11-03-2020 09:53 AM - edited 11-03-2020 12:07 PM
Cisco experts,
I have been dealing with this for over 2 months at this point, and I cannot find an answer that seems to check out. I am at a loss; support seems a little slow to respond, and I really need to resolve this. So I'll start with my configs:
crypto ikev2 policy 5
 encryption aes-192
 integrity sha
 group 5
 prf sha512 sha384 sha256 sha md5
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes256
 integrity sha256
 group 5
 prf sha512 sha384 sha256 sha md5
 lifetime seconds 172800
!
crypto ipsec ikev2 ipsec-proposal FORTIGATE_IKEV2
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto ipsec profile FORTIGATE_PROFILE
 set ikev2 ipsec-proposal FORTIGATE_IKEV2
 set pfs group5
 set security-association lifetime kilobytes unlimited
 set security-association lifetime seconds 43200
 responder-only
!
group-policy GROUP_POLICY internal
group-policy GROUP_POLICY attributes
 vpn-tunnel-protocol ikev2 l2tp-ipsec
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GROUP_POLICY
!
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key ****
 ikev2 local-authentication pre-shared-key ****
!
!
interface Tunnel98
 nameif MBS_MFC
 ip address y.y.y.y 255.255.255.252
 tunnel source interface Outside
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FORTIGATE_PROFILE
FortiGate Config:
config vpn ipsec phase1-interface
    edit "ASA_P1"
        set interface "wan2"
        set ike-version 2
        set keylife 172800
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set npu-offload disable
        set dhgrp 5
        set remote-gw x.x.x.x
        set psksecret ***
    next
end
config vpn ipsec phase2-interface
    edit "ASA_P2"
        set phase1name "ASA_P1"
        set proposal aes128-sha1
        set dhgrp 5
        set keepalive enable
    next
end
# Tunnel interface
config system interface
    edit "ASA-P1"
        set vdom "root"
        set ip y.y.y.y 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip asa.tunnle.ip.address 255.255.255.252
        set snmp-index 13
        set interface "wan2"
    next
end
What we're seeing is the tunnel dropping at rekeys. It's the strangest thing I have seen.
FORTIGATE001 # ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8.... ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000016 len=80 ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E20250000000016000000500000003404355E4C31AA886C0CAD542636D45B84BAEBFB4CFCD3F3599D63A6DE06DBD418383EE507F5C05CE32837E745E68A57FE ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000160000002000000004 ike 0:ASA_P1:41338: received informational request ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001600000050000000348EB00CC3E580B4BC42D10FBBB5999D4D2F7A434A9CDB52084E51557084F16C69A85CE95A3D96A9BCE7CD5A029A9FFFB9 ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000016 ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8.... ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000017 len=80 ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000170000005000000034BAEBFB4CFCD3F3599D63A6DE06DBD418E771425B760E6F1981E05931B07A9BEB7133DBAB950B135C8E1A575423E98C6A ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000170000002000000004 ike 0:ASA_P1:41338: received informational request ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E20252800000017000000500000003492D6E203CEAB31A95AEE559076A27897DC0654F8817A5C58FC7DAB269F4D85C46E7E9BDD1F53C2670269A71BFBDB7D37 ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000017 ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8.... 
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000018 len=80 ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000180000005000000034E771425B760E6F1981E05931B07A9BEB9C92DA49CD8AFA182531B6BD509EE618C8B1184EB178D59A2A22FD31D07E5287 ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000180000002000000004 ike 0:ASA_P1:41338: received informational request ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E20252800000018000000500000003495F01C020136C9949FA77A318D6377A831AA63B90BE2617FF7D8F629EFEC42B1387C2BD380824200AB2233D4568AC702 ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000018 ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8.... ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000019 len=80 ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001900000050000000349C92DA49CD8AFA182531B6BD509EE61865E8E4AE49E584D1C4C5E05BC6A16B7A94E453D55170CA4D989D3C9B7BF362AA ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000190000002000000004 ike 0:ASA_P1:41338: received informational request ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E202528000000190000005000000034C8F312666A97F415530CE9577AD6802E59AC2A3D8698174074CEDA063817DFA8F1F63A255FA694FD1D66FAB01D296EB5 ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000019 ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8.... 
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001a len=80 ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001A000000500000003465E8E4AE49E584D1C4C5E05BC6A16B7A3501C7FBABF3D414023F057ACED30CEEEA59861D924021F04D06E5E9EB00CA8F ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001A0000002000000004 ike 0:ASA_P1:41338: received informational request ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001A00000050000000345C08B08E4727C02A9B3D907518F69CBA420AD711B12EAD1F69F38830965DF3587A490F93399AB5EDE3E252B207728C9E ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001a FORTIGATE001 # get vpn ike gateway vd: root/0 name: ASA_P1 version: 2 interface: wan2 8 addr: fortigate.ip:500 -> ASA.ip:500 created: 43176s ago IKE SA created: 1/2 established: 1/2 time: 50/85/120 ms IPsec SA created: 1/3 established: 1/3 time: 50/73/120 ms id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9 direction: initiator status: established 276-276s ago = 50ms proposal: aes-256-sha256 SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69 SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8 lifetime/rekey: 43200/42623 DPD sent/recv: 00000000/00000000 FORTIGATE001 # ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8.... 
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001b len=80 ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001B00000050000000343501C7FBABF3D414023F057ACED30CEE7E0D0D116E0CC252823048833136F2D4F4D25CDAD2BABA98F82A67885385C703 ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001B0000002000000004 ike 0:ASA_P1:41338: received informational request ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001B0000005000000034995146642FF274688E7E191835C2FC54FE08040C809DFB8223D31A8954688BA20C6474A2CC817E11D819E99867B4276A ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001b get vpn ike gateway vd: root/0 name: ASA_P1 version: 2 interface: wan2 8 addr: fortigate.ip:500 -> ASA.ip:500 created: 43185s ago IKE SA created: 1/2 established: 1/2 time: 50/85/120 ms IPsec SA created: 1/3 established: 1/3 time: 50/73/120 ms id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9 direction: initiator status: established 285-284s ago = 50ms proposal: aes-256-sha256 SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69 SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8 lifetime/rekey: 43200/42615 DPD sent/recv: 00000000/00000000 FORTIGATE001 # get vpn ike gateway vd: root/0 name: ASA_P1 version: 2 interface: wan2 8 addr: fortigate.ip:500 -> ASA.ip:500 created: 43188s ago IKE SA created: 1/2 established: 1/2 time: 50/85/120 ms IPsec SA created: 1/3 established: 1/3 time: 50/73/120 ms id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9 direction: initiator status: established 288-288s ago = 50ms proposal: aes-256-sha256 SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69 SK_er: 
1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8 lifetime/rekey: 43200/42611 DPD sent/recv: 00000000/00000000 FORTIGATE001 # get vpn ike gateway vd: root/0 name: ASA_P1 version: 2 interface: wan2 8 addr: fortigate.ip:500 -> ASA.ip:500 created: 43190s ago IKE SA created: 1/2 established: 1/2 time: 50/85/120 ms IPsec SA created: 1/3 established: 1/3 time: 50/73/120 ms id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9 direction: initiator status: established 290-290s ago = 50ms proposal: aes-256-sha256 SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69 SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8 lifetime/rekey: 43200/42609 DPD sent/recv: 00000000/00000000 FORTIGATE001 # ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8.... 
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001c len=80 ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001C00000050000000347E0D0D116E0CC252823048833136F2D49A4B0F4B80C88C85F4B3E091C27E01B2481028A483BA4F7636EE68C54C73F89D ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001C0000002000000004 ike 0:ASA_P1:41338: received informational request ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001C000000500000003441EC9F6F62368C823D98D5508BA6C4AA91997C7EE3E2B9E92EF966A54709C51E7C0DE622BD64062FA71FE9C089B9902F ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001c get vpn ike gateway vd: root/0 name: ASA_P1 version: 2 interface: wan2 8 addr: fortigate.ip:500 -> ASA.ip:500 created: 43194s ago IKE SA created: 1/2 established: 1/2 time: 50/85/120 ms IPsec SA created: 1/3 established: 1/3 time: 50/73/120 ms id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9 direction: initiator status: established 294-294s ago = 50ms proposal: aes-256-sha256 SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69 SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8 lifetime/rekey: 43200/42605 DPD sent/recv: 00000000/00000000 FORTIGATE001 # get vpn ike gateway vd: root/0 name: ASA_P1 version: 2 interface: wan2 8 addr: fortigate.ip:500 -> ASA.ip:500 created: 43197s ago IKE SA created: 1/2 established: 1/2 time: 50/85/120 ms IPsec SA created: 1/3 established: 1/3 time: 50/73/120 ms id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9 direction: initiator status: established 297-297s ago = 50ms proposal: aes-256-sha256 SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69 SK_er: 
1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8 lifetime/rekey: 43200/42602 DPD sent/recv: 00000000/00000000 FORTIGATE001 # get vpn ike gateway vd: root/0 name: ASA_P1 version: 2 interface: wan2 8 addr: fortigate.ip:500 -> ASA.ip:500 created: 43199s ago IKE SA created: 1/2 established: 1/2 time: 50/85/120 ms IPsec SA created: 1/3 established: 1/3 time: 50/73/120 ms id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9 direction: initiator status: established 299-299s ago = 50ms proposal: aes-256-sha256 SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69 SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8 lifetime/rekey: 43200/42600 DPD sent/recv: 00000000/00000000 FORTIGATE001 # get vpn ike gateway vd: root/0 name: ASA_P1 version: 2 interface: wan2 8 addr: fortigate.ip:500 -> ASA.ip:500 created: 43200s ago IKE SA created: 1/2 established: 1/2 time: 50/85/120 ms IPsec SA created: 1/3 established: 1/3 time: 50/73/120 ms id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9 direction: initiator status: established 300-300s ago = 50ms proposal: aes-256-sha256 SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69 SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8 lifetime/rekey: 43200/42599 DPD sent/recv: 00000000/00000000 FORTIGATE001 # get vpn ike gateway vd: root/0 name: ASA_P1 version: 2 interface: wan2 8 addr: fortigate.ip:500 -> ASA.ip:500 created: 43201s ago IKE SA created: 1/2 established: 1/2 time: 50/85/120 ms IPsec SA 
created: 1/3 established: 1/3 time: 50/73/120 ms
id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
direction: initiator
status: established 301-301s ago = 50ms
proposal: aes-256-sha256
SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
lifetime/rekey: 43200/42598
DPD sent/recv: 00000000/00000000

FORTIGATE001 #
ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001d len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001D00000050000000349A4B0F4B80C88C85F4B3E091C27E01B20AACA18774A61E76FD9E22C769C397DBBC40837314515039DFE2CE394282646F
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001D0000002000000004
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001D0000005000000034F31CD8E07356C9362818A86BD080581C6FBF821E933C6B1D7070A54FBF65B3FD55FD4F10A7CBE7D32E1CEEDBA963D1CE
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001d

FORTIGATE001 # get vpn ike gateway
vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43205s ago
IKE SA created: 1/2 established: 1/2 time: 50/85/120 ms
IPsec SA created: 1/3 established: 1/3 time: 50/73/120 ms
id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
direction: initiator
status: established 304-304s ago = 50ms
proposal: aes-256-sha256
SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
lifetime/rekey: 43200/42595
DPD sent/recv: 00000000/00000000

FORTIGATE001 #
ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001e len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001E000000502A0000340AACA18774A61E76FD9E22C769C397DBCFD54AE54585CD168C39679271CD06BEF1F0AC9921B0AD9F486EA59799ADA847
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001E000000282A0000040000000801000000
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: processing delete request (proto 1)
ike 0:ASA_P1:41338: deleting IKE SA ab6b332fedbc63ff/da1bb3bb43c47fe9
ike 0:ASA_P1:41338: schedule delete of IKE SA ab6b332fedbc63ff/da1bb3bb43c47fe9
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001E0000005000000034C944DFB8A5FC5B261E93D65FD5E46496F5B938C879E17A87385F4CECCE001314495374B6BE1A1B9CE783D71E158A15B5
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001e
ike 0:ASA_P1:41338: scheduled delete of IKE SA ab6b332fedbc63ff/da1bb3bb43c47fe9
ike 0:ASA_P1: deleting IPsec SA with SPI 720456aa
ike 0:ASA_P1:ASA_P2: deleted IPsec SA with SPI 720456aa, SA count: 0
ike 0:ASA_P1: sending SNMP tunnel DOWN trap for ASA_P2
ike 0:ASA_P1: connection expiring due to phase1 down
ike 0:ASA_P1: deleting
ike 0:ASA_P1: flushing
ike 0:ASA_P1: flushed
ike 0:ASA_P1: deleted
ike 0:ASA_P1: set oper down
ike 0:ASA_P1: schedule auto-negotiate
ike 0:ASA_P1:ASA_P2: IPsec SA connect 8 fortigate.ip->ASA.ip:0
ike 0:ASA_P1: traffic triggered, serial=15 17:172.30.100.9:18361->17:10.3.221.15:10002
ike 0:ASA_P1:ASA_P2: config found
ike 0:ASA_P1: created connection: 0x182a7830 8 fortigate.ip->ASA.ip:500.
ike 0:ASA_P1: IPsec SA connect 8 fortigate.ip->ASA.ip:500 negotiating
ike 0:ASA_P1: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:ASA_P1:41339: out
ike 0:ASA_P1:41339: sent IKE msg (SA_INIT): fortigate.ip:500->ASA.ip:500, len=448, id=1baae8dcd4e47801/0000000000000000
ike 0:ASA_P1: carrier down
ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=1baae8dcd4e47801/6222384a77d2f9a4 len=679
ike 0: in
ike 0:ASA_P1:41339: initiator received SA_INIT response
ike 0:ASA_P1:41339: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:ASA_P1:41339: processing NAT-D payload
ike 0:ASA_P1:41339: NAT not detected
ike 0:ASA_P1:41339: process NAT-D
ike 0:ASA_P1:41339: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:ASA_P1:41339: processing NAT-D payload
ike 0:ASA_P1:41339: NAT not detected
ike 0:ASA_P1:41339: process NAT-D
ike 0:ASA_P1:41339: processing notify type FRAGMENTATION_SUPPORTED
ike 0:ASA_P1:41339: incoming proposal:
ike 0:ASA_P1:41339: proposal id = 1:
ike 0:ASA_P1:41339: protocol = IKEv2:
ike 0:ASA_P1:41339: encapsulation = IKEv2/none
ike 0:ASA_P1:41339: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:ASA_P1:41339: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:ASA_P1:41339: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:ASA_P1:41339: type=DH_GROUP, val=MODP2048.
ike 0:ASA_P1:41339: matched proposal id 1
ike 0:ASA_P1:41339: proposal id = 1:
ike 0:ASA_P1:41339: protocol = IKEv2:
ike 0:ASA_P1:41339: encapsulation = IKEv2/none
ike 0:ASA_P1:41339: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:ASA_P1:41339: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:ASA_P1:41339: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:ASA_P1:41339: type=DH_GROUP, val=MODP2048.
ike 0:ASA_P1:41339: lifetime=43200
ike 0:ASA_P1:41339: IKE SA 1baae8dcd4e47801/6222384a77d2f9a4 SK_ei 32:65990A7A2B3AAE5F0CAF9CB1B300A3F0765BFBE95CDE804DCA43E20F138E44A6
ike 0:ASA_P1:41339: IKE SA 1baae8dcd4e47801/6222384a77d2f9a4 SK_er 32:D90A7C8134334D8DD9532CFB615F12BF75937B0F84EBAA79D18DEB241636D2B7
ike 0:ASA_P1:41339: IKE SA 1baae8dcd4e47801/6222384a77d2f9a4 SK_ai 32:45A9EDAA4963C7BCEEABE7261CE067406EFC9EECC25F5385113E7DE8B81A0A48
ike 0:ASA_P1:41339: IKE SA 1baae8dcd4e47801/6222384a77d2f9a4 SK_ar 32:85819CEDACA5AFB80130B3B654694ED81FC51CC49064B53042ED3E0F78A397C3
ike 0:ASA_P1:41339: initiator preparing AUTH msg
ike 0:ASA_P1:41339: sending INITIAL-CONTACT
ike 0:ASA_P1:41339: enc 2900000C01000000A29B0AA2270000080000400029000028020000006B8A574C4CEB8E74B09EF70F5AEA5B9E956251063455DC841CA8C04DEB78D98621000008000040242C00002C00000028010304033592D1F50300000C0100000C800E0080030000080300000200000008050000002D00002802000000070000100000FFFFAC1E6409AC1E6409070000100000FFFF00000000FFFFFFFF0000002802000000070000100000FFFF0A03DD0F0A03DD0F070000100000FFFF00000000FFFFFFFF0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41339: out 1BAAE8DCD4E478016222384A77D2F9A42E2023080000000100000110230000F431C270F98F4911F6B13BD59FDB81E9727449EB55F204F173F26B372C289EBAB7E17C7B3E3EFCFC0A57D53AD125A162BFC0F9B7CA4CF74A903A59C85EDB91EDC8594433BE2DB02CFE4ABA30E6617EA5C7DCDF5168CD100127D5563686E7785462E8793BA21C829F969A57902478AB7CDE913572A8553B333E2E433A4C16775F7311522383B160B3BF84528E640BE815FC9F48E22829A258E0CDE8F4DFA9DA5070137E9F23118D1FA4E4E4E63A37D085680CD4A8C8F027A6607A2009CECED17C53CFB83ABA9654A04CB41D11DC677EAE51A0C6B81401956DE52F3099FC5F535AAB63D2C79B061334B6C42B885FFEBE4EC6
ike 0:ASA_P1:41339: sent IKE msg (AUTH): fortigate.ip:500->ASA.ip:500, len=272, id=1baae8dcd4e47801/6222384a77d2f9a4:00000001
ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=1baae8dcd4e47801/6222384a77d2f9a4:00000001 len=256
ike 0: in
ike 0:ASA_P1:41339: dec 1BAAE8DCD4E478016222384A77D2F9A42E20232000000001000000D42B000004240000146022394A64E50AE306E7173CC61CB1DD2700000C01000000614CE7322100002802000000F9DC383063256168A6CCAD1F9E7E60F4A8C37DEB8F1564B670AB1EB6E69D623C2C00002C00000028010304038F11EA800300000C0100000C800E0080030000080300000200000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF2900001801000000070000100000FFFF00000000FFFFFFFF290000080100400A000000080100400B
ike 0:ASA_P1:41339: initiator received AUTH msg
ike 0:ASA_P1:41339: peer identifier IPV4_ADDR ASA.ip
ike 0:ASA_P1:41339: auth verify done
ike 0:ASA_P1:41339: initiator AUTH continuation
ike 0:ASA_P1:41339: authentication succeeded
ike 0:ASA_P1:41339: processing notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0:ASA_P1:41339: processing notify type NON_FIRST_FRAGMENTS_ALSO
ike 0:ASA_P1:41339: established IKE SA 1baae8dcd4e47801/6222384a77d2f9a4
ike 0:ASA_P1: set oper up
ike 0:ASA_P1:41339:2070: peer proposal:
ike 0:ASA_P1:41339:2070: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:2070: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:ASA_P2:2070: comparing selectors
ike 0:ASA_P1:41339:ASA_P2:2070: matched by rfc-rule-2
ike 0:ASA_P1:41339:ASA_P2:2070: phase2 matched by subset
ike 0:ASA_P1:41339:ASA_P2:2070: accepted proposal:
ike 0:ASA_P1:41339:ASA_P2:2070: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:ASA_P2:2070: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:ASA_P2:2070: autokey
ike 0:ASA_P1:41339:ASA_P2:2070: incoming child SA proposal:
ike 0:ASA_P1:41339:ASA_P2:2070: proposal id = 1:
ike 0:ASA_P1:41339:ASA_P2:2070: protocol = ESP:
ike 0:ASA_P1:41339:ASA_P2:2070: encapsulation = TUNNEL
ike 0:ASA_P1:41339:ASA_P2:2070: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:ASA_P1:41339:ASA_P2:2070: type=INTEGR, val=SHA
ike 0:ASA_P1:41339:ASA_P2:2070: type=ESN, val=NO
ike 0:ASA_P1:41339:ASA_P2:2070: PFS is disabled
ike 0:ASA_P1:41339:ASA_P2:2070: matched proposal id 1
ike 0:ASA_P1:41339:ASA_P2:2070: proposal id = 1:
ike 0:ASA_P1:41339:ASA_P2:2070: protocol = ESP:
ike 0:ASA_P1:41339:ASA_P2:2070: encapsulation = TUNNEL
ike 0:ASA_P1:41339:ASA_P2:2070: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:ASA_P1:41339:ASA_P2:2070: type=INTEGR, val=SHA
ike 0:ASA_P1:41339:ASA_P2:2070: type=ESN, val=NO
ike 0:ASA_P1:41339:ASA_P2:2070: PFS is disabled
ike 0:ASA_P1:41339:ASA_P2:2070: lifetime=21600
ike 0:ASA_P1:41339:ASA_P2:2070: replay protection enabled
ike 0:ASA_P1:41339:ASA_P2:2070: set sa life soft seconds=21298.
ike 0:ASA_P1:41339:ASA_P2:2070: set sa life hard seconds=21600.
ike 0:ASA_P1:41339:ASA_P2:2070: IPsec SA selectors #src=1 #dst=1
ike 0:ASA_P1:41339:ASA_P2:2070: src 0 7 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:ASA_P2:2070: dst 0 7 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:ASA_P2:2070: add IPsec SA: SPIs=3592d1f5/8f11ea80
ike 0:ASA_P1:41339:ASA_P2:2070: IPsec SA dec spi 3592d1f5 key 16:C4C909F73615943F0DDCCB54960CCFBE auth 20:66B6BF1BC76CF81885FB13CD2004B1DC84F1D1EA
ike 0:ASA_P1:41339:ASA_P2:2070: IPsec SA enc spi 8f11ea80 key 16:A62421FCEFCDD1C6297F204DB965C1EF auth 20:460D776FC910B7664CB2F581223D57FBE6433091
ike 0:ASA_P1:41339:ASA_P2:2070: added IPsec SA: SPIs=3592d1f5/8f11ea80
ike 0:ASA_P1:41339:ASA_P2:2070: sending SNMP tunnel UP trap
ike 0:ASA_P1: carrier up
Cisco Debugs:
Skipping static map = __vti-crypto-map-9-0-98, seq = 65280: no ACL configured IPSEC DEBUG: No NP inbound permit rule for SPI 0x8F11EA80 IPSEC: Completed host IBSA update, SPI 0x8F11EA80 IPSEC: Creating inbound VPN context, SPI 0x8F11EA80 Flags: 0x00000086 SA : 0x00007f36a2d30f70 SPI : 0x8F11EA80 MTU : 0 bytes VCID : 0x00000000 Peer : 0x009061E4 SCB : 0x37B0EAF3 Channel: 0x00007f368e3a95c0 IPSEC: Increment SA NP ref counter for inbound SPI 0x8F11EA80, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:8174) IPSEC: Completed inbound VPN context, SPI 0x8F11EA80 VPN handle: 0x00000000009086fc IPSEC: Updating outbound VPN context 0x009061E4, SPI 0x3592D1F5 Flags: 0x00000085 SA : 0x00007f36a1bbe4b0 SPI : 0x3592D1F5 MTU : 1500 bytes VCID : 0x00000000 Peer : 0x009086FC SCB : 0x37B103B1 Channel: 0x00007f368e3a95c0 IPSEC: Increment SA NP ref counter for outbound SPI 0x3592D1F5, old value: 0, new value: 1, (ctm_ipsec_update_vpn_context:8370) IPSEC: Completed outbound VPN context, SPI 0x3592D1F5 VPN handle: 0x00000000009061e4 IPSEC: Completed outbound inner rule, SPI 0x3592D1F5 Rule ID: 0x00007f36b13765d0 IPSEC: Completed outbound outer SPD rule, SPI 0x3592D1F5 Rule ID: 0x00007f36b13766e0 IPSEC: Decrement SA NP ref counter for outbound SPI 0x3592D1F5, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12558) IPSEC: New inbound tunnel flow rule, SPI 0x8F11EA80 Src addr: 0.0.0.0 Src mask: 0.0.0.0 Dst addr: 0.0.0.0 Dst mask: 0.0.0.0 Src ports Upper: 0 Lower: 0 Op : ignore Dst ports Upper: 0 Lower: 0 Op : ignore Protocol: 0 Use protocol: false SPI: 0x00000000 Use SPI: false IPSEC: Increment SA NP ref counter for inbound SPI 0x8F11EA80, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6320) IPSEC: Completed inbound tunnel flow rule, SPI 0x8F11EA80 Rule ID: 0x00007f36a1073680 IPSEC: Decrement SA NP ref counter for inbound SPI 0x8F11EA80, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5704) IPSEC: New inbound decrypt rule, SPI 0x8F11EA80 Src addr: x.x.x.x Src 
mask: 255.255.255.255 Dst addr: x.x.x.x Dst mask: 255.255.255.255 Src ports Upper: 0 Lower: 0 Op : ignore Dst ports Upper: 0 Lower: 0 Op : ignore Protocol: 50 Use protocol: true SPI: 0x8F11EA80 Use SPI: true IPSEC: Increment SA NP ref counter for inbound SPI 0x8F11EA80, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6482) IPSEC: Completed inbound decrypt rule, SPI 0x8F11EA80 Rule ID: 0x00007f369095a830 IPSEC: Decrement SA NP ref counter for inbound SPI 0x8F11EA80, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5704) IPSEC: New inbound permit rule, SPI 0x8F11EA80 Src addr: x.x.x.x Src mask: 255.255.255.255 Dst addr: x.x.x.x Dst mask: 255.255.255.255 Src ports Upper: 0 Lower: 0 Op : ignore Dst ports Upper: 0 Lower: 0 Op : ignore Protocol: 50 Use protocol: true SPI: 0x8F11EA80 Use SPI: true IPSEC: Increment SA NP ref counter for inbound SPI 0x8F11EA80, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6482) IPSEC: Completed inbound permit rule, SPI 0x8F11EA80 Rule ID: 0x00007f369095a940 IPSEC: Decrement SA NP ref counter for inbound SPI 0x8F11EA80, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5704) IPSEC: Decrement SA NP ref counter for inbound SPI 0x8F11EA80, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12558) IPSEC: Increment SA HW ref counter for inbound SPI 0x8F11EA80, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_ibsa:805) IKEv2-PLAT-4: Received PFKEY add SA for SPI 0x3592D1F5, error FALSE IPSEC: Added SA to last received DB, SPI: 0x8F11EA80, user: 162.155.10.162, peer: 162.155.10.162, SessionID: 0x0048C000 IPSEC DEBUG: Inbound SA (SPI 0x8F11EA80) state change from embryonic to active IPSEC DEBUG: Outbound SA (SPI 0x3592D1F5) state change from embryonic to active IKEv2-PLAT-4: Received PFKEY update SA for SPI 0x8F11EA80, error FALSE IKEv2-PLAT-4: Success on pfkey update IKEv2-PLAT-4: (950): PSH added CTM sa hdl 121543031 IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 
00000001 CurState: AUTH_DONE Event: EV_OK_RECD_LOAD_IPSEC IKEv2-PROTO-7: (950): Action: Action_Null IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT IKEv2-PROTO-4: (950): DPD timer started for 10 secs IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PARENT_NEG_COMPLETE IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE IKEv2-PROTO-7: (950): Closing the PKI session IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE IKEv2-PROTO-4: (950): Checking for duplicate IKEv2 SA IKEv2-PROTO-4: (950): No duplicate IKEv2 SA found IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: READY Event: EV_R_OK IKEv2-PROTO-4: (950): Starting timer (8 sec) to delete negotiation context IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: READY Event: EV_NO_EVENT IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=10.6.7.19, sport=1986, daddr=10.3.48.14, dport=41216 IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap. IPSEC(crypto_map_check)-5: Checking crypto map outside_map 2: skipping because 5-tuple does not match ACL outside_cryptomap_1. IPSEC(crypto_map_check)-5: Checking crypto map outside_map 3: skipping because 5-tuple does not match ACL outside_cryptomap_2. IPSEC(crypto_map_check)-5: Checking crypto map outside_map 5: skipping incomplete map. 
No peer, access-list or transform-set specified.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 6: matched.
IKEv2-PROTO-7: (947): Restarting DPD timer 10 secs
IKEv2-PROTO-7: (946): Restarting DPD timer 10 secs
IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: READY Event: EV_DEL_NEG_TMO
IKEv2-PROTO-7: (950): Deleting negotiation context for peer message ID: 0x1
!Tunnel is down here
Any thoughts? Any help? FortiGate is running FortiOS 6.2.5 and the ASA was running 9.8(4) but was upgraded at TAC's request to 9.9(2).
Any help is welcome.
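A way to read a capture like the one above without wading through the hex, as an added example that is not the poster's tooling or Fortinet code: it walks the FortiGate IKE debug once, keeps the last `created:` and `lifetime/rekey:` values from the `get vpn ike gateway` snapshots, and records whether the peer's delete for protocol 1 (the IKE SA, per the RFC 7296 Delete payload protocol IDs) arrived with time still left on the local rekey timer and without a preceding rekey exchange. It assumes FortiOS names a rekey exchange `CREATE_CHILD` in this debug (none appears in the thread). The sample lines are constructed from the shape of the thread's output, with payloads dropped and the poster's address placeholders kept.

```python
"""Triage of FortiGate IKE debug output for a tunnel that drops on a schedule.

Added example; not the poster's or Fortinet's code.  SAMPLE_DEBUG is
constructed from the shape of the thread's debug output.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: routine INFORMATIONAL (DPD) exchanges interleaved with
# 'get vpn ike gateway' snapshot fields, then the peer's IKE SA delete and the
# automatic renegotiation that follows it.
SAMPLE_DEBUG = """\
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001c len=80
ike 0:ASA_P1:41338: received informational request
created: 43194s ago
lifetime/rekey: 43200/42605
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001d len=80
ike 0:ASA_P1:41338: received informational request
created: 43205s ago
lifetime/rekey: 43200/42595
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001e len=80
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: processing delete request (proto 1)
ike 0:ASA_P1:41338: deleting IKE SA ab6b332fedbc63ff/da1bb3bb43c47fe9
ike 0:ASA_P1: connection expiring due to phase1 down
ike 0:ASA_P1: schedule auto-negotiate
ike 0:ASA_P1:41339: sent IKE msg (SA_INIT): fortigate.ip:500->ASA.ip:500, len=448, id=1baae8dcd4e47801/0000000000000000
"""

CREATED_RE = re.compile(r"created:\s+(\d+)s ago")
LIFETIME_RE = re.compile(r"lifetime/rekey:\s+(\d+)/(\d+)")
EXCHANGE_RE = re.compile(r"IKEv2 exchange=([A-Z_]+)")
DELETE_RE = re.compile(r"processing delete request \(proto (\d+)\)")
SA_INIT_RE = re.compile(r"sent IKE msg \(SA_INIT\)")

# Delete payload protocol IDs (RFC 7296): 1 = IKE, 2 = AH, 3 = ESP.
PROTO_IKE = 1
# Exchange name assumed for a FortiOS rekey; not present in the thread's debug.
REKEY_EXCHANGE = "CREATE_CHILD"


@dataclass
class TeardownReport:
    peer_deleted_ike_sa: bool = False
    uptime_at_delete_s: Optional[int] = None   # last 'created: Ns ago' before the delete
    ike_lifetime_s: Optional[int] = None        # local IKE SA lifetime
    rekey_remaining_s: Optional[int] = None     # seconds left on the local rekey timer
    rekey_seen: bool = False                    # a rekey exchange preceded the delete
    renegotiated: bool = False                  # a fresh SA_INIT was sent afterwards

    def uptime_at_delete_min(self) -> Optional[int]:
        return None if self.uptime_at_delete_s is None else self.uptime_at_delete_s // 60

    def verdict(self) -> str:
        if not self.peer_deleted_ike_sa:
            return "no peer-initiated IKE SA delete in this capture"
        if self.rekey_seen:
            return "IKE SA deleted after a CREATE_CHILD rekey: normal cleanup of the old SA"
        if self.rekey_remaining_s:
            return (f"peer deleted the IKE SA at ~{self.uptime_at_delete_min()} min uptime "
                    f"with {self.rekey_remaining_s}s left on the local rekey timer and no "
                    "rekey exchange: suspect a session or idle timeout on the peer, "
                    "not a lifetime mismatch")
        return "peer deleted the IKE SA at local rekey time: compare lifetime settings"


def triage(debug_text: str) -> TeardownReport:
    """Walk the debug once; snapshot fields are only updated until the delete arrives."""
    r = TeardownReport()
    for line in debug_text.splitlines():
        if not r.peer_deleted_ike_sa:
            if m := CREATED_RE.search(line):
                r.uptime_at_delete_s = int(m.group(1))
                continue
            if m := LIFETIME_RE.search(line):
                r.ike_lifetime_s, r.rekey_remaining_s = int(m.group(1)), int(m.group(2))
                continue
            if (m := EXCHANGE_RE.search(line)) and m.group(1) == REKEY_EXCHANGE:
                r.rekey_seen = True
                continue
            if (m := DELETE_RE.search(line)) and int(m.group(1)) == PROTO_IKE:
                r.peer_deleted_ike_sa = True
        elif SA_INIT_RE.search(line):
            r.renegotiated = True
    return r


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG).verdict())
```

On the constructed sample the report shows the delete landing at 43205 s of uptime, which is 720 minutes, with 42595 s still left on the FortiGate's own rekey timer; that combination points away from lifetime settings and toward a timer on the peer.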
11-11-2020 02:14 PM
Well, after what seemed like an eternity, we found the issue. After a lot of debugging, we found this on the ASA:
IKEv2-PLAT-4: (1134): idle timeout disable for VTI session
IKEv2-PLAT-4: (1134): session timeout set to: 720
So we looked and noticed that the group-policy for the tunnel doesn't have a lifetime set, which means it's inheriting from the default group-policy, which was set to 720 minutes.
When we set:
vpn-session-timeout none
on the group-policy for the VPN tunnel to the FortiGate, the tunnel stopped dropping.
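The mechanism behind the fix is attribute inheritance: an ASA group-policy only carries the attributes that are explicitly set on it, and everything else comes from DfltGrpPolicy, so `show run group-policy` shows nothing about a session timeout the tunnel is still subject to. The following is an added model of that resolution (not Cisco code); the two policies are constructed from the thread, the named one setting only `vpn-tunnel-protocol` and the default one carrying the 720-minute `vpn-session-timeout`, with the 30-minute idle timeout a constructed value. It also checks an observed teardown uptime against the effective timeout, skipping the idle timeout because the thread's debug shows the ASA disabling it for VTI sessions.

```python
"""Model of how an ASA resolves group-policy attributes for a tunnel-group:
anything the named policy leaves unset is inherited from DfltGrpPolicy.

Added example, not Cisco code.  Policy contents are constructed from the thread.
"""
from typing import Optional

# None models the CLI keyword 'none' (timer disabled); integers are minutes,
# the unit the ASA uses for vpn-session-timeout and vpn-idle-timeout.
DFLT_GRP_POLICY = {
    "vpn-tunnel-protocol": {"ikev1", "ikev2"},  # constructed value
    "vpn-idle-timeout": 30,                      # minutes; constructed value
    "vpn-session-timeout": 720,                  # minutes; the value found in the thread
}

# The thread's GROUP_POLICY: only vpn-tunnel-protocol is set, so the session
# timeout is silently inherited from DfltGrpPolicy.
GROUP_POLICY = {
    "vpn-tunnel-protocol": {"ikev2", "l2tp-ipsec"},
}


def effective_policy(named: dict, default: dict = DFLT_GRP_POLICY) -> dict:
    """Merge the way the ASA applies it: named values (including an explicit
    'none') override the default, everything else is inherited."""
    merged = dict(default)
    merged.update(named)
    return merged


def inherited_attributes(named: dict, default: dict = DFLT_GRP_POLICY) -> list:
    """Attributes the named policy does not set and therefore takes from the default."""
    return sorted(k for k in default if k not in named)


def session_timeout_seconds(policy: dict) -> Optional[int]:
    minutes = policy.get("vpn-session-timeout")
    return None if minutes is None else minutes * 60


def explains_drop(observed_uptime_s: int, policy: dict, tolerance_s: int = 60) -> bool:
    """True if the tunnel's uptime at teardown lines up with the session timeout.

    Only the session timeout is checked: the thread's ASA debug shows
    'idle timeout disable for VTI session', so the idle timer never fires here."""
    limit = session_timeout_seconds(policy)
    return limit is not None and abs(observed_uptime_s - limit) <= tolerance_s


def apply_fix(named: dict) -> dict:
    """Equivalent of 'vpn-session-timeout none' under the group-policy attributes:
    an explicit 'none' on the named policy stops the inheritance."""
    fixed = dict(named)
    fixed["vpn-session-timeout"] = None
    return fixed


if __name__ == "__main__":
    before = effective_policy(GROUP_POLICY)
    print("inherited from DfltGrpPolicy:", inherited_attributes(GROUP_POLICY))
    print("effective session timeout (s):", session_timeout_seconds(before))
    print("explains a drop at 43205s uptime:", explains_drop(43205, before))
    after = effective_policy(apply_fix(GROUP_POLICY))
    print("after fix:", session_timeout_seconds(after), explains_drop(43205, after))
```

The check worth keeping from this is `inherited_attributes`: before blaming IKE lifetimes, list which timers a site-to-site group-policy is taking from DfltGrpPolicy, since those never appear under the policy's own `attributes` block.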
11-03-2020 10:10 AM
Hi @matt.sherif
Probably lifetime timers mismatch.
Whilst your Cisco IKEv2 policy 5 has the same lifetime of 172800 as the FortiGate, it won't be used as the encryption algorithms defined are different, so they will match on policy 10, which has different lifetime timers. Modify one of your policies to be exactly the same on the Cisco as on the FortiGate.
HTH
11-03-2020 10:22 AM
Rob,
Thanks for replying, that was an error when sanitizing the configs. IKEv2 Policy 10 indeed has a 172800 rekey lifetime. I'm just mentally exhausted from trying to address this.
11-03-2020 10:33 AM
Is the remote peer behind NAT, which makes the identification change?
11-03-2020 10:35 AM
Thanks for replying. No, neither peer is behind NAT, as you can see both peers are on public addresses:
FortiGate.IP:500 ---> ASA.IP:500
11-03-2020 11:09 AM
Phase 2 encryption and hash are different on the two sides; make them match.
aes128 to aes.
11-03-2020 11:24 AM
They do match: on the Cisco ASA, AES is AES-128; on the FortiGate you have to specify AES128.
As evidenced by this:
ike 0:ASA_P1:41339:ASA_P2:2070: incoming child SA proposal:   <--- Incoming proposal from ASA (IKEv2 Policy 10)
ike 0:ASA_P1:41339:ASA_P2:2070: proposal id = 1:
ike 0:ASA_P1:41339:ASA_P2:2070: protocol = ESP:
ike 0:ASA_P1:41339:ASA_P2:2070: encapsulation = TUNNEL
ike 0:ASA_P1:41339:ASA_P2:2070: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:ASA_P1:41339:ASA_P2:2070: type=INTEGR, val=SHA
ike 0:ASA_P1:41339:ASA_P2:2070: type=ESN, val=NO
ike 0:ASA_P1:41339:ASA_P2:2070: PFS is disabled
ike 0:ASA_P1:41339:ASA_P2:2070: matched proposal id 1
ike 0:ASA_P1:41339:ASA_P2:2070: proposal id = 1:
ike 0:ASA_P1:41339:ASA_P2:2070: protocol = ESP:
ike 0:ASA_P1:41339:ASA_P2:2070: encapsulation = TUNNEL
ike 0:ASA_P1:41339:ASA_P2:2070: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:ASA_P1:41339:ASA_P2:2070: type=INTEGR, val=SHA
ike 0:ASA_P1:41339:ASA_P2:2070: type=ESN, val=NO
ike 0:ASA_P1:41339:ASA_P2:2070: PFS is disabled
ike 0:ASA_P1:41339:ASA_P2:2070: lifetime=21600
If they didn't match the Tunnel wouldn't form at all. This is not the problem I am having.
11-03-2020 11:59 AM - edited 11-05-2020 06:28 AM
......
11-03-2020 12:09 PM
Where does it say tunnel type is L2TP-IPSEC? That's the group policy.
11-03-2020 12:30 PM
Check the config I sent: vpn-tunnel-protocol was L2TP-IPsec; I only deleted it and added tunnel type IPsec L2L.
11-03-2020 12:27 PM
group-policy group_policy attributes
 vpn-tunnel-protocol ikev2
tunnel-group x.x.x.x type ipsec-l2l     <----- ipsec-lan-2-lan, so site to site. No?
11-03-2020 01:25 PM - edited 11-05-2020 06:29 AM
.....
11-03-2020 01:26 PM
Under the FortiGate, for the IP-in-IP selector:
set protocol 4
11-04-2020 08:31 AM
There is no IP-in-IP tunnel in this scenario. Where did you get that idea from?
11-04-2020 09:36 AM - edited 11-05-2020 06:29 AM
.....