ASA ikev2 simultaneous tunnel setup not working

kerstin-534
Level 1

Hi to all.

We have observed, after migrating our ASA full-mesh VPN from IKEv1 to IKEv2, that simultaneous tunnel setup does not work. Simultaneous tunnel setup occurs in situations when users set up a voice call between branch offices and the call server is in the hub. The IP phones send UDP payloads directly to each other. The ASAs at branch 1 and branch 2 both initiate a VPN tunnel via IKEv2.

Topology:
                 Voice Payload
Branch 1 <--------------------------> Branch 2
   |                                     |
   |                                     |
   |                                     |
   |-----------------HUB-----------------|
             (with Callserver)

If unidirectional traffic from branch 1 or branch 2 initiates the VPN tunnel setup, it works (for example ICMP echo).

This can be observed in the 9.1.x and 9.2.x trains and can easily be reproduced. Other release trains were not tested. Has anybody observed the same or does anybody know the resolution? The Bug Toolkit is full of IKEv2 problems, but I have not found a matching one.

Here is some debug/logging output:

2015-10-13T08:41:53+02:00 asa5505test : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.8:500 from 10.10.0.7:500
2015-10-13T08:41:52+02:00 asa5505test2 : %ASA-5-750006: Local:10.10.0.7:500 Remote:10.10.0.8:500 Username:10.10.0.8 IKEv2 SA UP. Reason: New Connection Established
2015-10-13T08:41:53+02:00 asa5505test : %ASA-5-750006: Local:10.10.0.8:500 Remote:10.10.0.7:500 Username:10.10.0.7 IKEv2 SA UP. Reason: New Connection Established
2015-10-13T08:41:53+02:00 asa5505test : %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xEB4E24CF) between 10.10.0.8 and 10.10.0.7 (user= 10.10.0.7) has been created.
2015-10-13T08:41:53+02:00 asa5505test : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.8:500 from 10.10.0.7:500
2015-10-13T08:41:52+02:00 asa5505test2 : %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x090AF34D) between 10.10.0.7 and 10.10.0.8 (user= 10.10.0.8) has been created.
2015-10-13T08:41:52+02:00 asa5505test2 : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.7:500 from 10.10.0.8:500
2015-10-13T08:41:52+02:00 asa5505test2 : %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC277B718) between 10.10.0.7 and 10.10.0.8 (user= 10.10.0.8) has been deleted.
2015-10-13T08:41:52+02:00 asa5505test2 : %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x090AF34D) between 10.10.0.8 and 10.10.0.7 (user= 10.10.0.8) has been deleted.
2015-10-13T08:41:53+02:00 asa5505test : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.8:500 from 10.10.0.7:500
2015-10-13T08:41:52+02:00 asa5505test2 : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.7:500 from 10.10.0.8:500
2015-10-13T08:41:53+02:00 asa5505test : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.8:500 from 10.10.0.7:500
2015-10-13T08:41:53+02:00 asa5505test2 : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.7:500 from 10.10.0.8:500
2015-10-13T08:41:53+02:00 asa5505test2 : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.7:500 from 10.10.0.8:500
2015-10-13T08:41:53+02:00 asa5505test : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.8:500 from 10.10.0.7:500
2015-10-13T08:41:53+02:00 asa5505test : %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xB4BFBC3C) between 10.10.0.8 and 10.10.0.7 (user= 10.10.0.7) has been created.
2015-10-13T08:41:53+02:00 asa5505test2 : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.7:500 from 10.10.0.8:500
2015-10-13T08:41:53+02:00 asa5505test2 : %ASA-5-750007: Local:10.10.0.7:500 Remote:10.10.0.8:500 Username:10.10.0.8 IKEv2 SA DOWN. Reason: no more IPSec SAs
2015-10-13T08:41:53+02:00 asa5505test2 : %ASA-4-113019: Group = 10.10.0.8, Username = 10.10.0.8, IP = 10.10.0.8, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: IKE Delete
2015-10-13T08:41:53+02:00 asa5505test : %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xEB4E24CF) between 10.10.0.8 and 10.10.0.7 (user= 10.10.0.7) has been deleted.
2015-10-13T08:41:53+02:00 asa5505test : %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xB4BFBC3C) between 10.10.0.7 and 10.10.0.8 (user= 10.10.0.7) has been deleted.
2015-10-13T08:41:53+02:00 asa5505test : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.8:500 from 10.10.0.7:500
2015-10-13T08:41:53+02:00 asa5505test2 : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.7:500 from 10.10.0.8:500
2015-10-13T08:41:53+02:00 asa5505test : %ASA-5-750007: Local:10.10.0.8:500 Remote:10.10.0.7:500 Username:10.10.0.7 IKEv2 SA DOWN. Reason: no more IPSec SAs
2015-10-13T08:41:53+02:00 asa5505test2 : %ASA-5-750007: Local:10.10.0.7:500 Remote:10.10.0.8:500 Username:10.10.0.8 IKEv2 SA DOWN. Reason: local failure
2015-10-13T08:41:53+02:00 asa5505test : %ASA-7-713906: IKE Receiver: Packet received on 10.10.0.8:500 from 10.10.0.7:500
2015-10-13T08:41:53+02:00 asa5505test : %ASA-5-750007: Local:10.10.0.8:500 Remote:10.10.0.7:500 Username:10.10.0.7 IKEv2 SA DOWN. Reason: local failure
2015-10-13T08:41:53+02:00 asa5505test : %ASA-4-113019: Group = 10.10.0.7, Username = 10.10.0.7, IP = 10.10.0.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Internal Error


br fritz
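The log excerpt above shows both ASAs bringing an IKEv2 SA up towards each other within the same second, then each tearing it down again ("no more IPSec SAs", "local failure") with zero-duration LAN-to-LAN sessions. As an added example that is not part of the original post, the following Python script parses those %ASA syslog lines and flags exactly that pattern, so the collision can be alerted on from a syslog collector rather than found by eye. The message IDs (750006, 750007, 113019) and the field layout are those visible in the post; the 5-second correlation window, the two control lines for a made-up peer 10.10.0.9, and the detection heuristic itself are assumptions of this example.

```python
"""Detect the IKEv2 simultaneous-initiation collision pattern in ASA syslog.

Added example, not code from the original post or from Cisco. It relies only
on the message IDs and fields seen in the post's excerpt (750006 SA UP,
750007 SA DOWN, 113019 session disconnected); the correlation window and the
control lines are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample. The first eight lines are copied from the post's log
# excerpt; the last two are invented as a control (one-sided initiation
# towards 10.10.0.9 that stays up) and must NOT be reported.
SAMPLE_LOG = """\
2015-10-13T08:41:52+02:00 asa5505test2 : %ASA-5-750006: Local:10.10.0.7:500 Remote:10.10.0.8:500 Username:10.10.0.8 IKEv2 SA UP. Reason: New Connection Established
2015-10-13T08:41:53+02:00 asa5505test : %ASA-5-750006: Local:10.10.0.8:500 Remote:10.10.0.7:500 Username:10.10.0.7 IKEv2 SA UP. Reason: New Connection Established
2015-10-13T08:41:53+02:00 asa5505test2 : %ASA-5-750007: Local:10.10.0.7:500 Remote:10.10.0.8:500 Username:10.10.0.8 IKEv2 SA DOWN. Reason: no more IPSec SAs
2015-10-13T08:41:53+02:00 asa5505test2 : %ASA-4-113019: Group = 10.10.0.8, Username = 10.10.0.8, IP = 10.10.0.8, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: IKE Delete
2015-10-13T08:41:53+02:00 asa5505test : %ASA-5-750007: Local:10.10.0.8:500 Remote:10.10.0.7:500 Username:10.10.0.7 IKEv2 SA DOWN. Reason: no more IPSec SAs
2015-10-13T08:41:53+02:00 asa5505test2 : %ASA-5-750007: Local:10.10.0.7:500 Remote:10.10.0.8:500 Username:10.10.0.8 IKEv2 SA DOWN. Reason: local failure
2015-10-13T08:41:53+02:00 asa5505test : %ASA-5-750007: Local:10.10.0.8:500 Remote:10.10.0.7:500 Username:10.10.0.7 IKEv2 SA DOWN. Reason: local failure
2015-10-13T08:41:53+02:00 asa5505test : %ASA-4-113019: Group = 10.10.0.7, Username = 10.10.0.7, IP = 10.10.0.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Internal Error
2015-10-13T08:45:00+02:00 asa5505test : %ASA-5-750006: Local:10.10.0.8:500 Remote:10.10.0.9:500 Username:10.10.0.9 IKEv2 SA UP. Reason: New Connection Established
2015-10-13T08:45:00+02:00 asa5505test : %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x11111111) between 10.10.0.8 and 10.10.0.9 (user= 10.10.0.9) has been created.
"""

# "<ISO timestamp> <hostname> : %ASA-<sev>-<id>: <body>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) : %ASA-\d-(?P<id>\d+): (?P<body>.*)$")
# Local/Remote/state/reason fields of the 750006 / 750007 IKEv2 SA messages
SA_RE = re.compile(
    r"Local:(?P<local>[\d.]+):\d+ Remote:(?P<remote>[\d.]+):\d+ .*?"
    r"IKEv2 SA (?P<state>UP|DOWN)\. Reason: (?P<reason>.*)$")


def parse_line(line):
    """Return a dict for one %ASA syslog line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])  # keeps the +02:00 offset
    sa = SA_RE.search(ev["body"])
    if sa:
        ev.update(sa.groupdict())
    return ev


def parse_log(text):
    """Parse every recognisable line of a syslog excerpt."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def find_simultaneous_collisions(text, window=timedelta(seconds=5)):
    """Report peer pairs where two different ASAs each brought an IKEv2 SA up
    towards the other within `window`, and both then reported it DOWN again
    inside the same window. One-sided initiations are ignored."""
    events = parse_log(text)
    ups = [e for e in events if e["id"] == "750006" and "local" in e]
    downs = [e for e in events if e["id"] == "750007" and "local" in e]
    findings = []
    for i, a in enumerate(ups):
        for b in ups[i + 1:]:
            # Mirrored addresses: A's local is B's remote and vice versa.
            mirrored = (a["local"], a["remote"]) == (b["remote"], b["local"])
            if not mirrored or a["host"] == b["host"]:
                continue
            start = min(a["ts"], b["ts"])
            if max(a["ts"], b["ts"]) - start > window:
                continue
            pair = {a["local"], a["remote"]}
            reporters = {a["host"], b["host"]}
            torn = [d for d in downs
                    if {d["local"], d["remote"]} == pair
                    and timedelta(0) <= d["ts"] - start <= window]
            # Both sides must have torn the SA down, otherwise it is not a collision.
            if not reporters <= {d["host"] for d in torn}:
                continue
            zero_len = [e for e in events
                        if e["id"] == "113019" and e["host"] in reporters
                        and "Duration: 0h:00m:00s" in e["body"]
                        and timedelta(0) <= e["ts"] - start <= window]
            findings.append({
                "peers": tuple(sorted(pair)),
                "reporters": tuple(sorted(reporters)),
                "down_reasons": sorted({d["reason"] for d in torn}),
                "zero_duration_sessions": len(zero_len),
            })
    return findings


if __name__ == "__main__":
    for finding in find_simultaneous_collisions(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports one collision for the 10.10.0.7/10.10.0.8 pair with two zero-duration sessions, and nothing for the one-sided control. Correlating on mirrored Local/Remote pairs from two reporting hosts is what separates a genuine simultaneous initiation from an ordinary rekey or a single peer bouncing; feed it lines from both ASAs, not just one.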