03-23-2020 06:25 AM
Hello, I am configuring a new tunnel between a Cisco ASA and Azure but phase 2 is not established (while phase 1 is UP-IDLE):
B25FW0101# show crypto ipsec sa
There are no ipsec sas
When I ran a debug I got the following output:
B25FW0101# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.25.23, sport=12032, daddr=10.0.0.1, dport=12032
IPSEC(crypto_map_check)-5: Checking crypto map outside_map0 1: skipping because 5-tuple does not match ACL outside_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map0 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.25.23, sport=12032, daddr=10.0.0.1, dport=12032
IPSEC(crypto_map_check)-5: Checking crypto map outside_map0 1: skipping because 5-tuple does not match ACL outside_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map0 2: matched.
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x14FF7141
IPSEC: New embryonic SA created @ 0x00007f9264d41fd0,
SCB: 0x64E5D6E0,
Direction: inbound
SPI : 0xEAE0BA96
Session ID: 0x0F2D0000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x14FFB6E7
IPSEC: New embryonic SA created @ 0x00007f9264e81a80,
SCB: 0x64DBDEC0,
Direction: inbound
SPI : 0xC19BF426
Session ID: 0x0F2D0000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x15002427
IPSEC: New embryonic SA created @ 0x00007f9264e78f10,
SCB: 0x64D3C1B0,
Direction: inbound
SPI : 0x2CA0458C
Session ID: 0x0F2D0000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x1500F6D5
IPSEC: New embryonic SA created @ 0x00007f9264dbc690,
SCB: 0x64D8EC60,
Direction: inbound
SPI : 0x2CFBC38C
Session ID: 0x0F2D0000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x1501607D
IPSEC: New embryonic SA created @ 0x00007f9264d96330,
SCB: 0x64DBCDA0,
Direction: inbound
SPI : 0x14F7A00D
Session ID: 0x0F2D0000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x1501DB73
IPSEC: New embryonic SA created @ 0x00007f9264e98670,
SCB: 0x64EC90D0,
Direction: inbound
SPI : 0x455F1193
Session ID: 0x0F2D0000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xC5EC8DD7)
IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x595F4D98)
IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x3BF7D131)
IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x67351F30)
IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xD7B0C29E)
IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xA83BA418)
IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xEAE0BA96)
IPSEC DEBUG: Migrated SA is deleted, Deleting the Backup SPI entry 0xEAE0BA96
IPSEC DEBUG: Inbound SA (SPI 0xEAE0BA96) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0xEAE0BA96) free started, state embryonic
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x14FF7141
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0xEAE0BA96) free completed
IPSEC DEBUG: Inbound SA (SPI 0xEAE0BA96) destroy completed
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xC19BF426)
IPSEC DEBUG: Migrated SA is deleted, Deleting the Backup SPI entry 0xC19BF426
IPSEC DEBUG: Inbound SA (SPI 0xC19BF426) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0xC19BF426) free started, state embryonic
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x14FFB6E7
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0xC19BF426) free completed
IPSEC DEBUG: Inbound SA (SPI 0xC19BF426) destroy completed
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x2CA0458C)
IPSEC DEBUG: Migrated SA is deleted, Deleting the Backup SPI entry 0x2CA0458C
IPSEC DEBUG: Inbound SA (SPI 0x2CA0458C) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x2CA0458C) free started, state embryonic
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x15002427
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x2CA0458C) free completed
IPSEC DEBUG: Inbound SA (SPI 0x2CA0458C) destroy completed
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x2CFBC38C)
IPSEC DEBUG: Migrated SA is deleted, Deleting the Backup SPI entry 0x2CFBC38C
IPSEC DEBUG: Inbound SA (SPI 0x2CFBC38C) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x2CFBC38C) free started, state embryonic
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x1500F6D5
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x2CFBC38C) free completed
IPSEC DEBUG: Inbound SA (SPI 0x2CFBC38C) destroy completed
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x14F7A00D)
IPSEC DEBUG: Migrated SA is deleted, Deleting the Backup SPI entry 0x14F7A00D
IPSEC DEBUG: Inbound SA (SPI 0x14F7A00D) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x14F7A00D) free started, state embryonic
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x1501607D
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x14F7A00D) free completed
IPSEC DEBUG: Inbound SA (SPI 0x14F7A00D) destroy completed
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x455F1193)
IPSEC DEBUG: Migrated SA is deleted, Deleting the Backup SPI entry 0x455F1193
IPSEC DEBUG: Inbound SA (SPI 0x455F1193) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x455F1193) free started, state embryonic
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x1501DB73
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x455F1193) free completed
IPSEC DEBUG: Inbound SA (SPI 0x455F1193) destroy completed
Any idea about what could be happening? Thank you.
03-24-2020 12:47 PM
Hi,
Follow this guide in order to confirm you have a functional config. Alternatively, you may use the VTI implementation. If you followed the guide and it still does not work, ensure that your ACL which defines the encryption domain (crypto ACL) is properly defined on both sides; I see some misses and some matches:
IPSEC(crypto_map_check)-5: Checking crypto map outside_map0 1: skipping because 5-tuple does not match ACL outside_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map0 2: matched.
Regards,
Cristian Matei.