IPsec IKEv2 on ASA5510. Auth_Method doesn't match?

pl03119481
Level 1

Hello all,

 

I have a Cisco ASA 5510 which I try to connect to SherWeb Performance Cloud.

The tunnel did go up and stayed for a day. But through the weekend something happened and it is down.

I've run the debug commands and logging, as well as the packet-tracer command. I'll skip posting the original output just to keep this short. Below are my observations:

 

  • Both logging and debug point to a key exchange failure/authentication failure. But I've made absolutely sure that the PSKs match, since I made them really simple.
  • Packet-tracer returned an ACL-blocked result.
  • Under crypto debug ikev2 platform 255, I found that your_auth_method = 2 and supported_peer_auth_method = 11. However, no matter what parameter I change, I still can't get them to match. I wonder which one of them is PSK?
6 Replies

Are you sure that both local and remote authentication at both sides is PSK? You might have one of them at either peer set to certificate authentication. ACL showing blocked is normal because the IPSec SA isn't up.

I do not have control over the other side. However, on my ASA5510, for IKEv2 only there is no option of choosing a specific authentication method. But I only input PSKs and left the certificate blank. Thus it should work (that's also what I see from sample debug messages using PSKs).

What about your DH groups? Are they the same?

Yes, they are, as I have a working example right beside me. Besides the tunnel I'm currently trying to build between the ASA5510 and SherWeb Performance Cloud, I have an up tunnel between a Fortigate 200D and SherWeb Performance Cloud as an example. So I would hardly say that there are config differences, which confuses me even more as to why the current tunnel is failing.

That being said, Fortigate products indicate the phase 1 and phase 2 DH group more clearly than Cisco. Maybe I did set the DH group wrong? How do I match the policy DH group / PFS DH group and the phase 1/2 groups?

 

Thank you so much for answering.

For DH P1:

crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

For PFS P2:

crypto map outside_map 6 set pfs group2

Here's some update.

 

Since the debugger mainly returns errors at the auth_exchange stage, I decided to redo the config and refresh the interface to see what changes, and here comes the really strange result.

 

I had the tunnel session established successfully, with the exact same config (meaning the config isn't wrong). But when it is up, the NAT exempt isn't working. (It wasn't configured at first.) When I added the NAT exempt command, somehow the ACL decides to skip the packet and lets it drop by the implicit deny.

 

I've confirmed many, many times that the NAT and ACL configurations are pointing at the correct interfaces and subnets.

 

I also learned that the Cisco ASA is really slow at resetting the tunnel session? I basically had to clear the crypto map command and re-configure it to reset the session (including these non-expired packets).

 

This is getting out of control. : ((
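As an added example that is not part of any post in this thread and not the poster's configuration: the snippet below is a minimal IKEv2 site-to-site tunnel on an ASA (8.4+ syntax) that shows, in one place, where the phase 1 DH group and the phase 2 PFS group asked about earlier live, makes both authentication directions explicitly PSK (the point the first reply raises), and includes the identity-NAT exemption the last update describes. The object names, subnets, the peer address 203.0.113.10 and the PSK placeholders are assumptions chosen for illustration; replace them with your own values.

```cisco
! Added example, not the thread's own config. Addresses and names are placeholders.

! --- Phase 1 (IKE_SA): "group" here is the DH group negotiated for the IKEv2 SA ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

! --- Phase 2 (CHILD_SA) transform set ---
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1

! --- Interesting traffic: what the crypto map will encrypt ---
object network LOCAL-NET
 subnet 192.0.2.0 255.255.255.0
object network REMOTE-NET
 subnet 198.51.100.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip object LOCAL-NET object REMOTE-NET

! --- Crypto map entry: "set pfs" is the phase 2 (PFS) DH group, independent of the policy group ---
crypto map outside_map 6 match address outside_cryptomap_6
crypto map outside_map 6 set peer 203.0.113.10
crypto map outside_map 6 set ikev2 ipsec-proposal AES256-SHA
crypto map outside_map 6 set pfs group2
crypto map outside_map interface outside

! --- Peer authentication: both directions stated explicitly as PSK ---
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REMOTE-PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <LOCAL-PSK-PLACEHOLDER>

! --- NAT exemption (identity NAT) so tunnel traffic is neither translated nor sent out the wrong interface ---
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
```

Two things worth checking against this layout: the policy's "group 2" and the crypto map's "set pfs group2" are separate settings that must each match what the remote side uses for phase 1 and phase 2 respectively, and the identity NAT rule must use the same object pair as the crypto ACL so that packet-tracer matches the VPN phase instead of falling through to the interface ACL's implicit deny. After applying a change, "show crypto ikev2 sa" and "show crypto ipsec sa" show whether the IKE SA and the child SA actually came up.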