ASA IPsec VPN (ikev2) debug commands

Hi,


I am facing an issue with an ASA VPN tunnel (IKEv2) which is not coming up. "show crypto ikev2 sa" is not showing any output.


Please share the VPN "debug commands" which can be used for troubleshooting, without impacting the ASA's processing utilization much, as the ASA is in production.

3 Replies

Hi,


What do you see in the output from sh crypto isakmp sa?

For debugging you can use:

debug crypto ikev2 platform 255

debug crypto ikev2 protocol 255


Regards,

Thanks for the debugging commands. Below are the VPN logs I am getting while trying to initiate VPN traffic:


IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: attempting to find tunnel group for IP: 62.193.73.40
IKEv2-PLAT-2: mapped to tunnel group 62.193.73.40 using peer IP
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: my_auth_method = 2
IKEv2-PLAT-2: supported_peers_auth_method = 2
IKEv2-PLAT-2: P1 ID = 0
IKEv2-PLAT-2: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x57451BD6, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 3 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x6FEDE4D2, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 2 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x8E78B423, error FALSE
IKEv2-PLAT-2:
IKEv2 received a requested SPI from CTM and waiting for 1 more SPIs
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0xEF4948F4, error FALSE
IKEv2-PLAT-2:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: tp_name set to:
IKEv2-PLAT-2: tg_name set to: 62.193.73.40
IKEv2-PLAT-2: tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PLAT-3: (110): SENT PKT [IKE_SA_INIT] [41.65.204.228]:500->[62.193.73.40]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0x0000000000000000 MID=00000000


IKEv2 Recv RAW packet dump
78 4a 9a 93 30 d6 e2 f6 00 00 00 00 00 00 00 00 | xJ..0...........
29 20 22 20 00 00 00 00 00 00 00 26 00 00 00 0a | ) " .......&....
01 00 00 11 00 02 | ......
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [62.193.73.40]:500->[41.65.204.228]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PLAT-3: (110): SENT PKT [IKE_SA_INIT] [41.65.204.228]:500->[62.193.73.40]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0x0000000000000000 MID=00000000


IKEv2 Recv RAW packet dump
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [62.193.73.40]:500->[41.65.204.228]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0xe0729c1c98ebd8a6 MID=00000000
IKEv2-PLAT-2: Process custom VID payloads
IKEv2-PLAT-2: Cisco Copyright VID received from peer
IKEv2-PLAT-2: (110): my auth method set to: 2
IKEv2-PLAT-2: Build config mode reply: no request stored
IKEv2-PLAT-2: (110): Encrypt success status returned via ipc 1
IKEv2-PLAT-3: (110): SENT PKT [IKE_AUTH] [41.65.204.228]:500->[62.193.73.40]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0xe0729c1c98ebd8a6 MID=00000001


IKEv2 Recv RAW packet dump
IKEv2-PLAT-3: RECV PKT [IKE_AUTH] [62.193.73.40]:500->[41.65.204.228]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0xe0729c1c98ebd8a6 MID=00000001
IKEv2-PLAT-2: (110): Decrypt success status returned via ipc 1
IKEv2-PLAT-2: (110): peer auth method set to: 2
IKEv2-PLAT-2: (110): Site to Site connection detected
IKEv2-PLAT-2: connection initiated with tunnel group 62.193.73.40
IKEv2-PLAT-2: my_auth_method = 2
IKEv2-PLAT-2: supported_peers_auth_method = 2
IKEv2-PLAT-2: (110): P1 ID = 0
IKEv2-PLAT-2: (110): Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-2: (110): Completed authentication for connection
IKEv2-PLAT-5: New ikev2 sa request activated
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PLAT-2:
CONNECTION STATUS: UP... peer: 62.193.73.40:500, phase1_id: 62.193.73.40
IKEv2-PLAT-2: (110): connection auth hdl set to 600
IKEv2-PLAT-2: (110): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PLAT-2: (110): idle timeout set to: 30
IKEv2-PLAT-2: (110): session timeout set to: 0
IKEv2-PLAT-2: (110): group policy set to 62.193.73.40
IKEv2-PLAT-2: (110): class attr set
IKEv2-PLAT-2: (110): tunnel protocol set to: 0x40
IKEv2-PLAT-2: (110): IPv4 filter ID not configured for connection
IKEv2-PLAT-2: (110): group lock set to: none
IKEv2-PLAT-2: (110): IPv6 filter ID not configured for connection
IKEv2-PLAT-2: (110): connection attribues set valid to TRUE
IKEv2-PLAT-2: (110): Successfully retrieved conn attrs
IKEv2-PLAT-2: (110): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-2: (110): connection auth hdl set to -1
IKEv2-PLAT-2:
CONNECTION STATUS: REGISTERED... peer: 62.193.73.40:500, phase1_id: 62.193.73.40
IKEv2-PLAT-2: mib_index set to: 501
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x57451BD6 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x6FEDE4D2 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x8E78B423 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xEF4948F4 error FALSE
IKEv2-PLAT-2: (110): Encrypt success status returned via ipc 1
IKEv2-PLAT-3: (110): SENT PKT [INFORMATIONAL] [41.65.204.228]:500->[62.193.73.40]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0xe0729c1c98ebd8a6 MID=00000002


IKEv2 Recv RAW packet dump
IKEv2-PLAT-3: RECV PKT [INFORMATIONAL] [62.193.73.40]:500->[41.65.204.228]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0xe0729c1c98ebd8a6 MID=00000002
IKEv2-PLAT-2: (110): Decrypt success status returned via ipc 1
IKEv2-PLAT-2:
CONNECTION STATUS: DOWN... peer: 62.193.73.40:500, phase1_id: 62.193.73.40
IKEv2-PLAT-2: (110): IKEv2 session deregistered from session manager. Reason: 8
IKEv2-PLAT-2: (110): session manager killed ikev2 tunnel. Reason: Internal Error
IKEv2-PLAT-2: (110): PSH cleanup
IKEv2-PLAT-5: Active ike sa request deleted
IKEv2-PLAT-5: Decrement count for outgoing active
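An added example (not from this thread or from Cisco) that reduces level-255 IKEv2-PLAT debug output like the log above to the few facts that decide the next troubleshooting step: which exchanges were seen, whether the IKE_SA reached UP/REGISTERED, whether the child SPIs requested from CTM were all deleted again, and the teardown reason. The regexes and the condensed sample log are assumptions built from the lines posted above.

```python
import re

# Constructed sample in the IKEv2-PLAT debug format of the post above (hex dumps dropped).
SAMPLE_LOG = """\
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x57451BD6, error FALSE
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x6FEDE4D2, error FALSE
IKEv2-PLAT-3: (110): SENT PKT [IKE_SA_INIT] [41.65.204.228]:500->[62.193.73.40]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [62.193.73.40]:500->[41.65.204.228]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0xe0729c1c98ebd8a6 MID=00000000
IKEv2-PLAT-3: (110): SENT PKT [IKE_AUTH] [41.65.204.228]:500->[62.193.73.40]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0xe0729c1c98ebd8a6 MID=00000001
IKEv2-PLAT-3: RECV PKT [IKE_AUTH] [62.193.73.40]:500->[41.65.204.228]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0xe0729c1c98ebd8a6 MID=00000001
CONNECTION STATUS: UP... peer: 62.193.73.40:500, phase1_id: 62.193.73.40
CONNECTION STATUS: REGISTERED... peer: 62.193.73.40:500, phase1_id: 62.193.73.40
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x57451BD6 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x6FEDE4D2 error FALSE
IKEv2-PLAT-3: (110): SENT PKT [INFORMATIONAL] [41.65.204.228]:500->[62.193.73.40]:500 InitSPI=0x784a9a9330d6e2f6 RespSPI=0xe0729c1c98ebd8a6 MID=00000002
CONNECTION STATUS: DOWN... peer: 62.193.73.40:500, phase1_id: 62.193.73.40
IKEv2-PLAT-2: (110): session manager killed ikev2 tunnel. Reason: Internal Error
"""
PKT_RE = re.compile(r"(SENT|RECV) PKT \[(\w+)\]")
STATUS_RE = re.compile(r"CONNECTION STATUS: (\w+)\.\.\. peer: ([\d.]+):")
SPI_RE = re.compile(r"PFKEY (SPI callback|delete SA) for SPI (0x[0-9A-Fa-f]+)")
REASON_RE = re.compile(r"killed ikev2 tunnel\. Reason: (.+)$")

def analyse(log: str) -> dict:
    """Reduce IKEv2-PLAT debug output to the facts that decide the next step."""
    exchanges, statuses, allocated, deleted, reason = [], [], set(), set(), None
    for line in log.splitlines():
        if m := PKT_RE.search(line):
            exchanges.append(f"{m[1]} {m[2]}")      # e.g. "RECV IKE_AUTH"
        elif m := STATUS_RE.search(line):
            statuses.append(m[1])                   # UP / REGISTERED / DOWN
        elif m := SPI_RE.search(line):
            (allocated if m[1] == "SPI callback" else deleted).add(m[2])
        elif m := REASON_RE.search(line):
            reason = m[1].strip()
    return {
        "exchanges": exchanges,
        "phase1_complete": "RECV IKE_AUTH" in exchanges and "REGISTERED" in statuses,
        "final_status": statuses[-1] if statuses else None,
        "child_spis_released": bool(allocated) and allocated <= deleted,  # no child SA survived
        "teardown_reason": reason,
    }

def verdict(summary: dict) -> str:
    if not summary["phase1_complete"]:
        return "IKE_SA never completed: check IKEv2 policy, peer reachability and tunnel-group"
    if summary["final_status"] == "DOWN":
        return (f"IKE_SA completed, then torn down ({summary['teardown_reason']}): "
                "check phase 2 (IPsec proposal, crypto map ACL) and NAT exemption")
    return "tunnel up"
```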

Hi,


You have phase 1 complete:


CONNECTION STATUS: UP... peer: 62.193.73.40:500, phase1_id: 62.193.73.40

...

CONNECTION STATUS: REGISTERED... peer: 62.193.73.40:500, phase1_id: 62.193.73.40


Can you check the phase 2 and no-NAT configuration?


Regards,