Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
7022
Views
50
Helpful
17
Replies

IPSEC tunnel Issues

CiscoPurpleBelt
Level 6
Level 6

ā€Ž04-10-2019 08:25 AM - edited ā€Ž02-21-2020 09:01 AM

Have an ISPEC tunnel between an ASA and Router that will go down periodically and not be able to be brought back up and/or both sites can't reach each other unless the SAs are manually renegotiated on my end. Below is debug for platform/protocol 127 (changed IPs for security).

I am also looking for good docs in regards to reading IPSEC debugs or logs in general to be more familiar with the IPSEC commication process.

 

# IKEv2-PROTO-7: (27628): Timer expired, Sending DPD

IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-7: (27628): Action: Action_Null
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-4: (27628): Sending DPD/liveness query
IKEv2-PROTO-4: (27628): Building packet for encryption.
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PLAT-4: (27628): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (27628): Action: Action_Null
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (27628): Checking if request will fit in peer window
(27628):
IKEv2-PROTO-4: (27628): Sending Packet [To 100.1.1.1:500/From 200.1.1.1:500/VRF i0:f0]
(27628): Initiator SPI : B537105995B57695 - Responder SPI : 65C53893C7ED92A9 Message id: 337
(27628): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (27628): Next payload: ENCR, version: 2.0 (27628): Exchange type: INFORMATIONAL, flags: INITIATOR (27628): Message id: 337, length: 88(27628):
Payload contents:
(27628): ENCR(27628): Next payload: NONE, reserved: 0x0, length: 60
(27628): Encrypted data: 56 bytes
(27628):
IKEv2-PLAT-5: (27628): SENT PKT [INFORMATIONAL] [200.1.1.1]:500->[100.1.1.1]:500 InitSPI=0xb537105995b57695 RespSPI=0x65c53893c7ed92a9 MID=00000151
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(27628):
IKEv2-PROTO-4: (27628): Received Packet [From 100.1.1.1:500/To 200.1.1.1:500/VRF i0:f0]
(27628): Initiator SPI : B537105995B57695 - Responder SPI : 65C53893C7ED92A9 Message id: 337
(27628): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (27628): Next payload: ENCR, version: 2.0 (27628): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (27628): Message id: 337, length: 88(27628):
Payload contents:
(27628):
(27628): Decrypted packet:(27628): Data: 88 bytes
IKEv2-PLAT-4: (27628): Decrypt success status returned via ipc 1
(27628): REAL Decrypted packet:(27628): Data: 0 bytes
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (27628): Processing ACK to informational exchange
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (27628): Processed response with message id 337, Requests can be sent from range 338 to 342
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (27628): SM Trace-> SA: I_SPI=B537105995B57695 R_SPI=65C53893C7ED92A9 (I) MsgID = 00000151 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (27628): Deleting negotiation context for my message ID: 0x151

 

0 Helpful
17 Replies 17

CiscoPurpleBelt
Level 6
Level 6
In response to Richard Burts

ā€Ž04-10-2019 07:18 PM

Ok I will do that when possible and get back to you.
0 Helpful

CiscoPurpleBelt
Level 6
Level 6
In response to Rob Ingram

ā€Ž04-10-2019 07:17 PM

Yes it sent it but perhaps I am overlooking but nothing shows up when doing show run | grep keep or similar type searches. I will double check.

Third party has never tried. Help desk typically calls me and I bring it up. I will have to try and check to see if it is configured for respond/answer only. Not sure about the config so I have to look it up I guess.
0 Helpful

MSJ1
Level 1
Level 1
In response to CiscoPurpleBelt

ā€Ž01-25-2023 06:04 PM

What was the fix here  ?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card