09-17-2020 08:25 AM - edited 09-17-2020 08:26 AM
Hi
My company uses an ASA 5505 firewall to create an IPsec VPN tunnel with a partner; the partner company uses a Huawei firewall. The VPN tunnel works and the connection is established, but sometimes the connection is interrupted and there is no connectivity between the sites until the VPN tunnel is reset using the command
#clear crypto isakmp
While there was a connection between the sites I used the command # debug crypto ikev2 protocol
This is the output:
IKEv2-PROTO-1: (4): Failed to find a matching policy
IKEv2-PROTO-1: (4): Received Policies:
IKEv2-PROTO-1: (4): Failed to find a matching policy
IKEv2-PROTO-1: (4): Expected Policies:
IKEv2-PROTO-1: (4): Failed to find a matching policy
IKEv2-PROTO-1: (4):
IKEv2-PROTO-1: (4): Create child exchange failed
My company also has another ASA 5515 used for a VPN tunnel from another site to the same partner and the same Huawei firewall; the second tunnel works without issues.
Any ideas about this situation?
09-17-2020 08:28 AM
Hi @Qays
Check that the IPsec and ISAKMP lifetimes configured on the ASA 5505 are the same as those configured on the Huawei firewall. Ensure you have Dead Peer Detection (DPD) configured as well.
HTH
09-17-2020 09:47 AM - edited 09-20-2020 03:23 AM
Make sure you verify each side's config, or post the configuration so we can understand the issue.
Check more of the IPsec proposal:
09-20-2020 02:02 AM - edited 09-20-2020 02:06 AM
Hi
Thanks for the answer. I have checked the IPsec and ISAKMP lifetimes and the tunnel is working better, without interruption, until now. I also still receive this debug from the same peer.
This is the received debug:
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 3
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 5
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 6
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 7
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 8
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 9
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 10
IKEv2-PROTO-1: (21): Failed to find a matching policy
IKEv2-PROTO-1: (21): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA96 DH_GROUP_1536_MODP/Group 5
ESP: Proposal 2: AES-CBC-256 MD596 DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-1: (21): Failed to find a matching policy
IKEv2-PROTO-1: (21): Expected Policies:
IKEv2-PROTO-1: (21): Failed to find a matching policy
IKEv2-PROTO-1: (21):
IKEv2-PROTO-1: (21): Create child exchange failed
IKEv2-PLAT-1: Failed to decrement count for incoming negotiating
This is the configuration:
crypto ipsec ikev2 ipsec-proposal AES265-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map ###### match address #######
crypto map ###### set pfs group5
crypto map ###### set peer #######
crypto map ####### set ikev2 ipsec-proposal AES265-SHA1
crypto map ####### set security-association lifetime seconds 3600
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 5
 prf sha512
 lifetime seconds 86400
09-20-2020 03:17 AM
Thanks for the answer.
After I checked the IPsec and ISAKMP lifetimes the tunnel works better, but I still receive this debug from the same peer.
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 3
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 5
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 6
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 7
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 8
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 9
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 10
IKEv2-PROTO-1: (12): Failed to find a matching policy
IKEv2-PROTO-1: (12): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA96 DH_GROUP_1536_MODP/Group 5
ESP: Proposal 2: AES-CBC-256 MD596 DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-1: (12): Failed to find a matching policy
IKEv2-PROTO-1: (12): Expected Policies:
IKEv2-PROTO-5: (12): Failed to verify the proposed policies
IKEv2-PROTO-1: (12): Failed to find a matching policy
IKEv2-PROTO-2: (21): Sending DPD/liveness query
IKEv2-PROTO-2: (21): Process delete request from peer
The configuration:
crypto ipsec ikev2 ipsec-proposal AES265-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map ###### match address #######
crypto map ###### set pfs group5
crypto map ###### set peer #######
crypto map ####### set ikev2 ipsec-proposal AES265-SHA1
crypto map ####### set security-association lifetime seconds 3600
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 5
 prf sha512
 lifetime seconds 86400
09-20-2020 03:38 AM
Is your crypto map ACL that defines your interesting traffic correct between you and your peer? It should mirror your peer's ACL. The first message "No proxy match on map" implies that traffic was sent over the tunnel that is not expected.
Which device initiated the tunnel when it fails? You or the peer? Is PFS enabled on the peer?
FYI, group 5 is weak and will be deprecated in the latest versions of code; consider replacing it at some point.
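One way to triage this kind of IKEv2 debug output is to separate the two questions the answer above raises: does the peer's ESP proposal (cipher, integrity, PFS group) match what the ASA has configured, and are the "No proxy match" lines pointing at a traffic-selector (crypto map ACL) mismatch instead? The script below is an added example and not something posted in this thread or part of any Cisco tool. It parses the debug lines and the ASA config exactly as they were posted (sample input constructed from the thread, map names kept as "######"), translates the debug's algorithm names to ASA config keywords (the SHA96/MD596 to sha-1/md5 mapping follows from the posted config; the other table entries are this example's assumption), and reports which side of the negotiation actually disagrees. It compares text only; it does not reproduce the ASA's full negotiation logic.

```python
import re
from collections import defaultdict

# Constructed sample input: the debug lines and config posted in the thread,
# with the poster's anonymised map/ACL names ("######") left as they appear.
DEBUG_TEXT = """\
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 3
IKEv2-PROTO-1: (12): Failed to find a matching policy
IKEv2-PROTO-1: (12): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA96 DH_GROUP_1536_MODP/Group 5
ESP: Proposal 2: AES-CBC-256 MD596 DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-1: (12): Expected Policies:
IKEv2-PROTO-5: (12): Failed to verify the proposed policies
"""

ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES265-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map ###### set pfs group5
crypto map ###### set ikev2 ipsec-proposal AES265-SHA1
"""

# Assumed mapping from the algorithm names the IKEv2 debug prints to the
# keywords the ASA config uses. SHA96/MD596 are the 96-bit truncated HMACs
# seen on the page; the remaining entries are this example's assumption.
ENC_NAMES = {"AES-CBC-256": "aes-256", "AES-CBC-192": "aes-192",
             "AES-CBC-128": "aes", "3DES": "3des"}
INTEG_NAMES = {"SHA96": "sha-1", "MD596": "md5", "SHA256": "sha-256",
               "SHA384": "sha-384", "SHA512": "sha-512"}

PROPOSAL_RE = re.compile(
    r"ESP: Proposal (\d+): (\S+) (\S+)(?: DH_GROUP_\S+/Group (\d+))?")
PROXY_RE = re.compile(r"No proxy match on map (\S+?)\s*seq (\d+)")


def parse_received_proposals(lines):
    """ESP proposals the peer offered, as printed under 'Received Policies:'."""
    found = []
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            found.append({"num": int(m.group(1)), "enc": m.group(2),
                          "integ": m.group(3), "group": m.group(4)})
    return found


def parse_proxy_mismatches(lines):
    """Crypto-map sequence numbers whose traffic selectors did not match the peer's."""
    seqs = defaultdict(list)
    for line in lines:
        m = PROXY_RE.search(line)
        if m:
            seqs[m.group(1)].append(int(m.group(2)))
    return dict(seqs)


def parse_asa_config(config):
    """Collect ikev2 ipsec-proposals and per-map PFS groups from ASA config text."""
    proposals, pfs, current = {}, {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            current = parts[4]
            proposals[current] = {"enc": set(), "integ": set()}
        elif parts[:3] == ["protocol", "esp", "encryption"] and current:
            proposals[current]["enc"].update(parts[3:])
        elif parts[:3] == ["protocol", "esp", "integrity"] and current:
            proposals[current]["integ"].update(parts[3:])
        else:
            current = None  # any other top-level command ends the proposal submode
            if parts[:2] == ["crypto", "map"] and "pfs" in parts:
                last = parts[-1]
                pfs[parts[2]] = last[5:] if last.startswith("group") else "default"
    return {"proposals": proposals, "pfs": pfs}


def analyse(debug_text, config_text):
    """Decide whether the failure looks like a proposal/PFS or a traffic-selector mismatch."""
    lines = debug_text.splitlines()
    received = parse_received_proposals(lines)
    proxy = parse_proxy_mismatches(lines)
    cfg = parse_asa_config(config_text)
    findings = []
    for r in received:
        enc = ENC_NAMES.get(r["enc"], r["enc"].lower())
        integ = INTEG_NAMES.get(r["integ"], r["integ"].lower())
        transform_ok = any(enc in p["enc"] and integ in p["integ"]
                           for p in cfg["proposals"].values())
        # Peer's DH group must be one of the configured PFS groups; if the peer
        # proposes no group, only a config without PFS agrees with it.
        pfs_ok = r["group"] in cfg["pfs"].values() if r["group"] else not cfg["pfs"]
        findings.append({"proposal": r["num"], "transform_match": transform_ok,
                         "pfs_match": pfs_ok})
    if received and all(f["transform_match"] and f["pfs_match"] for f in findings):
        verdict = "traffic-selector" if proxy else "unknown"
    elif received:
        verdict = "proposal"
    else:
        verdict = "unknown"
    return {"received": received, "proxy_mismatch": proxy,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = analyse(DEBUG_TEXT, ASA_CONFIG)
    for f in result["findings"]:
        print(f"proposal {f['proposal']}: transform match={f['transform_match']}, "
              f"pfs match={f['pfs_match']}")
    print("proxy mismatches:", result["proxy_mismatch"])
    print("verdict:", result["verdict"])
```

On the thread's own data both of the peer's proposals match the configured aes-256 with sha-1 or md5 and the group5 PFS setting, so the script reports "traffic-selector": the remaining work is comparing the crypto map ACL with the peer's selectors, which is the check the answer above recommends.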
09-20-2020 03:56 AM
I can't access the partner peer configuration, but he should have configured all parameters correctly; also, the ACL should be correct. I will contact the partner for confirmation.
Also, my device's role is RESPONDER.
Thanks for the reply