2003 Views, 0 Helpful, 4 Replies

Site to Site VPN with Palo Alto Networks FW

inigoed
Level 1

Seeing this error on the debug for IPsec between a Cisco ASR 1001 and a Palo Alto Networks Firewall.

 Inbound/outbound installation failed, not sending DECR

Can anyone tell me what this error means?

Remote side is getting a deleting SA message.

Regards,

Ed

4 Replies

Philip D'Ath
VIP Alumni

You'll need to post a more complete debug so we can see the context of the error.

Sorry for the lack of info ... I hope the following debug can shed some light.

(key eng. msg.) OUTBOUND local= 199.52.8.132:500, remote= 63.88.1.108:500,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel),
lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul 24 17:44:24.216 UTC: IPSEC(validate_proposal_request): proposal part #1
*Jul 24 17:44:24.216 UTC: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul 24 17:44:24.216 UTC: Crypto mapdb : proxy_match
src addr : 10.143.68.0
dst addr : 10.145.241.80
protocol : 0
src port : 0
dst port : 0
*Jul 24 17:44:24.216 UTC: (ipsec_process_proposal)Map Accepted: CM_VPN_1, 245
*Jul 24 17:44:24.216 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 24 17:44:24.216 UTC: Crypto mapdb : proxy_match
src addr : 10.143.68.0
dst addr : 10.145.241.80
protocol : 256
src port : 0
dst port : 0
*Jul 24 17:44:24.216 UTC: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CM_VPN_1, 245
*Jul 24 17:44:24.216 UTC: IPSEC(create_sa): sa created,
(sa) sa_dest= 199.52.8.132, sa_proto= 50,
sa_spi= 0x95146119(2501140761),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 61
sa_lifetime(k/sec)= (4608000/28800),
(identity) local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0
*Jul 24 17:44:24.217 UTC: IPSEC(create_sa): sa created,
(sa) sa_dest= 63.88.1.108, sa_proto= 50,
sa_spi= 0xA2666A20(2724620832),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 62
sa_lifetime(k/sec)= (4608000/28800),
(identity) local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0
*Jul 24 17:44:24.217 UTC: IPSEC(send_delete_notify_kmi): Inbound/outbound installation failed, not sending DECR
*Jul 24 17:44:24.217 UTC: IPSEC(update_current_outbound_sa): updated peer 63.88.1.108 current outbound sa to SPI 0
*Jul 24 17:44:24.217 UTC: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 199.52.8.132, sa_proto= 50,
sa_spi= 0x95146119(2501140761),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 61
sa_lifetime(k/sec)= (4608000/28800),
(identity) local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0
*Jul 24 17:44:24.217 UTC: IPSEC(delete_sa): SA found saving DEL kmi
*Jul 24 17:44:24.217 UTC: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 63.88.1.108, sa_proto= 50,
sa_spi= 0xA2666A20(2724620832),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 62
sa_lifetime(k/sec)= (4608000/28800),
(identity) local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0
*Jul 24 17:44:24.217 UTC: IPSEC(send_delete_notify_kmi): not sending KEY_ENG_NOTIFY_DECR_COUNT
*Jul 24 17:44:27.219 UTC: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
*Jul 24 17:44:28.820 UTC: IPSEC:(SESSION ID = 189852) (key_engine) request timer fired: count = 1,
(identity) local= 199.52.8.132:0, remote= 69.73.247.178:0,
local_proxy= 199.52.8.132/255.255.255.255/47/0,
remote_proxy= 69.73.247.178/255.255.255.255/47/0
*Jul 24 17:44:28.820 UTC: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 199.52.8.132:500, remote= 69.73.247.178:500,
local_proxy= 199.52.8.132/255.255.255.255/47/0,
remote_proxy= 69.73.247.178/255.255.255.255/47/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 24 17:44:54.199 UTC: IPSEC:(SESSION ID = 189852) (key_engine) request timer fired: count = 1,
(identity) local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0
*Jul 24 17:44:54.199 UTC: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 199.52.8.132:500, remote= 63.88.1.108:500,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel),
lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul 24 17:44:54.216 UTC: IPSEC(validate_proposal_request): proposal part #1
*Jul 24 17:44:54.216 UTC: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul 24 17:44:54.216 UTC: Crypto mapdb : proxy_match
src addr : 10.143.68.0
dst addr : 10.145.241.80
protocol : 0
src port : 0
dst port : 0
*Jul 24 17:44:54.216 UTC: (ipsec_process_proposal)Map Accepted: CM_VPN_1, 245
*Jul 24 17:44:54.217 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 24 17:44:54.217 UTC: Crypto mapdb : proxy_match
src addr : 10.143.68.0
dst addr : 10.145.241.80
protocol : 256
src port : 0
dst port : 0
*Jul 24 17:44:54.217 UTC: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CM_VPN_1, 245
*Jul 24 17:44:54.217 UTC: IPSEC(create_sa): sa created,
(sa) sa_dest= 199.52.8.132, sa_proto= 50,
sa_spi= 0x674EB6B4(1733211828),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 63
sa_lifetime(k/sec)= (4608000/28800),
(identity) local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0
*Jul 24 17:44:54.217 UTC: IPSEC(create_sa): sa created,
(sa) sa_dest= 63.88.1.108, sa_proto= 50,
sa_spi= 0xCBB0DDFB(3417366011),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 64
sa_lifetime(k/sec)= (4608000/28800),
(identity) local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0
*Jul 24 17:44:54.217 UTC: IPSEC(send_delete_notify_kmi): Inbound/outbound installation failed, not sending DECR
*Jul 24 17:44:54.218 UTC: IPSEC(update_current_outbound_sa): updated peer 63.88.1.108 current outbound sa to SPI 0
*Jul 24 17:44:54.218 UTC: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 199.52.8.132, sa_proto= 50,
sa_spi= 0x674EB6B4(1733211828),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 63
sa_lifetime(k/sec)= (4608000/28800),
(identity) local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0
*Jul 24 17:44:54.218 UTC: IPSEC(delete_sa): SA found saving DEL kmi
*Jul 24 17:44:54.218 UTC: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 63.88.1.108, sa_proto= 50,
sa_spi= 0xCBB0DDFB(3417366011),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 64
sa_lifetime(k/sec)= (4608000/28800),
(identity) local= 199.52.8.132:0, remote= 63.88.1.108:0,
local_proxy= 10.143.68.0/255.255.255.0/256/0,
remote_proxy= 10.145.241.80/255.255.255.240/256/0
*Jul 24 17:44:54.218 UTC: IPSEC(send_delete_notify_kmi): not sending KEY_ENG_NOTIFY_DECR_COUNT

I don't know this for a fact - but I think you are using a crypto combination not supported by your ASR 1k (could be related to software version or hardware). I *think* this is why it is sending the delete request - because the actual negotiation was fine.

Specifically, I can see you are trying to use SHA256.  Check out this:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtn18426/?referring_site=bugquickviewredir

I would try upgrading to a new train - or try SHA1 to prove the theory.
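The sequence Philip's theory rests on is visible in the debug itself: the proposal is accepted, both SAs are created with SPIs, then the local install fails and the same SPIs are deleted. As an added example (not code from the thread or from Cisco), a small Python parser over a constructed excerpt of the IOS "debug crypto ipsec" output above that separates "proposal rejected" from "negotiated OK, then local SA install failed" and reports the transform in play, so the transform-support hypothesis can be checked against a capture without reading it by hand:

```python
import re

# Constructed excerpt modelled on the "debug crypto ipsec" output posted above
SAMPLE_DEBUG = """\
*Jul 24 17:44:24.216 UTC: (ipsec_process_proposal)Map Accepted: CM_VPN_1, 245
*Jul 24 17:44:24.216 UTC: IPSEC(create_sa): sa created,
sa_spi= 0x95146119(2501140761),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 61
*Jul 24 17:44:24.217 UTC: IPSEC(create_sa): sa created,
sa_spi= 0xA2666A20(2724620832),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 62
*Jul 24 17:44:24.217 UTC: IPSEC(send_delete_notify_kmi): Inbound/outbound installation failed, not sending DECR
*Jul 24 17:44:24.217 UTC: IPSEC(delete_sa): deleting SA,
sa_spi= 0x95146119(2501140761),
*Jul 24 17:44:24.217 UTC: IPSEC(delete_sa): deleting SA,
sa_spi= 0xA2666A20(2724620832),
"""

SPI_RE = re.compile(r"sa_spi=\s*(0x[0-9A-Fa-f]+)")
TRANS_RE = re.compile(r"sa_trans=\s*(.+?)\s*,\s*sa_conn_id")

def analyze_ipsec_debug(text):
    """Walk the debug line by line; the sa_* lines that follow a create_sa /
    delete_sa header belong to that record, so track which one is open."""
    state = {"accepted": False, "install_failed": False,
             "created": [], "deleted": [], "transforms": set()}
    pending = None  # "created" or "deleted" while inside a multi-line SA record
    for line in text.splitlines():
        if "Map Accepted" in line:          # crypto map / proxy IDs negotiated fine
            state["accepted"] = True
        elif "IPSEC(create_sa): sa created" in line:
            pending = "created"
        elif "IPSEC(delete_sa): deleting SA" in line:
            pending = "deleted"
        elif "installation failed" in line:  # the error the thread asks about
            state["install_failed"] = True
        m = SPI_RE.search(line)
        if m and pending:
            state[pending].append(m.group(1))
        m = TRANS_RE.search(line)
        if m:
            state["transforms"].add(m.group(1).strip())
    if state["accepted"] and state["created"] and state["install_failed"]:
        state["verdict"] = "negotiated OK, local SA install failed"
    elif not state["accepted"]:
        state["verdict"] = "proposal not accepted"
    else:
        state["verdict"] = "no install failure seen"
    return state
```

If the verdict is "negotiated OK, local SA install failed" and the reported transform is the one both peers agreed on, the problem is on the local box (platform or software support for that transform), not in the IKE/IPsec negotiation itself.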

THANKS for the quick reply.  Will give that a try.
