Error when attempting to establish a VPN tunnel from Cisco 892 router to Palo Alto device

jomo frank
Level 1

Hello expert, 

Below are the results of the crypto debug.

Can you provide some guidance on how to fix this issue?

AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Mar 13 01:09:58.965: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 13 01:09:58.965: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2325957854'
*Mar 13 01:09:58.965: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Mar 13 01:09:58.965: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Mar 13 01:09:58.965: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Mar 13 01:09:58.965: IKEv2:(SESSION ID = 29,SA ID = 1):Sending Packet [To 181.199.253.181:500/From 190.80.24.247:500/VRF i0:f0]
Initiator SPI : CE3409DC1023875D - Responder SPI : 37C2A53BA4F7D585 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Mar 13 01:09:58.965: IKEv2:(SESSION ID = 29,SA ID = 1):Completed SA init exchange
*Mar 13 01:09:58.965: IKEv2:(SESSION ID = 29,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Received Packet [From 181.199.253.181:4500/To 190.80.24.247:500/VRF i0:f0]
Initiator SPI : CE3409DC1023875D - Responder SPI : 37C2A53BA4F7D585 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi AUTH NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi TSr

*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Stopping timer to wait for auth message
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Checking NAT discovery
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):NAT OUTSIDE found
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):NAT detected float to init port 4500, resp port 4500
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Searching policy based on peer's identity '192.168.90.2' of type 'IPv4 address'
*Mar 13 01:09:58.981: IKEv2-ERROR:% IKEv2 profile not found
*Mar 13 01:09:58.981: IKEv2-ERROR:(SESSION ID = 29,SA ID = 1):: Failed to locate an item in the database
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Verification of peer's authentication data FAILED
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Sending authentication failure notify
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Sending Packet [To 181.199.253.181:4500/From 190.80.24.247:4500/VRF i0:f0]
Initiator SPI : CE3409DC1023875D - Responder SPI : 37C2A53BA4F7D585 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Auth exchange failed
*Mar 13 01:09:58.981: IKEv2-ERROR:(SESSION ID = 29,SA ID = 1):: Auth exchange failed
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Abort exchange
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Deleting SA

*Mar 13 01:10:03.257: IKEv2:Received Packet [From 181.199.253.181:500/To 190.80.24.247:500/VRF i0:f0]
Initiator SPI : 4593D10DF0031DDE - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Mar 13 01:10:03.257: IKEv2:(SESSION ID = 30,SA ID = 1):Verify SA init message
*Mar 13 01:10:03.257: IKEv2:(SESSION ID = 30,SA ID = 1):Insert SA
*Mar 13 01:10:03.257: IKEv2:Searching Policy with fvrf 0, local address 190.80.24.247
*Mar 13 01:10:03.257: IKEv2:Found Policy 'RBGL_BOG_POLICY'
*Mar 13 01:10:03.257: IKEv2:(SESSION ID = 30,SA ID = 1):Processing IKE_SA_INIT message
*Mar 13 01:10:03.257: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 13 01:10:03.257: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2325957854'
*Mar 13 01:10:03.257: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Mar 13 01:10:03.257: IKEv2:(SESSION ID = 30,SA ID = 1):not a VPN-SIP session
*Mar 13 01:10:03.257: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Mar 13 01:10:03.257: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Mar 13 01:10:03.257: IKEv2:(SESSION ID = 30,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Mar 13 01:10:03.257: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 13 01:10:03.257: IKEv2:(SESSION ID = 30,SA ID = 1):Request queued for computation of DH key
*Mar 13 01:10:03.257: IKEv2:(SESSION ID = 30,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Mar 13 01:10:03.257: IKEv2:(SESSION ID = 30,SA ID = 1):Request queued for computation of DH secret
*Mar 13 01:10:03.269: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 13 01:10:03.269: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Mar 13 01:10:03.269: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Mar 13 01:10:03.269: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Mar 13 01:10:03.273: IKEv2:(SESSION ID = 30,SA ID = 1):Generating IKE_SA_INIT message
*Mar 13 01:10:03.273: IKEv2:(SESSION ID = 30,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Mar 13 01:10:03.273: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 13 01:10:03.273: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2325957854'
*Mar 13 01:10:03.273: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Mar 13 01:10:03.273: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Mar 13 01:10:03.273: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Mar 13 01:10:03.273: IKEv2:(SESSION ID = 30,SA ID = 1):Sending Packet [To 181.199.253.181:500/From 190.80.24.247:500/VRF i0:f0]
Initiator SPI : 4593D10DF0031DDE - Responder SPI : 8C5BBD1208B6B267 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Mar 13 01:10:03.273: IKEv2:(SESSION ID = 30,SA ID = 1):Completed SA init exchange
*Mar 13 01:10:03.273: IKEv2:(SESSION ID = 30,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Received Packet [From 181.199.253.181:4500/To 190.80.24.247:500/VRF i0:f0]
Initiator SPI : 4593D10DF0031DDE - Responder SPI : 8C5BBD1208B6B267 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi AUTH NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi TSr

*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Stopping timer to wait for auth message
*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Checking NAT discovery
*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):NAT OUTSIDE found
*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):NAT detected float to init port 4500, resp port 4500
*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Searching policy based on peer's identity '192.168.90.2' of type 'IPv4 address'
*Mar 13 01:10:03.289: IKEv2-ERROR:% IKEv2 profile not found
*Mar 13 01:10:03.289: IKEv2-ERROR:(SESSION ID = 30,SA ID = 1):: Failed to locate an item in the database
*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Verification of peer's authentication data FAILED
*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Sending authentication failure notify
*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Sending Packet [To 181.199.253.181:4500/From 190.80.72.149:4500/VRF i0:f0]
Initiator SPI : 4593D10DF0031DDE - Responder SPI : 8C5BBD1208B6B267 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Auth exchange failed
*Mar 13 01:10:03.289: IKEv2-ERROR:(SESSION ID = 30,SA ID = 1):: Auth exchange failed
*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Abort exchange
*Mar 13 01:10:03.289: IKEv2:(SESSION ID = 30,SA ID = 1):Deleting SA
Bog#
Bog#sh run
Building configuration...


Current configuration : 4913 bytes

Regards
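One way to triage a debug like the one above, as an added example that is not from this thread or from Cisco: a small parser that groups the IOS IKEv2 debug lines by SESSION ID and states why IKE_AUTH was rejected. It assumes the pattern the log shows (NAT detected, the peer identifying itself with the private address 192.168.90.2, then "IKEv2 profile not found"); the `match identity remote address` line it suggests is standard IOS ikev2-profile syntax, and the sample lines are an abridged copy of session 29 from the question.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few of the session-29 lines quoted in the question above.
SAMPLE_DEBUG = """\
*Mar 13 01:09:58.965: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Received Packet [From 181.199.253.181:4500/To 190.80.24.247:500/VRF i0:f0]
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):NAT OUTSIDE found
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Searching policy based on peer's identity '192.168.90.2' of type 'IPv4 address'
*Mar 13 01:09:58.981: IKEv2-ERROR:% IKEv2 profile not found
*Mar 13 01:09:58.981: IKEv2:(SESSION ID = 29,SA ID = 1):Auth exchange failed
"""

SESSION_RE = re.compile(r"SESSION ID = (\d+)")
IDENTITY_RE = re.compile(r"peer's identity '([^']+)' of type '([^']+)'")
FROM_RE = re.compile(r"Received Packet \[From ([\d.]+):\d+")

def triage(debug_text):
    """Group IOS IKEv2 debug lines per SESSION ID and collect the facts that decide IKE_AUTH."""
    sessions = defaultdict(lambda: {"peer_id": None, "id_type": None, "src_ip": None,
                                    "nat": False, "profile_missing": False, "auth_failed": False})
    current = None  # IKEv2-ERROR lines carry no session id: they belong to the last session seen
    for line in debug_text.splitlines():
        if (m := SESSION_RE.search(line)):
            current = m.group(1)
        if current is None:
            continue  # e.g. the PKI trustpoint message before any session exists
        s = sessions[current]
        if (m := IDENTITY_RE.search(line)):
            s["peer_id"], s["id_type"] = m.group(1), m.group(2)
        if (m := FROM_RE.search(line)):
            s["src_ip"] = m.group(1)
        s["nat"] |= "NAT OUTSIDE found" in line
        s["profile_missing"] |= "IKEv2 profile not found" in line
        s["auth_failed"] |= "Auth exchange failed" in line
    return dict(sessions)

def diagnose(s):
    """Explain one session's outcome; the profile lookup runs on the IKE ID, not the packet source."""
    if not s["auth_failed"]:
        return "ok"
    if s["profile_missing"] and s["peer_id"]:
        msg = (f"profile-mismatch: no ikev2 profile matches IKE ID {s['peer_id']} ({s['id_type']}); "
               f"add 'match identity remote address {s['peer_id']} 255.255.255.255' or change the peer's local ID")
        if s["nat"] and s["id_type"] == "IPv4 address" and ipaddress.ip_address(s["peer_id"]).is_private:
            msg += f"; peer is behind NAT and identifies with its private IP, not packet source {s['src_ip']}"
        return msg
    return "auth-failed: identity matched, so verify the pre-shared key or certificate on both sides"
```

The recurring "Failed to retrieve Certificate Issuer list" line is deliberately not counted against the session: in this log the reject follows "profile not found", so the trustpoint message is a separate issue to look at only once the identity match is fixed.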


Francesco Molino
VIP Alumni

Hi


There’s an authentication failure.

Can you share the config on both sides or can you validate the authentication on the Cisco and Palo Alto?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

miraziz
Level 1

Hello, fellow truth seekers!
I have similar logs...


#sh crypt ikev2 diagnose


Error(8789): Failed to retrieve issuer public key hash list

Same TP-self-signed certificate...
Anyone?