site 2 site vpn is terminated

nika.benashvili
Level 1

Hello,

We have an ASA which had 2 tunnels to different data centers.

Before, they were working OK, but after I changed the trustpoint and certificate, one of the tunnels is not coming up.

I only changed the certificate; with the same CA, other sites are working fine.

I tried to debug and it seems that it terminates the process by itself:

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.64.23.132, sport=57631, daddr=10.11.8.21, dport=57631
IPSEC(crypto_map_check)-5: Checking crypto map RA_CRYPTO_MAP 10: skipping because 5-tuple does not match ACL DC1.
IPSEC(crypto_map_check)-3: Checking crypto map RA_CRYPTO_MAP 20: matched.
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 10 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x54E3620D
IPSEC: New embryonic SA created @ 0x00007fa06bb2f7a0,
SCB: 0x68AF9EB0,
Direction: inbound
SPI : 0x67D0EF69
Session ID: 0x0E837000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC INFO: IPSec SA Purge timer expired SPI 0x54E3620D
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Migrated SA is deleted, Deleting the Backup SPI entry 0x67D0EF69
IPSEC DEBUG: Inbound SA (SPI 0x67D0EF69) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x67D0EF69) free started, state embryonic
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 5 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x54E3620D
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x67D0EF69) free completed
IPSEC DEBUG: Inbound SA (SPI 0x67D0EF69) destroy completed

This is the running config:

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal TSET_IKEV2
protocol esp encryption aes-gcm-256
protocol esp integrity null
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYNAMIC_CRYPTO_MAP 65535 set pfs
crypto dynamic-map DYNAMIC_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-128-SHA
crypto map RA_CRYPTO_MAP 10 match address DC1
crypto map RA_CRYPTO_MAP 10 set pfs group5
crypto map RA_CRYPTO_MAP 10 set peer 1x.1x.2x.1x
crypto map RA_CRYPTO_MAP 10 set ikev2 ipsec-proposal TSET_IKEV2
crypto map RA_CRYPTO_MAP 10 set trustpoint XXXX
crypto map RA_CRYPTO_MAP 20 match address DC2
crypto map RA_CRYPTO_MAP 20 set pfs group5
crypto map RA_CRYPTO_MAP 20 set peer 4x.2x.1x.1x
crypto map RA_CRYPTO_MAP 20 set ikev2 ipsec-proposal TSET_IKEV2
crypto map RA_CRYPTO_MAP 20 set trustpoint XXXX
crypto map RA_CRYPTO_MAP 65535 ipsec-isakmp dynamic DYNAMIC_CRYPTO_MAP
crypto map RA_CRYPTO_MAP interface outside
crypto ca trustpoint Mikenopa
enrollment protocol scep url http://crl.XXX.com:80/scep/scep
fqdn xxx
subject-name CN=xxx
crl configure
crypto ca trustpool policy
crypto ca certificate chain XXX
certificate 26ff3eb0a496cf5976ea
3082071f 30820507 a0030201 02020a26 ff3eb0a4 96cf5976 ea300d06 092a8648
86f70d01 010xxxd
901b5c
quit
certificate ca 1000
308205fb 308203e3 a0030201 02020210 00300d06 092a8648 86f70d01 010b0500
30819031 0b30090xxxx
quit
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-gcm-256 aes-gcm-192
integrity null
group 20
prf sha512 sha384 sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 3
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400

The access list is OK; it shows drops at the crypto domain, but as far as I know that is normal as the tunnel isn't established yet.

Accepted Solution

Looks like the ASA is sending the IKE_AUTH message with the cert and retransmitting this till the SA dies.

IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-2: (88): Check for EAP exchange
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet
(88): 
IKEv2-PROTO-2: (88): Sending Packet [To REMOTE_PEER_IP:500/From My_ASA_IP:500/VRF i0:f0] 
(88): Initiator SPI : 73E01CCDD50690CD - Responder SPI : D637074FDD003A45 Message id: 1
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88): 
Payload contents: 
(88): ENCR(88): Next payload: VID, reserved: 0x0, length: 2417
(88): Encrypted data: 2413 bytes
(88): 
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet

One possible reason could be an increase in the size of the certificate causing fragmentation of the outbound packet. Any chance of getting simultaneous debugs from both sides?

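The accepted answer's reasoning can be checked mechanically against the debug text: the ASA's IKE_SA_INIT request in the debug posted later in this thread carries NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED), the peer's IKE_SA_INIT response lists only VID, NAT_DETECTION and CERTREQ payloads, and the IKE_AUTH request is 2445 bytes, which cannot travel as a single datagram over a 1500-byte MTU link. The analyzer below is an added example written for this page; it is not code from the thread or from Cisco. It reads "debug crypto ikev2 protocol/platform" output, counts IKE_AUTH sends and retransmits, notes whether the SA purge timer fired before any IKE_AUTH reply, and flags the combination the answer describes: an oversized, unanswered IKE_AUTH while IKEv2 fragmentation (RFC 7383) was not offered by both sides. The 1500-byte MTU and the 28-byte IPv4+UDP overhead are assumptions, and the sample debug embedded in the block is constructed to mirror the thread's lines, not the real capture.

```python
"""Analyzer for Cisco ASA 'debug crypto ikev2' text (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPV4_MTU = 1500          # assumed path MTU
IP_UDP_OVERHEAD = 28     # assumed: 20-byte IPv4 header + 8-byte UDP header (port 500, no NAT-T)
FRAG_NOTIFY = "IKEV2_FRAGMENTATION_SUPPORTED"

# Header line of each packet dump: exchange, flags, message id and total IKE length.
EXCH_RE = re.compile(r"Exchange type: (\w+), flags: (.*?) \(\d+\): Message id: (\d+), length: (\d+)")
NOTIFY_RE = re.compile(r"NOTIFY\((\w+)\)")
CERT_RE = re.compile(r"\bCERT\(\d+\): Next payload: \w+, reserved: 0x0, length: (\d+)")

# Constructed sample shaped like the thread's debug (trimmed; not the real capture).
SAMPLE_DEBUG = """\
(88): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: SA, version: 2.0 (88): Exchange type: IKE_SA_INIT, flags: INITIATOR (88): Message id: 0, length: 434(88):
(88): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(88): Next payload: VID, reserved: 0x0, length: 8
IKEv2-PLAT-3: (88): SENT PKT [IKE_SA_INIT] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0x0000000000000000 MID=00000000
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [REMOTE_PEER_IP]:500->[My_ASA_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000000
(88): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-3: (88): Next payload: SA, version: 2.0 (88): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (88): Message id: 0, length: 400(88):
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP(88): NOTIFY(NAT_DETECTION_SOURCE_IP)(88): Next payload: NOTIFY, reserved: 0x0, length: 28
(88): CERT(88): Next payload: CERTREQ, reserved: 0x0, length: 1832
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88):
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-2: (88): Retransmitting packet
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-2: (88): Retransmitting packet
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IPSEC INFO: IPSec SA Purge timer expired SPI 0x012052E9
IPSEC DEBUG: Inbound SA (SPI 0x992810FF) destroy completed
"""


@dataclass
class IkeMessage:
    exchange: str
    is_response: bool
    msg_id: int
    length: int
    notifies: List[str] = field(default_factory=list)


def analyze(debug_text: str) -> Dict[str, object]:
    """Walk the debug once and return the facts the verdict is built from."""
    msgs: List[IkeMessage] = []
    current: Optional[IkeMessage] = None
    cert_bytes = auth_sent = auth_received = retransmits = 0
    sa_purged = False
    for line in debug_text.splitlines():
        m = EXCH_RE.search(line)
        if m:
            current = IkeMessage(m.group(1), "MSG-RESPONSE" in m.group(2), int(m.group(3)), int(m.group(4)))
            msgs.append(current)
            continue
        m = NOTIFY_RE.search(line)
        if m and current is not None:
            # Attributed to the most recent header; IKE_SA_INIT notifies are dumped right after it.
            current.notifies.append(m.group(1))
            continue
        m = CERT_RE.search(line)
        if m:
            cert_bytes = max(cert_bytes, int(m.group(1)))   # our CERT payload, sent inside IKE_AUTH
        elif "SENT PKT [IKE_AUTH]" in line:
            auth_sent += 1
        elif "RECV PKT [IKE_AUTH]" in line:
            auth_received += 1
        elif "Retransmitting packet" in line:
            retransmits += 1
        elif "SA Purge timer expired" in line:
            sa_purged = True

    def first(exchange: str, is_response: bool) -> Optional[IkeMessage]:
        return next((x for x in msgs if x.exchange == exchange and x.is_response == is_response), None)

    init_req, init_resp, auth_req = first("IKE_SA_INIT", False), first("IKE_SA_INIT", True), first("IKE_AUTH", False)
    frag_local = init_req is not None and FRAG_NOTIFY in init_req.notifies
    frag_peer = init_resp is not None and FRAG_NOTIFY in init_resp.notifies
    auth_len = auth_req.length if auth_req else 0
    datagram = (auth_len + IP_UDP_OVERHEAD) if auth_len else 0
    ip_fragmented = datagram > IPV4_MTU

    # Unanswered IKE_AUTH until the SA is purged is the symptom; an oversized request without
    # RFC 7383 fragmentation agreed by both peers is the cause the accepted answer suspects.
    if auth_sent and not auth_received and sa_purged:
        verdict = "auth-timeout-fragmentation-suspected" if ip_fragmented and not (frag_local and frag_peer) else "auth-timeout"
    elif auth_received:
        verdict = "auth-answered"
    else:
        verdict = "incomplete"
    return {
        "verdict": verdict,
        "ike_auth_length": auth_len,
        "ike_auth_datagram_bytes": datagram,
        "ip_fragmentation_expected": ip_fragmented,
        "frag_supported_local": frag_local,
        "frag_supported_peer": frag_peer,
        "cert_payload_bytes": cert_bytes,
        "ike_auth_sent": auth_sent,
        "ike_auth_answered": auth_received,
        "retransmits": retransmits,
        "sa_purged": sa_purged,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Pass a saved debug capture to analyze() as one string. A "fragmentation-suspected" verdict only says the request had to be IP-fragmented and the peers did not both advertise IKEv2 fragmentation; whether the fragments actually reach the far end is exactly what the simultaneous debug from the peer, as the answer asks for, would show.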

5 Replies

Rahul Govindan
VIP Alumni

Can you get the full output of "debug crypto ikev1 127" and "debug crypto ipsec 127" from the ASA when the tunnel is establishing? 

Hello, thanks for the reply,

As these debug commands are not available on this version of the ASA, I ran these debugs:

debug crypto ikev2 platform 127

debug crypto ikev2 protocol 127

debug crypto ipsec 127

and then clear crypto ipsec sa.

The output is the following:

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.64.23.132, sport=47937, daddr=10.11.8.21, dport=47937
IPSEC(crypto_map_check)-3: Checking crypto map RA_CRYPTO_MAP 20: matched.
IKEv2-PLAT-2: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.64.23.132, sport=47937, daddr=10.11.8.21, dport=47937
IPSEC(crypto_map_check)-3: Checking crypto map RA_CRYPTO_MAP 20: matched.
IKEv2-PLAT-2: Using trust point from crypto map RA_CRYPTO_MAP 20: Mikenopa
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: my_auth_method = 1
IKEv2-PLAT-2: no tunnel group specified: skipping peer auth settings
IKEv2-PLAT-2: supported_peers_auth_method = 11
IKEv2-PLAT-2: P1 ID = 0
IKEv2-PLAT-2: Translating IKE_ID_AUTO to = 9
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 10 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x012052E9
IPSEC: New embryonic SA created @ 0x00007f03492d2680,
SCB: 0x489909D0,
Direction: inbound
SPI : 0x992810FF
Session ID: 0x03C67000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x992810FF, error FALSE
IKEv2-PLAT-2:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: tp_name set to: Mikenopa
IKEv2-PLAT-2: tg_name set to:
IKEv2-PLAT-2: tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-5: (88): Setting configured policies
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_PKI_SESH_OPEN
IKEv2-PROTO-5: (88): Opening a PKI session
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-2: (88): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 20
IKEv2-PROTO-2: (88): Request queued for computation of DH key
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (88): Action: Action_Null
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (88): Generating IKE_SA_INIT message
IKEv2-PROTO-2: (88): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 6
(88): AES-GCM(88): AES-GCM(88): SHA512(88): SHA384(88): SHA256(88): DH_GROUP_384_ECP/Group 20IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATION(88):
IKEv2-PROTO-2: (88): Sending Packet [To REMOTE_PEER_IP:500/From My_ASA_IP:500/VRF i0:f0]
(88): Initiator SPI : 73E01CCDD50690CD - Responder SPI : 0000000000000000 Message id: 0
(88): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: SA, version: 2.0 (88): Exchange type: IKE_SA_INIT, flags: INITIATOR (88): Message id: 0, length: 434(88):
Payload contents:
(88): SA(88): Next payload: KE, reserved: 0x0, length: 68
(88): last proposal: 0x0, reserved: 0x0, length: 64
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 6(88): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
(88): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
(88): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(88): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
(88): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(88): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
(88): KE(88): Next payload: N, reserved: 0x0, length: 104
(88): DH group: 20, Reserved: 0x0
(88):
(88): d4 27 a7 ba 5e f5 b4 eb ea 4a 72 af 23 4d 18 50
(88): ab a1 a2 54 ba 68 7f 95 63 b7 06 9a c4 ac 15 fb
(88): ea 22 50 fe 62 04 e0 aa 8f f2 74 59 05 1f 27 ae
(88): b1 96 6a 6f cd 11 96 61 2e b8 1e 1c 75 fb 09 f0
(88): 4c 43 9c 23 67 36 18 da d0 20 ea 12 53 f4 98 27
(88): 41 fd 08 62 4f c4 1f 96 0e 03 89 23 32 82 10 de
(88): N(88): Next payload: VID, reserved: 0x0, length: 68
(88):
(88): 06 9c 89 c1 5b b0 bf 58 66 d6 4f ca b1 33 9f 4f
(88): 63 c3 8d 1c c2 d6 f1 c7 96 38 5c 21 77 30 4c 79
(88): bd 9c b6 88 3d 15 2c b3 c6 6a 63 1f 5e c0 08 e9
(88): df 9d 19 f2 d2 6b 10 7c a9 a9 33 be 01 b4 bd 22
(88): VID(88): Next payload: VID, reserved: 0x0, length: 23
(88):
(88): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(88): 53 4f 4e
(88): VID(88): Next payload: NOTIFY, reserved: 0x0, length: 59
(88):
(88): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(88): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(88): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(88): 73 2c 20 49 6e 63 2e
(88): NOTIFY(NAT_DETECTION_SOURCE_IP)(88): Next payload: NOTIFY, reserved: 0x0, length: 28
(88): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(88):
(88): b8 28 b2 b4 de 1b 9f 92 49 62 41 b3 95 7e 70 92
(88): 29 f3 9a 2e
(88): NOTIFY(NAT_DETECTION_DESTINATION_IP)(88): Next payload: NOTIFY, reserved: 0x0, length: 28
(88): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(88):
(88): 57 23 63 1a 72 66 c6 b2 52 9b d2 b7 37 ec 8f 89
(88): 2d 54 4f 4b
(88): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(88): Next payload: VID, reserved: 0x0, length: 8
(88): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(88): VID(88): Next payload: NONE, reserved: 0x0, length: 20
(88):
(88): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(88):
IKEv2-PLAT-3: (88): SENT PKT [IKE_SA_INIT] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-2: (88): Insert SA
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [REMOTE_PEER_IP]:500->[My_ASA_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000000
(88):
IKEv2-PROTO-2: (88): Received Packet [From REMOTE_PEER_IP:500/To My_ASA_IP:500/VRF i0:f0]
(88): Initiator SPI : 73E01CCDD50690CD - Responder SPI : D637074FDD003A45 Message id: 0
(88): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-3: (88): Next payload: SA, version: 2.0 (88): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (88): Message id: 0, length: 400(88):
Payload contents:
(88): SA(88): Next payload: KE, reserved: 0x0, length: 40
(88): last proposal: 0x0, reserved: 0x0, length: 36
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 3(88): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
(88): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(88): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
(88): KE(88): Next payload: N, reserved: 0x0, length: 104
(88): DH group: 20, Reserved: 0x0
(88):
(88): 0a 35 fa 86 ed 07 22 ff 61 19 d6 83 f7 44 18 af
(88): 8a d0 1e dd cc 8e d9 dd e2 38 bc 15 43 77 01 49
(88): 3b 41 e2 2e e6 74 2a c0 57 8d 01 0b 1d 6d 76 b7
(88): c6 f1 dd e5 fe a5 da f0 6e ec 63 ec dc 11 42 ef
(88): fd 17 5f d4 7c 69 c6 81 b6 97 c1 c3 f1 16 7c a9
(88): 5c 8f 7c cb 17 00 07 7f 60 6f 85 e3 0c 67 11 b2
(88): N(88): Next payload: VID, reserved: 0x0, length: 24
(88):
(88): ac e5 30 d5 ea 57 5a 27 e5 a7 3e 34 2e b9 d0 ca
(88): d8 c5 37 6c
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON(88): VID(88): Next payload: VID, reserved: 0x0, length: 23
(88):
(88): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(88): 53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM)(88): VID(88): Next payload: VID, reserved: 0x0, length: 59
(88):
(88): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(88): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(88): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(88): 73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM)(88): VID(88): Next payload: NOTIFY, reserved: 0x0, length: 21
(88):
(88): 46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
(88): 44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP(88): NOTIFY(NAT_DETECTION_SOURCE_IP)(88): Next payload: NOTIFY, reserved: 0x0, length: 28
(88): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(88):
(88): dc 40 6c 6c 40 c5 69 a0 12 cb 1b 25 b4 e4 1d f4
(88): d0 8c 6b c4
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP(88): NOTIFY(NAT_DETECTION_DESTINATION_IP)(88): Next payload: CERTREQ, reserved: 0x0, length: 28
(88): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(88):
(88): 91 b9 a4 96 04 d2 71 d0 1c 76 58 1b 58 23 9e 29
(88): a9 da 7a 86
(88): CERTREQ(88): Next payload: NONE, reserved: 0x0, length: 45
(88): Cert encoding X.509 Certificate - signature
(88): CertReq data: 40 bytes
(88):
(88): Decrypted packet:(88): Data: 400 bytes
IKEv2-PLAT-2: Process custom VID payloads
IKEv2-PLAT-2: Cisco Copyright VID received from peer
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (88): Processing IKE_SA_INIT message
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (88): Processing IKE_SA_INIT message
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-2: (88): Verify SA init message
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (88): Processing IKE_SA_INIT message
IKEv2-PLAT-2: (88): my auth method set to: 1
IKEv2-PROTO-5: (88): Matching certificate found
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-5: (88): Process NAT discovery notify
IKEv2-PROTO-5: (88): Processing nat detect src notify
IKEv2-PROTO-5: (88): Remote address matched
IKEv2-PROTO-5: (88): Processing nat detect dst notify
IKEv2-PROTO-5: (88): Local address matched
IKEv2-PROTO-5: (88): No NAT found
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-2: (88): Checking NAT discovery
IKEv2-PROTO-2: (88): NAT not found
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-2: (88): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
IKEv2-PROTO-2: (88): Request queued for computation of DH secret
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (88): Action: Action_Null
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-5: (88): Generate skeyid
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-5: (88): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-2: (88): Completed SA init exchange
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PLAT-2: Build config mode reply: no request stored
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-2: (88): Check for EAP exchange
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-2: (88): Generate my authentication data
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-2: (88): Get my authentication method
IKEv2-PROTO-2: (88): My authentication method is 'RSA'
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SIGN
IKEv2-PROTO-2: (88): Sign authentication data
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-2: (88): Check for EAP exchange
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (88): Generating IKE_AUTH message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-2: (88): Constructing IDi payload: 'cn=DUBALFW01-00-MDF0A.mikenopa.com,dc=Mikenopa,dc=com' of type 'DER ASN1 DN'
Adding trusted issuer hash to send. Hash:
d4 0a 18 2e ea e2 93 51 0f 11 98 fc 3a 1e 14 cc
b3 b8 be 0b
IKEv2-PROTO-2: (88): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(88): AES-GCM(88): None(88): Don't use ESNIKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-2: (88): Building packet for encryption.
(88):
Payload contents:
(88): VID(88): Next payload: IDi, reserved: 0x0, length: 20
(88):
(88): 71 e0 1d cd c6 31 63 8a 41 ce f7 87 c2 07 0e d8
(88): IDi(88): Next payload: CERT, reserved: 0x0, length: 99
(88): Id type: DER ASN1 DN, Reserved: 0x0 0x0
(88):
(88): 30 59 31 13 30 11 06 0a 09 92 26 89 93 f2 2c 64
(88): 01 19 16 03 63 6f 6d 31 18 30 16 06 0a 09 92 26
(88): 89 93 f2 2c 64 01 19 16 08 4d 69 6b 65 6e 6f 70
(88): 61 31 28 30 26 06 03 55 04 03 0c 1f 44 55 42 41
(88): 4c 46 57 30 31 2d 30 30 2d 4d 44 46 30 41 2e 6d
(88): 69 6b 65 6e 6f 70 61 2e 63 6f 6d
(88): CERT(88): Next payload: CERTREQ, reserved: 0x0, length: 1832
(88): Cert encoding X.509 Certificate - signature
(88): Cert data: 1827 bytes
(88): CERTREQ(88): Next payload: AUTH, reserved: 0x0, length: 25
(88): Cert encoding X.509 Certificate - signature
(88): CertReq data: 20 bytes
(88): AUTH(88): Next payload: SA, reserved: 0x0, length: 264
(88): Auth method RSA, reserved: 0x0, reserved 0x0
(88): Auth data: 256 bytes
(88): SA(88): Next payload: TSi, reserved: 0x0, length: 44
(88): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(88): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
(88): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: None
(88): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(88): TSi(88): Next payload: TSr, reserved: 0x0, length: 40
(88): Num of TSs: 2, reserved 0x0, reserved 0x0
(88): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(88): start port: 0, end port: 65535
(88): start addr: 10.64.23.132, end addr: 10.64.23.132
(88): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(88): start port: 0, end port: 65535
(88): start addr: 10.64.23.128, end addr: 10.64.23.255
(88): TSr(88): Next payload: NOTIFY, reserved: 0x0, length: 40
(88): Num of TSs: 2, reserved 0x0, reserved 0x0
(88): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(88): start port: 0, end port: 65535
(88): start addr: 10.11.8.21, end addr: 10.11.8.21
(88): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(88): start port: 0, end port: 65535
(88): start addr: 10.11.8.0, end addr: 10.11.8.255
(88): NOTIFY(INITIAL_CONTACT)(88): Next payload: NOTIFY, reserved: 0x0, length: 8
(88): Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(88): NOTIFY(ESP_TFC_NO_SUPPORT)(88): Next payload: NOTIFY, reserved: 0x0, length: 8
(88): Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(88): NOTIFY(NON_FIRST_FRAGS)(88): Next payload: NONE, reserved: 0x0, length: 8
(88): Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-2: (88):
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PLAT-2: (88): Encrypt success status returned via ipc 1
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-5: (88): Action: Action_Null
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(88):
IKEv2-PROTO-2: (88): Sending Packet [To REMOTE_PEER_IP:500/From My_ASA_IP:500/VRF i0:f0]
(88): Initiator SPI : 73E01CCDD50690CD - Responder SPI : D637074FDD003A45 Message id: 1
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88):
Payload contents:
(88): ENCR(88): Next payload: VID, reserved: 0x0, length: 2417
(88): Encrypted data: 2413 bytes
(88):
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-2: (88): Check for EAP exchange
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet
(88):
IKEv2-PROTO-2: (88): Sending Packet [To REMOTE_PEER_IP:500/From My_ASA_IP:500/VRF i0:f0]
(88): Initiator SPI : 73E01CCDD50690CD - Responder SPI : D637074FDD003A45 Message id: 1
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88):
Payload contents:
(88): ENCR(88): Next payload: VID, reserved: 0x0, length: 2417
(88): Encrypted data: 2413 bytes
(88):
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet
(88):
IKEv2-PROTO-2: (88): Sending Packet [To REMOTE_PEER_IP:500/From My_ASA_IP:500/VRF i0:f0]
(88): Initiator SPI : 73E01CCDD50690CD - Responder SPI : D637074FDD003A45 Message id: 1
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88):
Payload contents:
(88): ENCR(88): Next payload: VID, reserved: 0x0, length: 2417
(88): Encrypted data: 2413 bytes
(88):
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IPSEC INFO: IPSec SA Purge timer expired SPI 0x012052E9
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Migrated SA is deleted, Deleting the Backup SPI entry 0x992810FF
IPSEC DEBUG: Inbound SA (SPI 0x992810FF) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x992810FF) free started, state embryonic
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 5 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x012052E9
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x992810FF) free completed
IPSEC DEBUG: Inbound SA (SPI 0x992810FF) destroy completed
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.64.23.132, sport=49473, daddr=10.11.7.70, dport=49473
IPSEC(crypto_map_check)-3: Checking crypto map RA_CRYPTO_MAP 20: matched.
IKEv2-PLAT-2: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.64.23.132, sport=49473, daddr=10.11.7.70, dport=49473
IPSEC(crypto_map_check)-3: Checking crypto map RA_CRYPTO_MAP 20: matched.
IKEv2-PLAT-2: Using trust point from crypto map RA_CRYPTO_MAP 20: Mikenopa
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: my_auth_method = 1
IKEv2-PLAT-2: no tunnel group specified: skipping peer auth settings
IKEv2-PLAT-2: supported_peers_auth_method = 11
IKEv2-PLAT-2: P1 ID = 0
IKEv2-PLAT-2: Translating IKE_ID_AUTO to = 9
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 10 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x01217B6F
IPSEC: New embryonic SA created @ 0x00007f03492d2680,
SCB: 0x48DD04C0,
Direction: inbound
SPI : 0x55BF1AF1
Session ID: 0x015C4000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x55BF1AF1, error FALSE
IKEv2-PLAT-2:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: tp_name set to: Mikenopa
IKEv2-PLAT-2: tg_name set to:
IKEv2-PLAT-2: tunn grp type set to: L2L
IKEv2-PROTO-2: SA is already in negotiation, hence not negotiating again
IKEv2-PLAT-2: (87): PSH cleanup
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x55BF1AF1)
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IPSEC DEBUG: Migrated SA is deleted, Deleting the Backup SPI entry 0x55BF1AF1
IPSEC DEBUG: Inbound SA (SPI 0x55BF1AF1) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x55BF1AF1) free started, state embryonic
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 5 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x01217B6F
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x55BF1AF1) free completed
IPSEC DEBUG: Inbound SA (SPI 0x55BF1AF1) destroy completed
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x55BF1AF1 error FALSE
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet
(88):
IKEv2-PROTO-2: (88): Sending Packet [To REMOTE_PEER_IP:500/From My_ASA_IP:500/VRF i0:f0]
(88): Initiator SPI : 73E01CCDD50690CD - Responder SPI : D637074FDD003A45 Message id: 1
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88):
Payload contents:
(88): ENCR(88): Next payload: VID, reserved: 0x0, length: 2417
(88): Encrypted data: 2413 bytes
(88):
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet
(88):
IKEv2-PROTO-2: (88): Sending Packet [To REMOTE_PEER_IP:500/From My_ASA_IP:500/VRF i0:f0]
(88): Initiator SPI : 73E01CCDD50690CD - Responder SPI : D637074FDD003A45 Message id: 1
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88):
Payload contents:
(88): ENCR(88): Next payload: VID, reserved: 0x0, length: 2417
(88): Encrypted data: 2413 bytes
(88):
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet
(88):
IKEv2-PROTO-2: (88): Sending Packet [To REMOTE_PEER_IP:500/From My_ASA_IP:500/VRF i0:f0]
(88): Initiator SPI : 73E01CCDD50690CD - Responder SPI : D637074FDD003A45 Message id: 1
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88):
Payload contents:
(88): ENCR(88): Next payload: VID, reserved: 0x0, length: 2417
(88): Encrypted data: 2413 bytes
(88):
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
undebug all

Looks like the ASA is sending the IKE_AUTH message with the cert and retransmitting it until the SA dies.

IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-2: (88): Check for EAP exchange
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet
(88): 
IKEv2-PROTO-2: (88): Sending Packet [To REMOTE_PEER_IP:500/From My_ASA_IP:500/VRF i0:f0] 
(88): Initiator SPI : 73E01CCDD50690CD - Responder SPI : D637074FDD003A45 Message id: 1
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88): 
Payload contents: 
(88): ENCR(88): Next payload: VID, reserved: 0x0, length: 2417
(88): Encrypted data: 2413 bytes
(88): 
IKEv2-PLAT-3: (88): SENT PKT [IKE_AUTH] [My_ASA_IP]:500->[REMOTE_PEER_IP]:500 InitSPI=0x73e01ccdd50690cd RespSPI=0xd637074fdd003a45 MID=00000001
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet

One possible reason could be an increase in the size of the certificate causing fragmentation of the outbound packet. Any chance of getting simultaneous debugs from both sides?
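
As an added example (not code from the thread or from Cisco), a small Python check that scans "debug crypto ikev2" lines like the ones above for exactly the pattern the reply describes: repeated EV_RE_XMT in I_WAIT_AUTH with no reply received, and an IKE_AUTH packet that exceeds the path MTU once the IPv4 and UDP headers are added. The sample lines are constructed, and the 1500-byte MTU and 3-retransmit threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed lines modelled on the thread's 'debug crypto ikev2' output (not a real capture).
SAMPLE_DEBUG = """\
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88):
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88):
IKEv2-PROTO-5: (88): SM Trace-> SA: I_SPI=73E01CCDD50690CD R_SPI=D637074FDD003A45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (88): Retransmitting packet
(88): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (88): Next payload: ENCR, version: 2.0 (88): Exchange type: IKE_AUTH, flags: INITIATOR (88): Message id: 1, length: 2445(88):
"""

RE_RETRANSMIT = re.compile(r"\((\d+)\): SM Trace.*CurState: (\w+) Event: EV_RE_XMT")
RE_SENT_LEN = re.compile(r"\((\d+)\):.*Exchange type: (\w+), .*length: (\d+)")
RE_RECEIVED = re.compile(r"\((\d+)\): Received Packet")

IP_UDP_OVERHEAD = 28  # IPv4 header (20) + UDP header (8); plain UDP/500, no NAT-T

def parse_ikev2_debug(text):
    """Per IKEv2 session id: retransmits by state, largest packet per exchange, replies seen."""
    stats = defaultdict(lambda: {"retx": defaultdict(int), "max_len": {}, "replies": 0})
    for line in text.splitlines():
        if m := RE_RETRANSMIT.search(line):
            stats[m[1]]["retx"][m[2]] += 1
        elif m := RE_SENT_LEN.search(line):
            cur = stats[m[1]]["max_len"]
            cur[m[2]] = max(cur.get(m[2], 0), int(m[3]))
        elif m := RE_RECEIVED.search(line):
            stats[m[1]]["replies"] += 1
    return stats

def fragmentation_suspects(stats, path_mtu=1500, min_retx=3):
    """Sessions stuck retransmitting IKE_AUTH with no reply and a packet larger than the MTU."""
    out = {}
    for sid, s in stats.items():
        ike_auth = s["max_len"].get("IKE_AUTH", 0)
        stuck = s["retx"].get("I_WAIT_AUTH", 0) >= min_retx and s["replies"] == 0
        if stuck and ike_auth + IP_UDP_OVERHEAD > path_mtu:
            out[sid] = ike_auth + IP_UDP_OVERHEAD - path_mtu  # bytes over the MTU
    return out

if __name__ == "__main__":
    for sid, excess in fragmentation_suspects(parse_ikev2_debug(SAMPLE_DEBUG)).items():
        print(f"session {sid}: IKE_AUTH retransmit loop, packet exceeds MTU by {excess} bytes")
```

A session that does get an IKE_AUTH reply, or whose packet fits within the MTU, is not reported, so a hit points at fragmentation being dropped somewhere on the path rather than at a certificate or policy mismatch.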

Hello,

Thanks for the hint. Fragmentation was disabled on both ends; we enabled it and now it works.

Thank you.

Hi, when you say fragmentation, do you mean pre-fragmentation on the interface of the ASA?

Thanks