ASA 5506 IKEv2 IPSec L2L with cert - "conn_type 16 not allowed"??

train00wreck
Level 1

Hi, I found an old ASA 5506-X device in my closet and was going to try to make one last attempt at setting up an IKEv2 site-to-site VPN with certificates to a Linux Strongswan peer. I have a private CA that signs certs with openssl. The Linux peer has a CA/gateway cert installed on it that has no problems making other IPSec connections with its certificates. I imported the CA into a trustpoint on the ASA and enrolled/imported a cert for it. The connection is failing with "debug crypto ca 14" output of "conn_type 16 not allowed". Like most of my problems in networking, when I google that error message I get 4 results on the entire internet, all of which have similar errors but with no relevant solutions. I am posting the ASA config and debug output below; I can post other things, but man was it a PITA to sanitize all of this... Thanks in advance.

: Saved

:
: Serial Number: sn
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.16(2)
!
hostname TESTASA
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 172.16.16.9 255.255.255.192
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel150
nameif TESTVTI
ip address 169.254.0.1 255.255.255.252
tunnel source interface outside
tunnel destination 172.16.16.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile 1
!
boot system disk0:/asa9-16-2-lfbff-k8.SPA
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 172.16.16.1 1
route TESTVTI 172.16.16.144 255.255.255.240 172.16.16.145 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL auto-enable
aaa authentication login-history
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal 1
protocol esp encryption aes
protocol esp integrity sha-256
crypto ipsec profile 1
set ikev2 ipsec-proposal 1
set pfs group14
set security-association lifetime kilobytes unlimited
set security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto ca certificate map CMAP 10
subject-name attr cn eq REMOTE.HOST.COM
crypto ca trustpoint MY_CA_2025
enrollment terminal
fqdn none
subject-name CN=ASACERT.HOST.COM
keypair VPNRSA
no validation-usage
ignore-ipsec-keyusage
crl configure
crypto ca trustpool policy
crypto ca certificate chain MY_CA_2025
certificate ca 1fb4e9eed31858325f43f718b2c6de804cb07f65
xxxxxxxxxxxxxxxxxxxxx
quit
certificate 59e1999c053b99ae81e8fd15c5ca46689544b6db
xxxxxxxxxxxxxxxxxxxxx
quit
crypto ikev2 policy 1
encryption aes
integrity sha
group 14
prf sha
lifetime seconds 28800
crypto ikev2 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh key-exchange hostkey eddsa
ssh 0.0.0.0 0.0.0.0 inside_1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.16.1
dynamic-access-policy-record DfltAccessPolicy
username wil password ***** pbkdf2 privilege 15
tunnel-group 172.16.16.1 type ipsec-l2l
tunnel-group 172.16.16.1 ipsec-attributes
peer-id-validate nocheck
chain
ikev2 rsa-sig-hash sha1
ikev2 remote-authentication certificate
ikev2 local-authentication certificate MY_CA_2025
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect snmp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:575f48f03560e66e182fe91c4548c42b
: end
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): Action: Action_Null
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-4: (149): Process auth response notify
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PLAT-4: (149): peer auth method set to: 1
PKI[13]: CERT_GetDNbyBuffer, vpn3k_cert_api.c:1294
PKI[14]: map_status, vpn3k_cert_api.c:2512

Der string is cn=REMOTE.HOST.COM
Subject_name printable string is cn=REMOTE.HOST.COM
subject_name length is : 26IKEv2-PROTO-7: Verify peer's authentication data - DN Identity check Passed.

PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-4: (149): Searching policy based on peer's identity 'cn=REMOTE.HOST.COM' of type 'DER ASN1 DN'
PKI[13]: CERT_AddPeerCert, vpn3k_cert_api.c:533
PKI[14]: map_status, vpn3k_cert_api.c:2512
IKEv2-PLAT-4: (149): Site to Site connection detected
IKEv2-PLAT-4: connection initiated with tunnel group 172.16.16.1
IKEv2-PLAT-4: (149): Peer ID check not requested
PKI[13]: CERT_GetTrustPointSigAlg, vpn3k_cert_api.c:3521
PKI[13]: label: MY_CA_2025
IKEv2-PLAT-4: my_auth_method = 1
IKEv2-PLAT-4: supported_peers_auth_method = 41
IKEv2-PLAT-4: (149): P1 ID = 0
IKEv2-PLAT-4: (149): Translating IKE_ID_AUTO to = 9
PKI[13]: CERT_Open, vpn3k_cert_api.c:197
PKI[13]: label: MY_CA_2025
PKI[8]: PKI session 0x06329d51 open Successful with type IPsec
PKI[13]: CERT_GetDN, vpn3k_cert_api.c:1472
PKI[7]: Get Certificate Chain: session=103980369 options=0x20 trustpoint=MY_CA_2025
PKI[14]: map_status, vpn3k_cert_api.c:2512
PKI[13]: CERT_GetDNbyBuffer, vpn3k_cert_api.c:1294
PKI[14]: map_status, vpn3k_cert_api.c:2512
PKI[13]: CERT_GetDN, vpn3k_cert_api.c:1472
PKI[7]: Get Certificate Chain: session=103980369 options=0x20 trustpoint=MY_CA_2025
PKI[14]: map_status, vpn3k_cert_api.c:2512
PKI[13]: CERT_GetDNbyBuffer, vpn3k_cert_api.c:1294
PKI[14]: map_status, vpn3k_cert_api.c:2512
PKI[13]: CERT_Close, vpn3k_cert_api.c:291
PKI[8]: Close session 0x06329d51 synchronously
PKI[13]: pki_ossl_free_valctx, pki_ossl_validate.c:251
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-4: (149): Verify peer's policy
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-4: (149): Peer's policy verified
PKI[7]: Retrieve Chain: session=0x062e1279 chain=TRUE max_on_chain=10
PKI[7]: Get Certificate Chain: session=103682681 options=0x0 trustpoint=MY_CA_2025
PKI[7]: Retrieve Chain: number of certs returned=2
PKI[14]: map_status, vpn3k_cert_api.c:2512
PKI[14]: CERT_FreeCertBuffer, vpn3k_cert_api.c:3296
PKI[14]: CERT_GetIDSubjectDN, vpn3k_cert_api.c:3331
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): Matching certificate found
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-4: (149): Get peer's authentication method
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-4: (149): Peer's authentication method is 'RSA'
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CERT_ENC
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_X509_CERTS
PKI[13]: CERT_Authenticate, vpn3k_cert_api.c:863
PKI[8]: Authenticate session 0x062e1279, non-blocking cb=0x000055f0805dff9b
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2913
IKEv2-PLAT-4: (149): Certificate validation queued
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NO_EVENT
PKI[9]: CERT API thread wakes up!
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2811
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2746
PKI[8]: process msg cmd=0, session=0x062e1279
PKI[9]: Async locked for session 0x062e1279
PKI[12]: pki_ossl_verify_chain_of_certs, pki_ossl_validate.c:1052
PKI[7]: Begin cert chain validation for session 0x062e1279
PKI[12]: pki_ossl_find_valid_chain, pki_ossl_validate.c:472
PKI[8]: Begin sorted cert chain
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:119
PKI[8]: ---------Certificate--------:
Serial Number:
59:e1:99:9c:05:3b:99:ae:81:e8:fd:15:c5:ca:46:68:95:44:b6:d0
Issuer: CN=MY_CA_2025
Subject: CN=REMOTE.HOST.COM

PKI[8]: End sorted cert chain
PKI[13]: pki_ossl_get_store, pki_ossl_certstore.c:61
PKI[12]: pki_ossl_rebuild_ca_store, pki_ossl_certstore.c:194
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:42
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:42
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:119
PKI[7]: Cert to verify
PKI[7]: ---------Certificate--------:
Serial Number:
59:e1:99:9c:05:3b:99:ae:81:e8:fd:15:c5:ca:46:68:95:44:b6:d0
Issuer: CN=MY_CA_2025
Subject: CN=REMOTE.HOST.COM

PKI[12]: pki_verify_cb, pki_ossl_validate.c:358
PKI[8]: val status=1: cert subject: /CN=MY_CA_2025. ctx->error: (0)ok, cert_idx: 1
PKI[12]: pki_verify_cb, pki_ossl_validate.c:358
PKI[8]: val status=1: cert subject: /CN=REMOTE.HOST.COM. ctx->error: (0)ok, cert_idx: 0
PKI[8]: pki_ossl_find_valid_chain took 1557 microsecs
PKI[6]: Verified chain:
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:119
PKI[6]: ---------Certificate--------:
Serial Number:
59:e1:99:9c:05:3b:99:ae:81:e8:fd:15:c5:ca:46:68:95:44:b6:d0
Issuer: CN=MY_CA_2025
Subject: CN=REMOTE.HOST.COM

PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:119
PKI[6]: ---------Certificate--------:
Serial Number:
1f:b4:e9:ee:d3:18:58:32:5f:43:f7:18:b2:c6:de:80:4c:b0:7f:65
Issuer: CN=MY_CA_2025
Subject: CN=MY_CA_2025

PKI[13]: pki_ossl_policy_select, pki_ossl_policy.c:546
PKI[9]: Policy search for cert 0
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:223
PKI[13]: get_policy_list, pki_ossl_policy.c:106
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:42
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:349
PKI[9]: Evaluating policy MY_CA_2025 for conn type 0x10
PKI[9]: pki_is_policy_match: policy MY_CA_2025 rejected (usage: 6784). conn_type 16 not allowed
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:349
PKI[9]: Evaluating policy Trustpool for conn type 0x10
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:73
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
PKI[9]: Policy search for cert 1
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:223
PKI[13]: get_policy_list, pki_ossl_policy.c:106
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:42
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:349
PKI[9]: Evaluating policy MY_CA_2025 for conn type 0x10
PKI[9]: pki_is_policy_match: policy MY_CA_2025 rejected (usage: 6784). conn_type 16 not allowed
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:349
PKI[9]: Evaluating policy Trustpool for conn type 0x10
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:73
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
PKI[4]: Unable to find policy
PKI[12]: pki_ossl_do_callback, pki_ossl_validate.c:164
IKEv2-PLAT-4: Certificate validation completed
PKI[9]: Async unlocked for session 0x062e1279
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): Failed to verify certificate.
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_FAIL_RECD_VERIFY_CERT
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): Action: Action_Null
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CERT_FAIL
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-4: (149): Verify cert failed
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-4: (149): Auth exchange failed
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-2: (149): Auth exchange failed
IKEv2-PROTO-2: (149): Auth exchange failed
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PLAT-7: Negotiating SA request deleted
IKEv2-PLAT-7: Decrement count for outgoing negotiating
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-7: (149): SM Trace-> SA: I_SPI=8293163FFD2673E1 R_SPI=13E2C7B8E57DF3F4 (I) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-4: (149): Abort exchange
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
IKEv2-PROTO-4: (149): Deleting SA
IKEv2-PROTO-7: Freeing all fragments in INBOUND fragment list
PKI[13]: CERT_Close, vpn3k_cert_api.c:291
PKI[8]: Close session 0x062e1279 synchronously
PKI[13]: pki_ossl_free_valctx, pki_ossl_validate.c:251
IKEv2-PLAT-4: (149): PSH cleanup
PKI[9]: CERT API thread sleeps!
IKEv2-PLAT-4: Received PFKEY delete SA for SPI 0xAD2B3FCB error FALSE
IKEv2-PLAT-4: PFKEY Delete Ack from IPSec
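A small triage script, added here and not part of the original post, that pulls the policy verdicts out of the "debug crypto ca" output above and cross-references each rejected policy name with that trustpoint's validation-usage line in the config. The embedded inputs are constructed excerpts of the post's own config and debug; the function names are mine, and the reading that the trustpoint's "no validation-usage" line is what the "conn_type 16 not allowed" rejection reflects is my assumption, not something the thread states.

```python
import re

# Constructed excerpts of the trustpoint config and "debug crypto ca 14" output from the post above
ASA_CONFIG = """\
crypto ca trustpoint MY_CA_2025
enrollment terminal
keypair VPNRSA
no validation-usage
ignore-ipsec-keyusage
crypto ca trustpool policy
"""
CA_DEBUG = """\
PKI[9]: Policy search for cert 0
PKI[9]: Evaluating policy MY_CA_2025 for conn type 0x10
PKI[9]: pki_is_policy_match: policy MY_CA_2025 rejected (usage: 6784). conn_type 16 not allowed
PKI[9]: Evaluating policy Trustpool for conn type 0x10
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
PKI[4]: Unable to find policy
"""
REJECT_RE = re.compile(r"policy (\S+) rejected(?: \(usage: (\d+)\))?\. (.+)$")


def trustpoint_usage(config: str) -> dict:
    """Map each 'crypto ca trustpoint' block to its validation-usage line (config has no indentation)."""
    usage, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ca trustpoint (\S+)", line)
        if m:
            current = m.group(1)
            usage[current] = "validation-usage not set (ASA default)"
        elif line.startswith("crypto "):
            current = None  # any other top-level crypto command ends the trustpoint block
        elif current and re.match(r"\s*(no )?validation-usage", line):
            usage[current] = line.strip()
    return usage


def policy_rejections(debug: str) -> list:
    """Collect every 'policy X rejected ...' verdict, tagged with the chain cert being checked."""
    verdicts, cert_idx = [], None
    for line in debug.splitlines():
        m = re.search(r"Policy search for cert (\d+)", line)
        if m:
            cert_idx = int(m.group(1))
            continue
        m = REJECT_RE.search(line)
        if m:
            verdicts.append({"cert": cert_idx, "policy": m.group(1),
                             "usage": m.group(2), "reason": m.group(3)})
    return verdicts


def triage(config: str, debug: str) -> list:
    """Cross-reference each rejection with the named trustpoint's validation-usage setting."""
    usage = trustpoint_usage(config)
    findings = []
    for v in policy_rejections(debug):
        setting = usage.get(v["policy"], "not a configured trustpoint")
        findings.append(f"cert {v['cert']}: policy {v['policy']} rejected ({v['reason']}); {setting}")
    if "Unable to find policy" in debug:
        findings.append("no policy accepted the chain, so certificate validation failed")
    return findings
```

Run against a full "show run" and debug capture, the same functions report every trustpoint and every rejected policy rather than just this excerpt.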

6 Replies

MHM

Not a valid command.... if you meant "nocheck", then that is already in the config, as shown in my post.......

TESTASA(config-tunnel-ipsec)# peer-id-validate none
                                                ^
ERROR: % Invalid input detected at '^' marker.
TESTASA(config-tunnel-ipsec)#

 

MHM

MHM

With all due respect, can you please stop replying to my posts? Twice now you have made incorrect statements on what I have or haven't done. Clearly you are either not reading the original post, or are not understanding it. It's a waste of everyone's time.

Any ideas anyone here? I realize this is kind of a dead-end device, but I figured I would try doing this one more time before I throw it in the garbage.