IKEv1 tunnel establishes IKEv2 Fails

jamie.gleeson
Level 1

I have been testing a tunnel between an ASA 5510 version 9.1(7)4 and an ASA 5525-X version 9.1(2). The tunnel establishes with IKEv1, but I cannot get it to work with IKEv2. I have enclosed the debug crypto ikev2 platform 127 and debug crypto ikev2 protocol 127 output from the responding ASA below.

IKEv2-PROTO-2: Received Packet [From x.x.x.x:500/To x.x.x.x:500/VRF i0:f0]
Initiator SPI : 31160D39095EAEF7 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 530
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 132
last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0

ab 9a 5e bc c6 4e cf f3 bf b4 a0 0a fd 0f 3d f3
f2 e0 29 77 fd 11 7b b9 5b df 9c 01 1c e6 a6 89
b2 49 1f 8a b6 a9 a7 16 7b 96 de 06 7b cb 15 55
ee a6 22 b3 5f 54 7d 43 d5 f5 c2 72 c8 c4 8a 07
7e bc 6f 16 61 7e 69 a7 95 12 e0 e9 64 93 62 6e
7b f5 72 6f e6 90 b5 4a e8 72 33 1e 5d 40 76 23
74 03 a6 a9 36 68 32 6e 04 5c 11 31 91 ac d4 55
64 ce 8b 7a ce da ef 09 0c ef 6c 2f 98 b5 6c 83
75 8f 14 e0 0d 6c 99 a6 c2 47 9c d0 b9 72 9b 5f
3f 20 6f 8e 39 df 72 a6 53 ec 5a c7 38 62 43 99
b8 c6 51 ca f3 d6 07 2b b7 dc 3d e7 63 02 6e cd
98 3e 19 be b9 7d 52 df 4b 92 79 9a f9 f7 44 a4
N Next payload: VID, reserved: 0x0, length: 68

63 9b 9a a8 2c f4 74 41 e4 b1 77 f9 47 54 84 de
ee cb bb 15 5c a1 be 84 ad 0a 27 41 19 00 89 a9
0e f9 24 c8 19 73 00 33 15 2e 41 eb 1e 6a 24 29
a9 20 02 56 94 ee 35 00 42 88 c4 1c 24 0c 29 ff
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID Next payload: VID, reserved: 0x0, length: 23

43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: VID, reserved: 0x0, length: 59

43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: FRAGMENTATION VID Next payload: NONE, reserved: 0x0, length: 20

40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

Decrypted packet:Data: 530 bytes
IKEv2-PROTO-1: Failed to allocate PSH from platform
IKEv2-PROTO-1:
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=31160D39095EAEF7 R_SPI=078F2147ED90BC87 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-5: Action: Action_Null
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=31160D39095EAEF7 R_SPI=078F2147ED90BC87 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=31160D39095EAEF7 R_SPI=078F2147ED90BC87 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PLAT-5: Negotiating SA request deleted
IKEv2-PLAT-1: Failed to decrement count for incoming negotiating
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=31160D39095EAEF7 R_SPI=078F2147ED90BC87 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PROTO-2: Abort exchange
IKEv2-PLAT-1: Invalid Parameters to create MIB fail entry.
IKEv2-PROTO-2: Deleting SA
IKEv2-PLAT-5: INVALID PSH HANDLE

1 Reply
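As an added illustration, not part of the original thread, here is a small Python triage script for this kind of debug crypto ikev2 protocol output. It parses the initiator's SA payload into named transform sets (transform type numbers follow RFC 7296 section 3.3.2), follows the SM Trace lines, and separates two failure modes that look similar from the tunnel's point of view: a NO_PROPOSAL_CHOSEN policy mismatch versus an abort before any proposal was chosen, which is what the "Failed to allocate PSH from platform" line in the post shows. The sample input is a constructed, abridged copy of the responder trace above with documentation addresses in place of the redacted peers; the verdict names and the list of legacy algorithms are this script's own choices, not ASA terminology.

```python
import re
from dataclasses import dataclass, field

# RFC 7296 section 3.3.2 transform type numbers, as printed in the "type: N" lines.
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
# Algorithms worth flagging for retirement (this script's judgement, not an ASA list):
# 3DES, SHA-1 based PRF/integrity and 1536-bit MODP (group 5) sit below current guidance.
LEGACY = {"3DES", "SHA1", "SHA96", "DH_GROUP_1536_MODP/Group 5"}
FATAL_MARKERS = ("Failed to allocate PSH from platform", "Abort exchange")

PROPOSAL_RE = re.compile(r"^Proposal: (\d+), Protocol id: (\w+), SPI size: \d+, #trans: (\d+)")
TRANSFORM_RE = re.compile(r"^type: (\d+), reserved: 0x0, id: (.+)$")
SM_RE = re.compile(r"SM Trace-> SA: I_SPI=(\w+) R_SPI=(\w+) .*CurState: (\w+) Event: (\w+)")

# Constructed, abridged copy of the responder-side trace from the post: documentation
# addresses replace the redacted x.x.x.x peers and proposal 2 is left out for brevity.
SAMPLE_DEBUG = """\
IKEv2-PROTO-2: Received Packet [From 192.0.2.1:500/To 192.0.2.2:500/VRF i0:f0]
IKEv2-PROTO-3: Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 530
SA Next payload: KE, reserved: 0x0, length: 132
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-1: Failed to allocate PSH from platform
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=31160D39095EAEF7 R_SPI=078F2147ED90BC87 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=31160D39095EAEF7 R_SPI=078F2147ED90BC87 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-2: Abort exchange
"""


@dataclass
class Proposal:
    number: int
    protocol: str
    declared: int                                     # "#trans: N" from the proposal header
    transforms: dict = field(default_factory=dict)    # e.g. {"ENCR": "AES-CBC", ...}


@dataclass
class Triage:
    initiator_spi: str = ""
    responder_spi: str = ""
    proposals: list = field(default_factory=list)
    events: list = field(default_factory=list)        # (CurState, Event) pairs from SM Trace
    notifies: list = field(default_factory=list)
    fatal: list = field(default_factory=list)


def parse_debug(text):
    """Walk the debug output once, collecting proposals, state-machine events and fatal markers."""
    t, cur = Triage(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROPOSAL_RE.match(line):
            cur = Proposal(int(m.group(1)), m.group(2), int(m.group(3)))
            t.proposals.append(cur)
        elif (m := TRANSFORM_RE.match(line)) and cur is not None:
            cur.transforms[TRANSFORM_TYPES.get(int(m.group(1)), m.group(1))] = m.group(2)
        elif m := SM_RE.search(line):
            t.initiator_spi, t.responder_spi = m.group(1), m.group(2)
            t.events.append((m.group(3), m.group(4)))
        else:
            if "NO_PROPOSAL_CHOSEN" in line:
                t.notifies.append("NO_PROPOSAL_CHOSEN")
            t.fatal.extend(mk for mk in FATAL_MARKERS if mk in line)
    return t


def malformed_proposals(t):
    """Proposal numbers whose parsed transform count disagrees with the advertised #trans."""
    return [p.number for p in t.proposals if len(p.transforms) != p.declared]


def legacy_transforms(t):
    """Map proposal number -> legacy algorithm ids it still offers (empty proposals omitted)."""
    return {p.number: [a for a in p.transforms.values() if a in LEGACY]
            for p in t.proposals if any(a in LEGACY for a in p.transforms.values())}


def classify(t):
    """One-word verdict; the categories are this script's own, not ASA terminology."""
    if "NO_PROPOSAL_CHOSEN" in t.notifies:
        return "policy_mismatch"              # the peers' IKEv2 policies do not intersect
    if "Failed to allocate PSH from platform" in t.fatal:
        return "platform_psh_alloc_failed"    # aborted before any proposal was accepted or rejected
    if any(ev == "EV_ABORT" for _, ev in t.events):
        return "aborted_other"
    return "no_failure_seen"


if __name__ == "__main__":
    t = parse_debug(SAMPLE_DEBUG)
    print(f"SA {t.initiator_spi}/{t.responder_spi}: verdict={classify(t)}")
    for p in t.proposals:
        print(f"  proposal {p.number}: {p.transforms}")
    print("  legacy algorithms offered:", legacy_transforms(t))
    print("  state machine:", t.events)
```

The useful distinction is the absence of any NO_PROPOSAL_CHOSEN notify before the abort: the responder never got as far as comparing the offered transforms with its own policy, which is why comparing crypto ikev2 policy on both peers alone would not explain this trace. The legacy-algorithm report is a side benefit of having the proposals parsed: every proposal here still offers DH group 5, and proposal 3 offers 3DES with SHA-1.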

Rahul Govindan
VIP Alumni

Do you have a snippet of the ikev2 config on both sides? Also which ASA is the one showing the messages?

The debugs look ok up to the point where it says "Failed to allocate PSH from platform". This I have seen with Azure gateways using route-based VPNs, which is not your case.

I would also try removing the crypto map and re-applying it when moving from v1 to v2 during a downtime. There have been a few issues in the past where stale entries stay on the ASA, causing new tunnels to stop forming.