04-10-2019 08:25 AM - edited 02-21-2020 09:01 AM
Have an ISPEC tunnel between an ASA and Router that will go down periodically and not be able to be brought back up and/or both sites can't reach each other unless the SAs are manually renegotiated on my end. Below is debug for platform/protocol 127 (changed IPs for security).
I am also looking for good docs in regards to reading IPSEC debugs or logs in general to be more familiar with the IPSEC commication process.
# IKEv2-PROTO-7: (27628): Timer expired, Sending DPD
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (27628): Action: Action_Null
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (27628): Sending DPD/liveness query
IKEv2-PROTO-4: (27628): Building packet for encryption.
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PLAT-4: (27628): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (27628): Action: Action_Null
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (27628): Checking if request will fit in peer window
(27628):
IKEv2-PROTO-4: (27628): Sending Packet [To 100.1.1.1:500/From 200.1.1.1:500/VRF i0:f0]
(27628): Initiator SPI : B537105995B57695 - Responder SPI : 65C53893C7ED92A9 Message id: 337
(27628): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (27628): Next payload: ENCR, version: 2.0 (27628): Exchange type: INFORMATIONAL, flags: INITIATOR (27628): Message id: 337, length: 88(27628):
Payload contents:
(27628): ENCR(27628): Next payload: NONE, reserved: 0x0, length: 60
(27628): Encrypted data: 56 bytes
(27628):
IKEv2-PLAT-5: (27628): SENT PKT [INFORMATIONAL] [200.1.1.1]:500->[100.1.1.1]:500 InitSPI=0xb537105995b57695 RespSPI=0x65c53893c7ed92a9 MID=00000151
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(27628):
IKEv2-PROTO-4: (27628): Received Packet [From 100.1.1.1:500/To 200.1.1.1:500/VRF i0:f0]
(27628): Initiator SPI : B537105995B57695 - Responder SPI : 65C53893C7ED92A9 Message id: 337
(27628): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (27628): Next payload: ENCR, version: 2.0 (27628): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (27628): Message id: 337, length: 88(27628):
Payload contents:
(27628):
(27628): Decrypted packet:(27628): Data: 88 bytes
IKEv2-PLAT-4: (27628): Decrypt success status returned via ipc 1
(27628): REAL Decrypted packet:(27628): Data: 0 bytes
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (27628): Processing ACK to informational exchange
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (27628): Processed response with message id 337, Requests can be sent from range 338 to 342
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (27628): Deleting negotiation context for my message ID: 0x151
04-10-2019 07:18 PM
04-10-2019 07:17 PM
01-25-2023 06:04 PM
What was the fix here ?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide