Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
627
Views
0
Helpful
0
Replies

Need help with VPN Peer not working

roy_cohen@hotmail.com
Level 1
Level 1

‎11-11-2017 01:24 AM - edited ‎02-21-2020 06:43 AM

Hello

 

Completely new to this so please excuse my very novice questions and understanding (that's why I'm here probably...)

 

We have a VPN established with a vendor and three peers. One of the peers is working and the other two aren't

 

The response I received from the vendor on the failing peer is this and I need help (a step by step would be great) to debug this on our Cisco ASA 5525X device.

 

 

Thanks for the time on the phone earlier to explain the issue further. As I said on the phone, my theory was that there was an issue with Phase 2 for the two subnets with issues: x.x.x.x./22 and y.y.y.y/23. Looking deeper at the IKE logs in the traces on the gateway confirms this. 


For the Quick Mode SA (Phase 2) for both subnets, I see that we get an expire notification and we work to do a QM rekey. However, in that rekey, I see the following error message in both cases:

 

//Expire Notification for the QM SA

26 [0]0340.0620::11/10/2017-19:34:23.186 [ikeext] 0|81.145.238.131|Received expire notification

//We go ahead and delete the QM SA and send the Delete for the QMSA:

39 [0]0340.048C::11/10/2017-19:34:23.186 [ikeext] 36|81.145.238.131|QM done. Cleaning up qmSa 000000506B535430.  Error 13895(ERROR_IPSEC_IKE_QM_EXPIRED)

46 [0]0340.048C::11/10/2017-19:34:23.186 [ikeext] 36|81.145.238.131|Sending Oak Delete MMSA 000000506B52E2B0, QMSA 000000506B535430

51 [0]0340.048C::11/10/2017-19:34:23.186 [ikeext] 36|81.145.238.131|Sending Packet

59 [0]0340.048C::11/10/2017-19:34:23.186 [ikeext] 36|81.145.238.131|Deleting QM.  MM: 000000506B52E2B0 QM: 000000506B535430

 

//We then receive a packet from on-prem and start creating the QM SA

63 [0]0340.0BA0::11/10/2017-19:35:09.433 [ikeext] 0|81.145.238.131|Received packet

71 [0]0340.0BA0::11/10/2017-19:35:09.433 [ikeext] 36|81.145.238.131|Create QMSA: qmSA 000000506B535430 messId 769eee79

 

//We send and receive another packet:

116 [0]0340.0BA0::11/10/2017-19:35:09.434 [ikeext] 36|81.145.238.131|Sending Packet

127 [0]0340.0BA0::11/10/2017-19:35:09.445 [ikeext] 0|81.145.238.131|Received packet

 

// That’s when I see the following error:

157 [0]0340.0BA0::11/10/2017-19:35:09.446 [ikeext] 36|81.145.238.131|Tunnel QM policy does not allow key notify 000000506B535430

158 [0]0340.0BA0::11/10/2017-19:35:09.446 [ikeext] 36|81.145.238.131|Pruning the QM SA 000000506B535430

 

We then end up deleting the newly created QM SA and the cycle begins again.

 

The reason we don’t see any traffic for x.x.x.x/22 is because we never establish a tunnel long enough for traffic to make it to the Gateway in Azure. Therefore, my logs show none of the traffic from either side hitting the gateway for any reason.

 

My recommendation going forward is to get Cisco involved to look through the IKE logs on the ASA and verify that you are as up to date as possible. We’d be happy to collaborate with Cisco in continuing the investigation, but at this point I am only able to see one half of the IKE conversation and it’s not enough to pinpoint where the issue truly lies.

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card