ASA -> CSR 1000V IKEV2 VPN PEER IP CHANGE HELP

tomocita
Level 1

Hi all, any help is much appreciated on this!

 

My setup is a VPN tunnel between an ASA and a CSR1000v using IKEv2.

 

I need to change the outside interface IP on the ASA which the CSR peers with.

What I've tried:

  • changed the IP on the ASA interface
  • changed the CSR crypto map peer
  • changed the CSR ikev2 profile remote address

That didn't work so I tried also:

  • on CSR I made a new crypto ikev2 profile with the new remote address and same pre-share key.
  • also updated the CSR crypto map to the new profile.

The tunnel is failing to work and I have never performed this before. I cannot find relevant documentation. All I find is ASA>ASA guides or Router-Router.

 

Thank you

18 Replies

@tomocita 

What identity are you matching on under the IKEv2 profile? The identity can be defined as an IP address, so you might need to change it to reflect the new IP address of the ASA.

 

You could also run the command "show run | inc <ASA old IP address>"


If in doubt send the configuration so we can help you.

Thank you for the reply Rob!

 

The CSR is matching the identity of the remote address which is the ASA's outside interface IP.

 

I have changed everything in the CSR config that was the old ASA IP to the new IP.

 

Still no luck

 

show run | inc 10.10.10.10 returns: (I have used placeholder IP for security)

match identity remote address 10.10.10.10 255.255.255.255
set peer 10.10.10.10

 

These are the changes I've made.

####ASA####
interface gi0/0 ip address 20.20.20.20 255.255.255.248

####CSR####

crypto map mappy 10 ipsec-isakmp
no set peer 10.10.10.10
set peer 20.20.20.20

 

crypto ikev2 profile profile1
no match identity remote address 10.10.10.10 255.255.255.255
match identity remote address 20.20.20.20 255.255.255.255

@tomocita are you generating traffic from an IP address defined in the crypto ACL in order for the tunnel to be established?

Can you enable IKEv2 debugs, generate traffic and provide the output for review please

 

@Rob Ingram  I am generating traffic from the network behind the ASA and sending it to the CSR. 

 

Here is the "crypto ikev2 debug":

 

*Jun 23 14:42:40.871: IKEv2:Received Packet [From 20.20.20.20:500/To 10.50.0.5:500/VRF i0:f0]
Initiator SPI : 93FD8ADCA1C56152 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID

*Jun 23 14:42:40.871: IKEv2:(SESSION ID = 14,SA ID = 1):Verify SA init message
*Jun 23 14:42:40.871: IKEv2:(SESSION ID = 14,SA ID = 1):Insert SA
*Jun 23 14:42:40.871: IKEv2:Searching Policy with fvrf 0, local address 10.50.0.5
*Jun 23 14:42:40.871: IKEv2:Found Policy 'policy1'
*Jun 23 14:42:40.871: IKEv2:(SESSION ID = 14,SA ID = 1):Processing IKE_SA_INIT message
*Jun 23 14:42:40.872: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 23 14:42:40.872: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2391324281'
*Jun 23 14:42:40.872: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 23 14:42:40.872: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Jun 23 14:42:40.872: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Jun 23 14:42:40.873: IKEv2:(SESSION ID = 14,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jun 23 14:42:40.873: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 23 14:42:40.873: IKEv2:(SESSION ID = 14,SA ID = 1):Request queued for computation of DH key
*Jun 23 14:42:40.873: IKEv2:(SESSION ID = 14,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jun 23 14:42:40.874: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 23 14:42:40.874: IKEv2:(SESSION ID = 14,SA ID = 1):Request queued for computation of DH secret
*Jun 23 14:42:40.874: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jun 23 14:42:40.874: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jun 23 14:42:40.874: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jun 23 14:42:40.874: IKEv2:(SESSION ID = 14,SA ID = 1):Generating IKE_SA_INIT message
*Jun 23 14:42:40.874: IKEv2:(SESSION ID = 14,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Jun 23 14:42:40.874: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 23 14:42:40.874: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2391324281'
*Jun 23 14:42:40.874: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 23 14:42:40.874: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Jun 23 14:42:40.875: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Jun 23 14:42:40.875: IKEv2:(SESSION ID = 14,SA ID = 1):Sending Packet [To 20.20.20.20:500/From 10.50.0.5:500/VRF i0:f0]
Initiator SPI : 93FD8ADCA1C56152 - Responder SPI : F916A6AACAB0C4B3 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Jun 23 14:42:40.876: IKEv2:(SESSION ID = 14,SA ID = 1):Completed SA init exchange
*Jun 23 14:42:40.876: IKEv2:(SESSION ID = 14,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jun 23 14:43:10.876: IKEv2-ERROR:(SESSION ID = 14,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
*Jun 23 14:43:10.876: IKEv2:(SESSION ID = 14,SA ID = 1):Auth exchange failed
*Jun 23 14:43:10.876: IKEv2-ERROR:(SESSION ID = 14,SA ID = 1):: Auth exchange failed
*Jun 23 14:43:10.876: IKEv2:(SESSION ID = 14,SA ID = 1):Abort exchange
*Jun 23 14:43:10.876: IKEv2:(SESSION ID = 14,SA ID = 1):Deleting SA

*Jun 23 14:43:40.296: IKEv2:Received Packet [From 20.20.20.20:500/To 10.50.0.5:500/VRF i0:f0]
Initiator SPI : 93FD8ADCA1C56152 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID

*Jun 23 14:43:40.296: IKEv2:(SESSION ID = 15,SA ID = 1):Verify SA init message
*Jun 23 14:43:40.296: IKEv2:(SESSION ID = 15,SA ID = 1):Insert SA
*Jun 23 14:43:40.296: IKEv2:Searching Policy with fvrf 0, local address 10.50.0.5
*Jun 23 14:43:40.296: IKEv2:Found Policy 'policy1'
*Jun 23 14:43:40.296: IKEv2:(SESSION ID = 15,SA ID = 1):Processing IKE_SA_INIT message
*Jun 23 14:43:40.297: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 23 14:43:40.297: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2391324281'
*Jun 23 14:43:40.297: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 23 14:43:40.297: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Jun 23 14:43:40.298: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Jun 23 14:43:40.298: IKEv2:(SESSION ID = 15,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jun 23 14:43:40.298: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 23 14:43:40.298: IKEv2:(SESSION ID = 15,SA ID = 1):Request queued for computation of DH key
*Jun 23 14:43:40.298: IKEv2:(SESSION ID = 15,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jun 23 14:43:40.299: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 23 14:43:40.300: IKEv2:(SESSION ID = 15,SA ID = 1):Request queued for computation of DH secret
*Jun 23 14:43:40.300: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jun 23 14:43:40.300: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jun 23 14:43:40.300: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jun 23 14:43:40.300: IKEv2:(SESSION ID = 15,SA ID = 1):Generating IKE_SA_INIT message
*Jun 23 14:43:40.300: IKEv2:(SESSION ID = 15,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Jun 23 14:43:40.300: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 23 14:43:40.300: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2391324281'
*Jun 23 14:43:40.300: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 23 14:43:40.300: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Jun 23 14:43:40.300: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Jun 23 14:43:40.301: IKEv2:(SESSION ID = 15,SA ID = 1):Sending Packet [To 20.20.20.20:500/From 10.50.0.5:500/VRF i0:f0]
Initiator SPI : 93FD8ADCA1C56152 - Responder SPI : 7A5D4F025909ED6D Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Jun 23 14:43:40.301: IKEv2:(SESSION ID = 15,SA ID = 1):Completed SA init exchange
*Jun 23 14:43:40.301: IKEv2:(SESSION ID = 15,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jun 23 14:43:40.304: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000003661225317773 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 10.50.0.5, src_addr= 10.56.0.1, prot= 1
CSR1000V#
*Jun 23 14:44:10.301: IKEv2-ERROR:(SESSION ID = 15,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
*Jun 23 14:44:10.302: IKEv2:(SESSION ID = 15,SA ID = 1):Auth exchange failed
*Jun 23 14:44:10.302: IKEv2-ERROR:(SESSION ID = 15,SA ID = 1):: Auth exchange failed
*Jun 23 14:44:10.302: IKEv2:(SESSION ID = 15,SA ID = 1):Abort exchange
*Jun 23 14:44:10.302: IKEv2:(SESSION ID = 15,SA ID = 1):Deleting SA

@tomocita it's failing authentication. Please provide your configuration and the output of "show crypto pki certificates"

@Rob Ingram Here is the CSR config, please note I have removed confidential information, routing and ACLs etc. Hopefully this is still okay. Many thanks!

 

I feel like it needs "rekey'ing" or something for new certs but I have no idea how and any guides I find online are based on ASA>ASA setups.

 

CSR RUNNING-CONFIG

Building configuration...

Current configuration : 8831 bytes
!
! Last configuration change at 14:19:23 UTC Wed Jun 23 2021
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname CSR1000V
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
no ip domain lookup
!
!
!
ipv6 unicast-routing
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2391324281
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2391324281
revocation-check none
rsakeypair TP-self-signed-2391324281
!
!
crypto pki certificate chain TP-self-signed-2391324281
certificate self-signed 01
quit
!
!
!
!
!
license udi pid CSR1000V sn 9PCI9LD5MKL
license boot level ax
!
spanning-tree extend system-id
!
!
redundancy
!
crypto ikev2 proposal aes-cbc-256-proposal
encryption aes-cbc-256
integrity sha256
group 19
!
crypto ikev2 policy policy1
match address local 10.50.0.5
proposal aes-cbc-256-proposal
!
!
crypto ikev2 profile profile1
match address local 10.50.0.5
match identity remote address 20.20.20.20 255.255.255.255
authentication local pre-share key password
authentication remote pre-share key password
!
!
!
!
!
!
crypto ipsec transform-set ESP-AES-SHA2 esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
!
crypto map mappy 10 ipsec-isakmp
set peer 20.20.20.20
set transform-set ESP-AES-SHA2
set pfs group19
set ikev2-profile profile1
match address IPSEC_TRAFFIC
!
!
!
!
!
interface GigabitEthernet1
description ** To Firewall **
ip address 10.50.0.5 255.255.255.0
negotiation auto
crypto map mappy
!
interface GigabitEthernet2
description ** To Azure **
mac-address 0012.1212.1212
ip address 10.60.20.4 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
router isis 2020
net 00.0000.0000.0012.00
is-type level-2-only
metric-style wide
log-adjacency-changes all
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.56.0.1
!

ip access-list extended INSIDE
permit icmp any any
deny ip any any log-input
ip access-list extended IPSEC_TRAFFIC


ip access-list extended temp-crypto-map
permit ip any any
permit icmp any any
!
logging origin-id string CSR

!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
history size 256
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
no login
history size 256
!
!
end

CSR1000V#

 

#show crypto pki certificates
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-2391324281
Subject:
Name: IOS-Self-Signed-Certificate-2391324281
cn=IOS-Self-Signed-Certificate-2391324281
Validity Date:
start date: 12:34:55 UTC May 25 2015
end date: 00:00:00 UTC Jan 1 2020
Associated Trustpoints: TP-self-signed-2391324281
Storage: nvram:IOS-Self-Sig#1.cer

Did you modify the IKEv2 profile for the local identity? You identify the local identity with the command "identity local....." Modify as below:-

 

crypto ikev2 profile profile1
 no match address local 10.50.0.5
 identity local address 10.5.0.5

 

@Rob Ingram I have not, these were the only changes made

 

"####ASA####
interface gi0/0 ip address 20.20.20.20 255.255.255.248

####CSR####

crypto map mappy 10 ipsec-isakmp
no set peer 10.10.10.10
set peer 20.20.20.20

 

crypto ikev2 profile profile1
no match identity remote address 10.10.10.10 255.255.255.255
match identity remote address 20.20.20.20 255.255.255.255"

 

 

crypto ikev2 profile profile1
 no match address local 10.50.0.5
 identity local address 10.5.0.5

The CSR interface (internet facing) IP is 10.50.0.5, will I not have to change that as well?

I didn't think I would need to as only the ASA's outside IP is changing.

 

Please let me know if I've got the wrong end of the stick here.


@Rob Ingram wrote:

Did you modify the IKEv2 profile for the local identity? You identify the local identity with the command "identity local....." Modify as below:-

 

crypto ikev2 profile profile1
 no match address local 10.50.0.5
 identity local address 10.5.0.5

 


Just tried this configuration change and no luck.

@tomocita Your debug only appears to be doing certificate authentication, but your CSR is configured to do PSK. Is there more debug from the CSR that you've not provided?

 

Can you provide the ASA debugs as well.

 

Check the identity being sent from the ASA - "crypto isakmp identity address|auto|hostname" should use auto or address.

@Rob Ingram Hmmm, interesting. Hoping this additional info helps: the debugs are from the same times on each device.

 

 

ASA CRYPTO DEBUG

10.120.32.100 = public azure IP for CSR

 

Jun 23 2021 15:53:06: %ASA-6-302016: Teardown UDP connection 105 for outside:10.120.32.100/500 to identity:20.20.20.20/500 duration 0:07:24 bytes 5348
Jun 23 2021 16:00:31: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = AZMAP. Map Sequence Number = 1.
Jun 23 2021 16:00:31: %ASA-5-750001: Local:20.20.20.20:500 Remote:10.120.32.100:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = A5
Jun 23 2021 16:00:31: %ASA-6-302015: Built outbound UDP connection 116 for outside:10.120.32.100/500 (10.120.32.100/500) to identity:20.20.20.20/500 (20.20.20.20/500)
OUT-AZ-PRODASA1-BRW# IKEv2-PROTO-1: (10): Maximum number of retransmissions reached
IKEv2-PROTO-1: (10):
IKEv2-PROTO-1: (10): Initial exchange failed
IKEv2-PROTO-1: (10): Initial exchange failed
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer.

 

 

 CSR CRYPTO DEBUG

*Jun 23 16:00:31.937: IKEv2:Received Packet [From 20.20.20.20:500/To 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID

*Jun 23 16:00:31.938: IKEv2:(SESSION ID = 25,SA ID = 1):Verify SA init message
*Jun 23 16:00:31.938: IKEv2:(SESSION ID = 25,SA ID = 1):Insert SA
*Jun 23 16:00:31.938: IKEv2:Searching Policy with fvrf 0, local address 10.50.0.4
*Jun 23 16:00:31.938: IKEv2:Found Policy 'policy1'
*Jun 23 16:00:31.938: IKEv2:(SESSION ID = 25,SA ID = 1):Processing IKE_SA_INIT message
*Jun 23 16:00:31.940: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 23 16:00:31.940: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2391324281'
*Jun 23 16:00:31.940: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 23 16:00:31.940: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Jun 23 16:00:31.940: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Jun 23 16:00:31.940: IKEv2:(SESSION ID = 25,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jun 23 16:00:31.940: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 23 16:00:31.940: IKEv2:(SESSION ID = 25,SA ID = 1):Request queued for computation of DH key
*Jun 23 16:00:31.940: IKEv2:(SESSION ID = 25,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jun 23 16:00:31.942: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 23 16:00:31.942: IKEv2:(SESSION ID = 25,SA ID = 1):Request queued for computation of DH secret
*Jun 23 16:00:31.942: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jun 23 16:00:31.942: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jun 23 16:00:31.942: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jun 23 16:00:31.942: IKEv2:(SESSION ID = 25,SA ID = 1):Generating IKE_SA_INIT message
*Jun 23 16:00:31.942: IKEv2:(SESSION ID = 25,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Jun 23 16:00:31.942: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 23 16:00:31.942: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2391324281'
*Jun 23 16:00:31.942: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 23 16:00:31.942: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Jun 23 16:00:31.942: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Jun 23 16:00:31.942: IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 20.20.20.20:500/From 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 0938DB8167300856 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Jun 23 16:00:31.943: IKEv2:(SESSION ID = 25,SA ID = 1):Completed SA init exchange
*Jun 23 16:00:31.943: IKEv2:(SESSION ID = 25,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jun 23 16:00:31.947: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000008272885213735 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 10.50.0.4, src_addr= 10.50.0.1, prot= 1
*Jun 23 16:00:33.750: IKEv2:(SESSION ID = 25,SA ID = 1):Retransmitting packet

*Jun 23 16:00:33.750: IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 20.20.20.20:500/From 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 0938DB8167300856 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Jun 23 16:00:33.751: IKEv2:(SESSION ID = 25,SA ID = 1):Packet is a retransmission
*Jun 23 16:00:33.751: IKEv2-ERROR:: Packet is a retransmission
*Jun 23 16:00:37.400: IKEv2:(SESSION ID = 25,SA ID = 1):Retransmitting packet

*Jun 23 16:00:37.400: IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 20.20.20.20:500/From 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 0938DB8167300856 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Jun 23 16:00:37.401: IKEv2:(SESSION ID = 25,SA ID = 1):Packet is a retransmission
*Jun 23 16:00:37.401: IKEv2-ERROR:: Packet is a retransmission
*Jun 23 16:00:45.200: IKEv2:(SESSION ID = 25,SA ID = 1):Retransmitting packet

*Jun 23 16:00:45.200: IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 20.20.20.20:500/From 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 0938DB8167300856 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Jun 23 16:00:45.201: IKEv2:(SESSION ID = 25,SA ID = 1):Packet is a retransmission
*Jun 23 16:00:45.201: IKEv2-ERROR:: Packet is a retransmission
*Jun 23 16:00:59.918: IKEv2:(SESSION ID = 25,SA ID = 1):Retransmitting packet

*Jun 23 16:00:59.918: IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 20.20.20.20:500/From 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 0938DB8167300856 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Jun 23 16:00:59.919: IKEv2:(SESSION ID = 25,SA ID = 1):Packet is a retransmission
*Jun 23 16:00:59.919: IKEv2-ERROR:: Packet is a retransmission
*Jun 23 16:01:01.943: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
*Jun 23 16:01:01.943: IKEv2:(SESSION ID = 25,SA ID = 1):Auth exchange failed
*Jun 23 16:01:01.944: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):: Auth exchange failed
*Jun 23 16:01:01.944: IKEv2:(SESSION ID = 25,SA ID = 1):Abort exchange
*Jun 23 16:01:01.944: IKEv2:(SESSION ID = 25,SA ID = 1):Deleting SA

*Jun 23 16:01:29.807: IKEv2:Received Packet [From 20.20.20.20:500/To 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID

*Jun 23 16:01:29.807: IKEv2:(SESSION ID = 26,SA ID = 1):Verify SA init message
*Jun 23 16:01:29.807: IKEv2:(SESSION ID = 26,SA ID = 1)
LMAZCSRPRD001#:Insert SA
*Jun 23 16:01:29.807: IKEv2:Searching Policy with fvrf 0, local address 10.50.0.4
*Jun 23 16:01:29.807: IKEv2:Found Policy 'policy1'
*Jun 23 16:01:29.807: IKEv2:(SESSION ID = 26,SA ID = 1):Processing IKE_SA_INIT message
*Jun 23 16:01:29.808: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 23 16:01:29.808: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2391324281'
*Jun 23 16:01:29.808: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 23 16:01:29.808: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Jun 23 16:01:29.808: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Jun 23 16:01:29.808: IKEv2:(SESSION ID = 26,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jun 23 16:01:29.809: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 23 16:01:29.809: IKEv2:(SESSION ID = 26,SA ID = 1):Request queued for computation of DH key
*Jun 23 16:01:29.809: IKEv2:(SESSION ID = 26,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jun 23 16:01:29.810: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 23 16:01:29.810: IKEv2:(SESSION ID = 26,SA ID = 1):Request queued for computation of DH secret
*Jun 23 16:01:29.810: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jun 23 16:01:29.810: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jun 23 16:01:29.810: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jun 23 16:01:29.810: IKEv2:(SESSION ID = 26,SA ID = 1):Generating IKE_SA_INIT message
*Jun 23 16:01:29.810: IKEv2:(SESSION ID = 26,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Jun 23 16:01:29.810: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 23 16:01:29.810: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2391324281'
*Jun 23 16:01:29.810: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 23 16:01:29.810: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Jun 23 16:01:29.810: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Jun 23 16:01:29.811: IKEv2:(SESSION ID = 26,SA ID = 1):Sending Packet [To 20.20.20.20:500/From 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 66679A9605CEFE6F Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Jun 23 16:01:29.811: IKEv2:(SESSION ID = 26,SA ID = 1):Completed SA init exchange
*Jun 23 16:01:29.811: IKEv2:(SESSION ID = 26,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jun 23 16:01:59.811: IKEv2-ERROR:(SESSION ID = 26,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
*Jun 23 16:01:59.811: IKEv2:(SESSION ID = 26,SA ID = 1):Auth exchange failed
*Jun 23 16:01:59.811: IKEv2-ERROR:(SESSION ID = 26,SA ID = 1):: Auth exchange failed
*Jun 23 16:01:59.811: IKEv2:(SESSION ID = 26,SA ID = 1):Abort exchange
*Jun 23 16:01:59.811: IKEv2:(SESSION ID = 26,SA ID = 1):Deleting SA

*Jun 23 16:02:31.761: IKEv2:Received Packet [From 20.20.20.20:500/To 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID

*Jun 23 16:02:31.762: IKEv2:(SESSION ID = 27,SA ID = 1):Verify SA init message
*Jun 23 16:02:31.762: IKEv2:(SESSION ID = 27,SA ID = 1):Insert SA
*Jun 23 16:02:31.762: IKEv2:Searching Policy with fvrf 0, local address 10.50.0.4
*Jun 23 16:02:31.762: IKEv2:Found Policy 'policy1'
*Jun 23 16:02:31.762: IKEv2:(SESSION ID = 27,SA ID = 1):Processing IKE_SA_INIT message
*Jun 23 16:02:31.762: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 23 16:02:31.762: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2391324281'
*Jun 23 16:02:31.762: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 23 16:02:31.762: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Jun 23 16:02:31.763: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Jun 23 16:02:31.763: IKEv2:(SESSION ID = 27,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jun 23 16:02:31.763: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 23 16:02:31.763: IKEv2:(SESSION ID = 27,SA ID = 1):Request queued for computation of DH key
*Jun 23 16:02:31.763: IKEv2:(SESSION ID = 27,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jun 23 16:02:31.764: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 23 16:02:31.764: IKEv2:(SESSION ID = 27,SA ID = 1):Request queued for computation of DH secret
*Jun 23 16:02:31.764: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jun 23 16:02:31.764: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jun 23 16:02:31.764: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jun 23 16:02:31.764: IKEv2:(SESSION ID = 27,SA ID = 1):Generating IKE_SA_INIT message
*Jun 23 16:02:31.764: IKEv2:(SESSION ID = 27,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Jun 23 16:02:31.764: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 23 16:02:31.764: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2391324281'
*Jun 23 16:02:31.764: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 23 16:02:31.764: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Jun 23 16:02:31.764: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Jun 23 16:02:31.765: IKEv2:(SESSION ID = 27,SA ID = 1):Sending Packet [To 20.20.20.20:500/From 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 37753877B46BB6D8 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Jun 23 16:02:31.765: IKEv2:(SESSION ID = 27,SA ID = 1):Completed SA init exchange
*Jun 23 16:02:31.765: IKEv2:(SESSION ID = 27,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jun 23 16:02:31.768: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000008392707169539 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 10.50.0.4, src_addr= 10.50.0.1, prot= 1
*Jun 23 16:03:01.765: IKEv2-ERROR:(SESSION ID = 27,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
*Jun 23 16:03:01.765: IKEv2:(SESSION ID = 27,SA ID = 1):Auth exchange failed
*Jun 23 16:03:01.765: IKEv2-ERROR:(SESSION ID = 27,SA ID = 1):: Auth exchange failed
*Jun 23 16:03:01.765: IKEv2:(SESSION ID = 27,SA ID = 1):Abort exchange
*Jun 23 16:03:01.765: IKEv2:(SESSION ID = 27,SA ID = 1):Deleting SA

 

@Rob Ingram

Here are some seriously more detailed ASA debugs using

Debug crypto condition peer 10.120.32.100
Debug crypto ikev2 platform 255
Debug crypto ikev2 protocol 255
Debug crypto ipsec 255

 

IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-5: (11): Setting configured policies
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_PKI_SESH_OPEN
IKEv2-PROTO-5: (11): Opening a PKI session
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-2: (11): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
IKEv2-PROTO-2: (11): Request queued for computation of DH key
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (11): Action: Action_Null
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (11): Generating IKE_SA_INIT message
IKEv2-PROTO-2: (11): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(11): AES-CBC(11): SHA256(11): SHA256(11): DH_GROUP_256_ECP/Group 19(11):
IKEv2-PROTO-2: (11): Sending Packet [To 10.120.32.100:500/From 20.20.20.20:500/VRF i0:f0]
(11): Initiator SPI : 7AB6A3FB68D4AE9B - Responder SPI : 0000000000000000 Message id: 0
(11): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (11): Next payload: SA, version: 2.0 (11): Exchange type: IKE_SA_INIT, flags: INITIATOR (11): Message id: 0, length: 382(11):
Payload contents:
(11): SA(11): Next payload: KE, reserved: 0x0, length: 48
(11): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(11): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(11): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(11): KE(11): Next payload: N, reserved: 0x0, length: 72
(11): DH group: 19, Reserved: 0x0
(11):
(11): 7f 78 a1 8c b0 fa a4 3a 0d 03 85 65 b7 ef d6 02
(11): e6 54 9a 09 2b 09 96 ef 20 49 f5 ca 6f 9d 17 fb
(11): dd 74 b6 65 cf ac e1 52 1c 0a 2f 97 d3 a8 8b d9
(11): 50 fd 29 67 56 9d a9 71 f4 7f 40 2c a2 6c f7 c2
(11): N(11): Next payload: VID, reserved: 0x0, length: 68
(11):
(11): 35 a0 ea 25 31 fb a5 b8 78 ea 65 85 85 65 f5 67
(11): c4 f4 45 46 60 cb 51 43 d6 48 48 9b 4d 2f 7b 58
(11): f1 ba 0b 58 2e ea 27 df ad 82 4b 48 b5 b5 cb 15
(11): 50 a9 ec e3 91 0e 6b 7c 9d 38 f2 7a 98 e4 12 ec
(11): VID(11): Next payload: VID, reserved: 0x0, length: 23
(11):
(11): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(11): 53 4f 4e
(11): VID(11): Next payload: NOTIFY, reserved: 0x0, length: 59
(11):
(11): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(11): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(11): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(11): 73 2c 20 49 6e 63 2e
(11): NOTIFY(NAT_DETECTION_SOURCE_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(11):
(11): 1b ae a6 7d 46 7c 82 59 1f 29 76 51 d6 b4 ec 0a
(11): 94 7f 98 e3
(11): NOTIFY(NAT_DETECTION_DESTINATION_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(11):
(11): 1a 96 26 fa e2 d1 4e c3 6c af 13 f0 0b f1 59 11
(11): 41 89 eb 9b
(11): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(11): Next payload: VID, reserved: 0x0, length: 8
(11): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(11): VID(11): Next payload: NONE, reserved: 0x0, length: 20
(11):
(11): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-2: (11): Insert SA
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (11): Retransmitting packet
(11):
IKEv2-PROTO-2: (11): Sending Packet [To 10.120.32.100:500/From 20.20.20.20:500/VRF i0:f0]
(11): Initiator SPI : 7AB6A3FB68D4AE9B - Responder SPI : 0000000000000000 Message id: 0
(11): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (11): Next payload: SA, version: 2.0 (11): Exchange type: IKE_SA_INIT, flags: INITIATOR (11): Message id: 0, length: 382(11):
Payload contents:
(11): SA(11): Next payload: KE, reserved: 0x0, length: 48
(11): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(11): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(11): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(11): KE(11): Next payload: N, reserved: 0x0, length: 72
(11): DH group: 19, Reserved: 0x0
(11):
(11): 7f 78 a1 8c b0 fa a4 3a 0d 03 85 65 b7 ef d6 02
(11): e6 54 9a 09 2b 09 96 ef 20 49 f5 ca 6f 9d 17 fb
(11): dd 74 b6 65 cf ac e1 52 1c 0a 2f 97 d3 a8 8b d9
(11): 50 fd 29 67 56 9d a9 71 f4 7f 40 2c a2 6c f7 c2
(11): N(11): Next payload: VID, reserved: 0x0, length: 68
(11):
(11): 35 a0 ea 25 31 fb a5 b8 78 ea 65 85 85 65 f5 67
(11): c4 f4 45 46 60 cb 51 43 d6 48 48 9b 4d 2f 7b 58
(11): f1 ba 0b 58 2e ea 27 df ad 82 4b 48 b5 b5 cb 15
(11): 50 a9 ec e3 91 0e 6b 7c 9d 38 f2 7a 98 e4 12 ec
(11): VID(11): Next payload: VID, reserved: 0x0, length: 23
(11):
(11): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(11): 53 4f 4e
(11): VID(11): Next payload: NOTIFY, reserved: 0x0, length: 59
(11):
(11): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(11): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(11): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(11): 73 2c 20 49 6e 63 2e
(11): NOTIFY(NAT_DETECTION_SOURCE_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(11):
(11): 1b ae a6 7d 46 7c 82 59 1f 29 76 51 d6 b4 ec 0a
(11): 94 7f 98 e3
(11): NOTIFY(NAT_DETECTION_DESTINATION_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(11):
(11): 1a 96 26 fa e2 d1 4e c3 6c af 13 f0 0b f1 59 11
(11): 41 89 eb 9b
(11): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(11): Next payload: VID, reserved: 0x0, length: 8
(11): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(11): VID(11): Next payload: NONE, reserved: 0x0, length: 20
(11):
(11): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (11): Retransmitting packet
(11):
IKEv2-PROTO-2: (11): Sending Packet [To 10.120.32.100:500/From 20.20.20.20:500/VRF i0:f0]
(11): Initiator SPI : 7AB6A3FB68D4AE9B - Responder SPI : 0000000000000000 Message id: 0
(11): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (11): Next payload: SA, version: 2.0 (11): Exchange type: IKE_SA_INIT, flags: INITIATOR (11): Message id: 0, length: 382(11):
Payload contents:
(11): SA(11): Next payload: KE, reserved: 0x0, length: 48
(11): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(11): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(11): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(11): KE(11): Next payload: N, reserved: 0x0, length: 72
(11): DH group: 19, Reserved: 0x0
(11):
(11): 7f 78 a1 8c b0 fa a4 3a 0d 03 85 65 b7 ef d6 02
(11): e6 54 9a 09 2b 09 96 ef 20 49 f5 ca 6f 9d 17 fb
(11): dd 74 b6 65 cf ac e1 52 1c 0a 2f 97 d3 a8 8b d9
(11): 50 fd 29 67 56 9d a9 71 f4 7f 40 2c a2 6c f7 c2
(11): N(11): Next payload: VID, reserved: 0x0, length: 68
(11):
(11): 35 a0 ea 25 31 fb a5 b8 78 ea 65 85 85 65 f5 67
(11): c4 f4 45 46 60 cb 51 43 d6 48 48 9b 4d 2f 7b 58
(11): f1 ba 0b 58 2e ea 27 df ad 82 4b 48 b5 b5 cb 15
(11): 50 a9 ec e3 91 0e 6b 7c 9d 38 f2 7a 98 e4 12 ec
(11): VID(11): Next payload: VID, reserved: 0x0, length: 23
(11):
(11): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(11): 53 4f 4e
(11): VID(11): Next payload: NOTIFY, reserved: 0x0, length: 59
(11):
(11): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(11): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(11): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(11): 73 2c 20 49 6e 63 2e
(11): NOTIFY(NAT_DETECTION_SOURCE_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(11):
(11): 1b ae a6 7d 46 7c 82 59 1f 29 76 51 d6 b4 ec 0a
(11): 94 7f 98 e3
(11): NOTIFY(NAT_DETECTION_DESTINATION_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(11):
(11): 1a 96 26 fa e2 d1 4e c3 6c af 13 f0 0b f1 59 11
(11): 41 89 eb 9b
(11): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(11): Next payload: VID, reserved: 0x0, length: 8
(11): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(11): VID(11): Next payload: NONE, reserved: 0x0, length: 20
(11):
(11): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (11): Retransmitting packet
(11):
IKEv2-PROTO-2: (11): Sending Packet [To 10.120.32.100:500/From 20.20.20.20:500/VRF i0:f0]
(11): Initiator SPI : 7AB6A3FB68D4AE9B - Responder SPI : 0000000000000000 Message id: 0
(11): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (11): Next payload: SA, version: 2.0 (11): Exchange type: IKE_SA_INIT, flags: INITIATOR (11): Message id: 0, length: 382(11):
Payload contents:
(11): SA(11): Next payload: KE, reserved: 0x0, length: 48
(11): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(11): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(11): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(11): KE(11): Next payload: N, reserved: 0x0, length: 72
(11): DH group: 19, Reserved: 0x0
(11):
(11): 7f 78 a1 8c b0 fa a4 3a 0d 03 85 65 b7 ef d6 02
(11): e6 54 9a 09 2b 09 96 ef 20 49 f5 ca 6f 9d 17 fb
(11): dd 74 b6 65 cf ac e1 52 1c 0a 2f 97 d3 a8 8b d9
(11): 50 fd 29 67 56 9d a9 71 f4 7f 40 2c a2 6c f7 c2
(11): N(11): Next payload: VID, reserved: 0x0, length: 68
(11):
(11): 35 a0 ea 25 31 fb a5 b8 78 ea 65 85 85 65 f5 67
(11): c4 f4 45 46 60 cb 51 43 d6 48 48 9b 4d 2f 7b 58
(11): f1 ba 0b 58 2e ea 27 df ad 82 4b 48 b5 b5 cb 15
(11): 50 a9 ec e3 91 0e 6b 7c 9d 38 f2 7a 98 e4 12 ec
(11): VID(11): Next payload: VID, reserved: 0x0, length: 23
(11):
(11): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(11): 53 4f 4e
(11): VID(11): Next payload: NOTIFY, reserved: 0x0, length: 59
(11):
(11): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(11): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(11): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(11): 73 2c 20 49 6e 63 2e
(11): NOTIFY(NAT_DETECTION_SOURCE_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(11):
(11): 1b ae a6 7d 46 7c 82 59 1f 29 76 51 d6 b4 ec 0a
(11): 94 7f 98 e3
(11): NOTIFY(NAT_DETECTION_DESTINATION_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(11):
(11): 1a 96 26 fa e2 d1 4e c3 6c af 13 f0 0b f1 59 11
(11): 41 89 eb 9b
(11): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(11): Next payload: VID, reserved: 0x0, length: 8
(11): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(11): VID(11): Next payload: NONE, reserved: 0x0, length: 20
(11):
(11): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (11): Retransmitting packet
(11):
IKEv2-PROTO-2: (11): Sending Packet [To 10.120.32.100:500/From 20.20.20.20:500/VRF i0:f0]
(11): Initiator SPI : 7AB6A3FB68D4AE9B - Responder SPI : 0000000000000000 Message id: 0
(11): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (11): Next payload: SA, version: 2.0 (11): Exchange type: IKE_SA_INIT, flags: INITIATOR (11): Message id: 0, length: 382(11):
Payload contents:
(11): SA(11): Next payload: KE, reserved: 0x0, length: 48
(11): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(11): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(11): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(11): KE(11): Next payload: N, reserved: 0x0, length: 72
(11): DH group: 19, Reserved: 0x0
(11):
(11): 7f 78 a1 8c b0 fa a4 3a 0d 03 85 65 b7 ef d6 02
(11): e6 54 9a 09 2b 09 96 ef 20 49 f5 ca 6f 9d 17 fb
(11): dd 74 b6 65 cf ac e1 52 1c 0a 2f 97 d3 a8 8b d9
(11): 50 fd 29 67 56 9d a9 71 f4 7f 40 2c a2 6c f7 c2
(11): N(11): Next payload: VID, reserved: 0x0, length: 68
(11):
(11): 35 a0 ea 25 31 fb a5 b8 78 ea 65 85 85 65 f5 67
(11): c4 f4 45 46 60 cb 51 43 d6 48 48 9b 4d 2f 7b 58
(11): f1 ba 0b 58 2e ea 27 df ad 82 4b 48 b5 b5 cb 15
(11): 50 a9 ec e3 91 0e 6b 7c 9d 38 f2 7a 98 e4 12 ec
(11): VID(11): Next payload: VID, reserved: 0x0, length: 23
(11):
(11): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(11): 53 4f 4e
(11): VID(11): Next payload: NOTIFY, reserved: 0x0, length: 59
(11):
(11): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(11): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(11): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(11): 73 2c 20 49 6e 63 2e
(11): NOTIFY(NAT_DETECTION_SOURCE_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(11):
(11): 1b ae a6 7d 46 7c 82 59 1f 29 76 51 d6 b4 ec 0a
(11): 94 7f 98 e3
(11): NOTIFY(NAT_DETECTION_DESTINATION_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(11):
(11): 1a 96 26 fa e2 d1 4e c3 6c af 13 f0 0b f1 59 11
(11): 41 89 eb 9b
(11): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(11): Next payload: VID, reserved: 0x0, length: 8
(11): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(11): VID(11): Next payload: NONE, reserved: 0x0, length: 20
(11):
(11): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (11): Retransmitting packet
(11):
IKEv2-PROTO-2: (11): Sending Packet [To 10.120.32.100:500/From 20.20.20.20:500/VRF i0:f0]
(11): Initiator SPI : 7AB6A3FB68D4AE9B - Responder SPI : 0000000000000000 Message id: 0
(11): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (11): Next payload: SA, version: 2.0 (11): Exchange type: IKE_SA_INIT, flags: INITIATOR (11): Message id: 0, length: 382(11):
Payload contents:
(11): SA(11): Next payload: KE, reserved: 0x0, length: 48
(11): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(11): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(11): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(11): KE(11): Next payload: N, reserved: 0x0, length: 72
(11): DH group: 19, Reserved: 0x0
(11):
(11): 7f 78 a1 8c b0 fa a4 3a 0d 03 85 65 b7 ef d6 02
(11): e6 54 9a 09 2b 09 96 ef 20 49 f5 ca 6f 9d 17 fb
(11): dd 74 b6 65 cf ac e1 52 1c 0a 2f 97 d3 a8 8b d9
(11): 50 fd 29 67 56 9d a9 71 f4 7f 40 2c a2 6c f7 c2
(11): N(11): Next payload: VID, reserved: 0x0, length: 68
(11):
(11): 35 a0 ea 25 31 fb a5 b8 78 ea 65 85 85 65 f5 67
(11): c4 f4 45 46 60 cb 51 43 d6 48 48 9b 4d 2f 7b 58
(11): f1 ba 0b 58 2e ea 27 df ad 82 4b 48 b5 b5 cb 15
(11): 50 a9 ec e3 91 0e 6b 7c 9d 38 f2 7a 98 e4 12 ec
(11): VID(11): Next payload: VID, reserved: 0x0, length: 23
(11):
(11): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(11): 53 4f 4e
(11): VID(11): Next payload: NOTIFY, reserved: 0x0, length: 59
(11):
(11): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(11): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(11): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(11): 73 2c 20 49 6e 63 2e
(11): NOTIFY(NAT_DETECTION_SOURCE_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(11):
(11): 1b ae a6 7d 46 7c 82 59 1f 29 76 51 d6 b4 ec 0a
(11): 94 7f 98 e3
(11): NOTIFY(NAT_DETECTION_DESTINATION_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(11):
(11): 1a 96 26 fa e2 d1 4e c3 6c af 13 f0 0b f1 59 11
(11): 41 89 eb 9b
(11): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(11): Next payload: VID, reserved: 0x0, length: 8
(11): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(11): VID(11): Next payload: NONE, reserved: 0x0, length: 20
(11):
(11): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-2: (11): Retransmitting packet
(11):
IKEv2-PROTO-2: (11): Sending Packet [To 10.120.32.100:500/From 20.20.20.20:500/VRF i0:f0]
(11): Initiator SPI : 7AB6A3FB68D4AE9B - Responder SPI : 0000000000000000 Message id: 0
(11): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (11): Next payload: SA, version: 2.0 (11): Exchange type: IKE_SA_INIT, flags: INITIATOR (11): Message id: 0, length: 382(11):
Payload contents:
(11): SA(11): Next payload: KE, reserved: 0x0, length: 48
(11): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(11): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(11): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(11): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(11): KE(11): Next payload: N, reserved: 0x0, length: 72
(11): DH group: 19, Reserved: 0x0
(11):
(11): 7f 78 a1 8c b0 fa a4 3a 0d 03 85 65 b7 ef d6 02
(11): e6 54 9a 09 2b 09 96 ef 20 49 f5 ca 6f 9d 17 fb
(11): dd 74 b6 65 cf ac e1 52 1c 0a 2f 97 d3 a8 8b d9
(11): 50 fd 29 67 56 9d a9 71 f4 7f 40 2c a2 6c f7 c2
(11): N(11): Next payload: VID, reserved: 0x0, length: 68
(11):
(11): 35 a0 ea 25 31 fb a5 b8 78 ea 65 85 85 65 f5 67
(11): c4 f4 45 46 60 cb 51 43 d6 48 48 9b 4d 2f 7b 58
(11): f1 ba 0b 58 2e ea 27 df ad 82 4b 48 b5 b5 cb 15
(11): 50 a9 ec e3 91 0e 6b 7c 9d 38 f2 7a 98 e4 12 ec
(11): VID(11): Next payload: VID, reserved: 0x0, length: 23
(11):
(11): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(11): 53 4f 4e
(11): VID(11): Next payload: NOTIFY, reserved: 0x0, length: 59
(11):
(11): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(11): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(11): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(11): 73 2c 20 49 6e 63 2e
(11): NOTIFY(NAT_DETECTION_SOURCE_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(11):
(11): 1b ae a6 7d 46 7c 82 59 1f 29 76 51 d6 b4 ec 0a
(11): 94 7f 98 e3
(11): NOTIFY(NAT_DETECTION_DESTINATION_IP)(11): Next payload: NOTIFY, reserved: 0x0, length: 28
(11): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(11):
(11): 1a 96 26 fa e2 d1 4e c3 6c af 13 f0 0b f1 59 11
(11): 41 89 eb 9b
(11): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(11): Next payload: VID, reserved: 0x0, length: 8
(11): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(11): VID(11): Next payload: NONE, reserved: 0x0, length: 20
(11):
(11): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-1: (11): Maximum number of retransmissions reached
IKEv2-PROTO-1: (11):
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-2: (11): Failed SA init exchange
IKEv2-PROTO-1: (11): Initial exchange failed
IKEv2-PROTO-1: (11): Initial exchange failed
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (11): SM Trace-> SA: I_SPI=7AB6A3FB68D4AE9B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (11): Abort exchange
IKEv2-PROTO-2: (11): Deleting SA
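
A triage sketch for the two debug excerpts above, added here as an example and not posted by anyone in the thread: it groups IOS-XE and ASA IKEv2 debug lines by initiator SPI, counts retransmissions, names the stage at which each attempt stopped, and compares the addresses each side reports. The sample lines are abridged from the logs in this thread; the function names and the result codes `INIT_UNANSWERED` and `AUTH_NOT_RECEIVED` are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines abridged from the CSR and ASA debugs in this thread.
CSR_LOG = """\
*Jun 23 16:02:31.765: IKEv2:(SESSION ID = 27,SA ID = 1):Sending Packet [To 20.20.20.20:500/From 10.50.0.4:500/VRF i0:f0]
Initiator SPI : D109DEC34D4410F2 - Responder SPI : 37753877B46BB6D8 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
*Jun 23 16:03:01.765: IKEv2-ERROR:(SESSION ID = 27,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
"""
ASA_LOG = """\
IKEv2-PROTO-2: (11): Sending Packet [To 10.120.32.100:500/From 20.20.20.20:500/VRF i0:f0]
(11): Initiator SPI : 7AB6A3FB68D4AE9B - Responder SPI : 0000000000000000 Message id: 0
(11): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (11): Next payload: SA, version: 2.0
IKEv2-PROTO-2: (11): Retransmitting packet
IKEv2-PROTO-2: (11): Sending Packet [To 10.120.32.100:500/From 20.20.20.20:500/VRF i0:f0]
(11): Initiator SPI : 7AB6A3FB68D4AE9B - Responder SPI : 0000000000000000 Message id: 0
(11): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (11): Next payload: SA, version: 2.0
IKEv2-PROTO-1: (11): Maximum number of retransmissions reached
"""

SEND = re.compile(r"Sending Packet \[To ([\d.]+):\d+/From ([\d.]+):\d+/")
SPI = re.compile(r"Initiator SPI : ([0-9A-F]{16}) - Responder SPI : ([0-9A-F]{16})")
EXCH = re.compile(r"IKEv2 (\w+) Exchange (REQUEST|RESPONSE)")
# Log text -> result code (codes are names chosen for this example).
FAILURES = {
    "Maximum number of retransmissions reached": "INIT_UNANSWERED",
    "Failed to receive the AUTH msg": "AUTH_NOT_RECEIVED",
}

@dataclass
class Attempt:
    i_spi: str
    r_spi: str
    local: str
    remote: str
    exchange: str = ""
    direction: str = ""
    sends: int = 0
    retransmits: int = 0
    failure: str = ""

def summarize(log):
    """Group debug lines into one Attempt per initiator SPI."""
    attempts, pending, cur = {}, None, None
    for line in log.splitlines():
        if m := SEND.search(line):
            pending = (m.group(2), m.group(1))      # (local, remote)
        elif (m := SPI.search(line)) and pending:
            cur = attempts.setdefault(m.group(1), Attempt(m.group(1), m.group(2), *pending))
            cur.r_spi, pending = m.group(2), None
            cur.sends += 1
        elif cur is None:
            continue                                 # nothing to attach this line to yet
        elif m := EXCH.search(line):
            cur.exchange, cur.direction = m.groups()
        elif "Retransmitting packet" in line:
            cur.retransmits += 1
        else:
            for text, code in FAILURES.items():
                if text in line:
                    cur.failure = code
    return attempts

def cross_check(initiator, responder):
    """Compare what each side's log says about SPIs and addresses."""
    findings = []
    if initiator.i_spi != responder.i_spi:
        findings.append("excerpts show different attempts (initiator SPIs differ)")
    if initiator.remote != responder.local:
        findings.append(f"initiator sends to {initiator.remote} but responder replies from "
                        f"{responder.local}: address translation on the path, or a wrong peer address")
    if responder.remote != initiator.local:
        findings.append(f"responder replies to {responder.remote}, not the initiator's {initiator.local}")
    return findings

if __name__ == "__main__":
    asa = next(iter(summarize(ASA_LOG).values()))
    csr = next(iter(summarize(CSR_LOG).values()))
    for name, a in (("ASA", asa), ("CSR", csr)):
        print(name, a.exchange, a.direction, f"{a.local}->{a.remote}", a.retransmits, a.failure)
    print("\n".join(cross_check(asa, csr)))
```
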

@tomocita 

So does the ASA match on the Azure IP address 10.120.32.100 or the IP address configured on the CSR?

Provide the ASA configuration.

@Rob Ingram

The ASA crypto map matches address on an IPSEC ACL. Its peer is the CSR's address.

Everything was working perfectly fine before the IP change on the ASA outside interface.