ASA to Palo Alto VPN

irbk
Level 1

Hello Experts!

I'm setting up a new VPN tunnel to a partner: ASA on our side, Palo Alto on theirs. When the tunnel connects, it seems to run fine. However, should the tunnel go down, it will not come back up unless they initiate the traffic. They claim that both sides can initiate traffic, but my logs seem to disagree. It looks to me like we send a packet to them to establish the tunnel, wait, don't get any response, so we try again, wait, don't get any response, so we try again, until we just finally give up. Can you see something different in the logs?

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (1773): Setting configured policies
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (1773): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2-PROTO-4: (1773): Request queued for computation of DH key
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (1773): Action: Action_Null
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (1773): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (1773): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): AES-CBC(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-4: (1773): IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1773): AES-CBC(1773): SHA1(1773): SHA256(1773): DH_GROUP_1536_MODP/Group 5IKEv2-PROTO-4: (1773): IKE Proposal: 3, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1773): AES-CBC(1773): SHA256(1773): SHA256(1773): DH_GROUP_2048_MODP/Group 14IKEv2-PROTO-4: (1773): IKE Proposal: 4, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1773): AES-CBC(1773): SHA1(1773): SHA512(1773): DH_GROUP_1536_MODP/Group 5IKEv2-PROTO-4: (1773): IKE Proposal: 5, SPI size: 0 (initial negotiation),
Num. transforms: 8
(1773): AES-CBC(1773): SHA512(1773): SHA384(1773): SHA256(1773): SHA1(1773): MD5(1773): SHA256(1773): DH_GROUP_1536_MODP/Group 5IKEv2-PROTO-4: (1773): IKE Proposal: 6, SPI size: 0 (initial negotiation),
Num. transforms: 8
(1773): AES-CBC(1773): SHA512(1773): SHA384(1773): SHA256(1773): SHA1(1773): MD5(1773): SHA512(1773): DH_GROUP_1536_MODP/Group 5IKEv2-PROTO-4: (1773): IKE Proposal: 7, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): AES-CBC(1773): SHA256(1773): SHA1(1773): SHA256(1773): DH_GROUP_1536_MODP/Group 5IKEv2-PROTO-4: (1773): IKE Proposal: 8, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1773): AES-CBC(1773): SHA1(1773): SHA256(1773): DH_GROUP_2048_MODP/Group 14IKEv2-PROTO-4: (1773): IKE Proposal: 9, SPI size: 0 (initial negotiation),
Num. transforms: 7
(1773): AES-CBC(1773): SHA512(1773): SHA384(1773): SHA256(1773): SHA1(1773): SHA512(1773): DH_GROUP_521_ECP/Group 21IKEv2-PROTO-4: (1773): IKE Proposal: 10, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): AES-CBC(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-4: (1773): IKE Proposal: 11, SPI size: 0 (initial negotiation),
Num. transforms: 7
(1773): AES-CBC(1773): SHA512(1773): SHA384(1773): SHA256(1773): SHA1(1773): SHA256(1773): DH_GROUP_384_ECP/Group 20IKEv2-PROTO-4: (1773): IKE Proposal: 12, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): AES-CBC(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-4: (1773): IKE Proposal: 13, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): 3DES(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-4: (1773): IKE Proposal: 14, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): DES(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):
Payload contents:
(1773): SA(1773): Next payload: KE, reserved: 0x0, length: 772
(1773): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(1773): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(1773): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 4, Protocol id: IKE, SPI size: 0, #trans: 4(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last proposal: 0x2, reserved: 0x0, length: 76
Proposal: 5, Protocol id: IKE, SPI size: 0, #trans: 8(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: MD5
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last proposal: 0x2, reserved: 0x0, length: 76
Proposal: 6, Protocol id: IKE, SPI size: 0, #trans: 8(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: MD5
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 7, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 8, Protocol id: IKE, SPI size: 0, #trans: 4(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(1773): last proposal: 0x2, reserved: 0x0, length: 68
Proposal: 9, Protocol id: IKE, SPI size: 0, #trans: 7(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(1773): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 10, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(1773): last proposal: 0x2, reserved: 0x0, length: 68
Proposal: 11, Protocol id: IKE, SPI size: 0, #trans: 7(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
(1773): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 12, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(1773): last proposal: 0x2, reserved: 0x0, length: 48
Proposal: 13, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(1773): last proposal: 0x0, reserved: 0x0, length: 48
Proposal: 14, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: DES
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(1773): KE(1773): Next payload: N, reserved: 0x0, length: 200
(1773): DH group: 5, Reserved: 0x0
(1773):
(1773): 54 8a 75 ca 48 5d 15 44 19 5b fc 78 37 4a dc 08
(1773): 67 02 18 f1 33 d4 78 60 00 9c 07 0d ba 2e 0a a7
(1773): da f4 80 8b b9 0f ef 2b fc ed 69 85 92 1f 18 1d
(1773): 71 32 83 a0 b6 c1 db fa aa e1 7d 95 47 12 d4 6e
(1773): 47 6c c8 1e 05 f9 f5 8c 95 6a 7b bf 2f 96 fc a9
(1773): a2 9e e8 4b 84 9c d4 aa 01 1c d4 ff 64 7a c7 e9
(1773): 03 f0 f5 c0 09 d2 c4 25 a9 65 a6 85 fb 2b 1b 8c
(1773): 80 54 41 c3 a7 03 4b 8d 88 09 b1 bf 1e 1e 5b 79
(1773): 92 e3 0e 18 32 b1 f7 e0 ae ef 1f 8b f0 2e 9a 9e
(1773): 7c b0 6c 3a b6 1f 5f a7 50 52 6c 6c ca 7c 68 29
(1773): 51 89 b7 ff 02 9b 89 1e 03 f7 5a 88 da f1 f8 a1
(1773): 85 49 ed df 63 b1 70 40 3e 21 b0 e4 71 e3 bb 49
(1773): N(1773): Next payload: VID, reserved: 0x0, length: 68
(1773):
(1773): 6a 08 4f 40 76 39 b7 35 0c 2b a9 8d 10 69 87 3c
(1773): 37 24 08 68 c0 28 3c f5 f8 40 bd 97 f6 8b 9f bd
(1773): 25 a4 09 a8 6f f5 72 7a a9 73 a9 bf f6 e2 43 00
(1773): ee b0 92 b7 81 fe d0 88 4e 2a e1 a8 a9 fd 45 72
(1773): VID(1773): Next payload: VID, reserved: 0x0, length: 23
(1773):
(1773): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(1773): 53 4f 4e
(1773): VID(1773): Next payload: NOTIFY, reserved: 0x0, length: 59
(1773):
(1773): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(1773): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(1773): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(1773): 73 2c 20 49 6e 63 2e
(1773): NOTIFY(NAT_DETECTION_SOURCE_IP)(1773): Next payload: NOTIFY, reserved: 0x0, length: 28
(1773): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(1773):
(1773): b1 b8 6f 4e 95 e9 35 4b de f2 e1 ae 79 50 06 12
(1773): d8 81 e9 62
(1773): NOTIFY(NAT_DETECTION_DESTINATION_IP)(1773): Next payload: NOTIFY, reserved: 0x0, length: 28
(1773): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(1773):
(1773): ce 20 67 9b db 8a d3 da 7e 1e 59 a7 4f 74 af d9
(1773): c6 4c c1 59
(1773): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(1773): Next payload: VID, reserved: 0x0, length: 8
(1773): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(1773): VID(1773): Next payload: NONE, reserved: 0x0, length: 20
(1773):
(1773): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(1773):
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (1773): Insert SA
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet

For the sake of space, I'll summarize from here on...

(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-2: (1773): Maximum number of retransmissions reached
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-4: (1773): Failed SA init exchange
IKEv2-PROTO-2: (1773): Initial exchange failed
IKEv2-PROTO-2: (1773): Initial exchange failed
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (1773): Abort exchange
IKEv2-PROTO-4: (1773): Deleting SA

Am I missing something?  TIA!
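The question above boils down to one fact the trace already contains: the responder SPI never leaves 0000000000000000 and no inbound packet is ever logged, so the ASA retransmits IKE_SA_INIT until it hits its limit. The script below is an added example, not part of the original post or of any Cisco tool; it reduces an ASA "debug crypto ikev2 protocol" trace of this shape to a verdict (peer answered / never answered / retransmit limit hit) and, as a side check, lists the legacy transforms (DES, 3DES, MD5, DH group 1/2) the IKE_SA_INIT proposal set offered. The sample traces are constructed and condensed (documentation IP ranges, hex dumps omitted); the "Received Packet" wording for the inbound counterpart of "Sending Packet" is an assumption about the trace format.

```python
import re

# State-machine trace lines: "... I_SPI=<hex> R_SPI=<hex> (I) MsgID = ... CurState: X Event: Y"
SM_RE = re.compile(r"I_SPI=([0-9A-Fa-f]+) R_SPI=([0-9A-Fa-f]+) .*?CurState: (\S+) Event: (\S+)")
# Decoded SA payload transform lines: "type: 1, reserved: 0x0, id: AES-CBC"
TRANSFORM_RE = re.compile(r"type: (\d), reserved: 0x0, id: (.+?)\s*$")
# Transforms a reviewer would want removed from an offered proposal set.
WEAK_TRANSFORMS = {"DES", "3DES", "MD5", "DH_GROUP_768_MODP/Group 1", "DH_GROUP_1024_MODP/Group 2"}

# Constructed sample 1: one IKE_SA_INIT send, two retransmits, then the retransmit limit.
TRACE_NO_RESPONSE = """\
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (1773): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (1773): Sending Packet [To 203.0.113.9:500/From 198.51.100.7:500/VRF i0:f0]
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA1
type: 3, reserved: 0x0, id: SHA96
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
type: 2, reserved: 0x0, id: MD5
type: 3, reserved: 0x0, id: SHA96
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
IKEv2-PROTO-4: (1773): Sending Packet [To 203.0.113.9:500/From 198.51.100.7:500/VRF i0:f0]
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
IKEv2-PROTO-4: (1773): Sending Packet [To 203.0.113.9:500/From 198.51.100.7:500/VRF i0:f0]
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-2: (1773): Maximum number of retransmissions reached
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-4: (1773): Deleting SA
"""

# Constructed sample 2: the peer answers, so R_SPI becomes non-zero (event names illustrative).
TRACE_RESPONSE = """\
IKEv2-PROTO-7: (1774): SM Trace-> SA: I_SPI=0B7C2D9E4F1A6B30 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-4: (1774): Sending Packet [To 203.0.113.9:500/From 198.51.100.7:500/VRF i0:f0]
IKEv2-PROTO-7: (1774): SM Trace-> SA: I_SPI=0B7C2D9E4F1A6B30 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-4: (1774): Received Packet [From 203.0.113.9:500/To 198.51.100.7:500/VRF i0:f0]
IKEv2-PROTO-7: (1774): SM Trace-> SA: I_SPI=0B7C2D9E4F1A6B30 R_SPI=9C3E1F5A7D2B4680 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (1774): SM Trace-> SA: I_SPI=0B7C2D9E4F1A6B30 R_SPI=9C3E1F5A7D2B4680 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK_NAT_T
"""


def summarize_ikev2_trace(text):
    """Reduce a trace to the facts that decide whether the peer ever answered IKE_SA_INIT."""
    summary = {"initiator_spi": None, "responder_spi": None, "states": [],
               "sends": 0, "retransmits": 0, "received": 0,
               "retransmit_limit_hit": False, "weak_transforms": []}
    for line in text.splitlines():
        m = SM_RE.search(line)
        if m:
            i_spi, r_spi, state, event = m.groups()
            summary["initiator_spi"] = i_spi
            if r_spi.strip("0"):  # responder SPI is non-zero only once the peer has replied
                summary["responder_spi"] = r_spi
            if not summary["states"] or summary["states"][-1] != state:
                summary["states"].append(state)  # de-duplicated state sequence
            if event == "EV_RE_XMT_EXCEED":
                summary["retransmit_limit_hit"] = True
        if "Sending Packet" in line:
            summary["sends"] += 1
        elif "Retransmitting packet" in line:
            summary["retransmits"] += 1
        elif "Received Packet" in line:  # assumed wording of the inbound trace line
            summary["received"] += 1
        t = TRANSFORM_RE.search(line)
        if t and t.group(2) in WEAK_TRANSFORMS and t.group(2) not in summary["weak_transforms"]:
            summary["weak_transforms"].append(t.group(2))
    return summary


def diagnose(summary):
    """Verdict code: did the peer respond at all, and did we give up?"""
    if summary["received"] == 0 and summary["responder_spi"] is None:
        return "NO_RESPONSE_RETRANSMIT_LIMIT" if summary["retransmit_limit_hit"] else "NO_RESPONSE_YET"
    return "PEER_RESPONDED"


if __name__ == "__main__":
    for name, trace in (("no response", TRACE_NO_RESPONSE), ("response", TRACE_RESPONSE)):
        s = summarize_ikev2_trace(trace)
        print(name, diagnose(s), s["states"], "sends:", s["sends"],
              "retransmits:", s["retransmits"], "weak:", s["weak_transforms"])
```

On the trace in the post, the verdict is NO_RESPONSE_RETRANSMIT_LIMIT: the ASA never receives anything for that initiator SPI, which is the evidence to put in front of the peer's team (a capture on UDP 500 at their edge, taken while the ASA retransmits, settles whether the packets arrive). The weak-transform list is a separate housekeeping point: the offered proposals include DES, 3DES, MD5 and DH group 2, none of which a new partner tunnel should need.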

54 Replies

Ask the Palo team please to provide the sanitized screenshots of IKE crypto profile, IPsec crypto profile, IKE gateway, and IPsec tunnel for review. Also, ask them please if they have any access list applied to the external interface of the Palo, if so, what they allowed in terms of traffic from your public IP, as well as any NAT rule related to the VPN traffic. Without having full visibility of the configs on both sides we would go in circles. If the issue only presents when you are the initiator, it could be related to something they are blocking on their side, it could be an access list that is not allowing port 500/udp and 4500/udp.

@Aref Alsouqi I have previously asked but I was not provided with the information.  I've told them multiple times, providing them multiple logs, showing that when we try to initiate the connection, we are frequently not getting a response back from them.  

The weird thing is, sometimes we can be the initiator and we connect just fine.  So I don't think that it's an ACL on their side not allowing the traffic through.  If that were the case, then we'd never be able to initiate the connection.  It's just like 2/3rds of the time they ignore traffic from us.  So very weird.

That's not good : - D. Yeah, you're right if it works sometimes but not others it wouldn't be the ACL or the config. However, this leads me to think again that the issue could be related to asymmetric routing somewhere and this could potentially be the issue why we see more encaps than decaps.

That would have to be on their side?  I don't see how it could be on mine.  My config is pretty simple.

I would agree with this.

irbk
Level 1

Then there is the Runt ISAKMP issue.  Sometimes when we get responses from them, I get a lot of "Runt ISAKMP packet discarded on Port 500 from 52.x.x.x" so it's like it's trying to send stuff back to me but it's garbled.

That again could suggest there is something wrong on the path in terms of traffic delivery. I would try to ask them what their network topology looks like, and tell them that there might be asymmetric routing somewhere. In these cases, receiving reciprocal collaboration from their team is crucial.

When the issue appears again, share:
show crypto isakmp sa
show crypto ikev2 sa
show crypto ipsec sa <<- I additionally need to know the SPI the Forti uses on the other side

MHM

Currently having the issue and nothing shows for those commands currently.  Even in the middle of attempting to establish the session I get no responses for those when filtered to the partner IP.

Additionally I'm seeing a lot of "IKE Receiver: Runt ISAKMP packet discarded on port 500 from 52.x.x.x"

 

[Attachment: Screenshot_3.jpg]

If Phase 1 has expired, then we can see drops such as these.
Sorry, can you try to share:
show crypto isakmp sa
and check the ISAKMP status.
MHM

There is nothing showing for a show isakmp sa for the tunnel.  (Edited output to show we've got several other tunnels up but nothing to 52.x.x.x)

show crypto isakmp sa

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 92.xxx
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 209.xxx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

IKEv2 SAs:

Session-id:27805990, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
3330524761 173.xxx/500 40.xxx/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/33083 sec
Child sa: local selector 10.xxx/0 - 10.xxx/65535
remote selector 172.xxx/0 - 172.xxx/65535
ESP spi in/out: 0x81261ecd/0x98b6b662
<--- More --->
IKEv2 SAs:

Session-id:27806043, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
3517827535 173.xxx/500 41.xxx/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/744 sec
Child sa: local selector 173.xxx/0 - 173.xxx/65535
remote selector 10.xxx/0 - 10.xxx/65535
ESP spi in/out: 0xb5668c86/0xd0451ac3

IKEv2 SAs:

Session-id:27805502, Status:UP-ACTIVE, IKE count:1, CHILD count:2

Tunnel-id Local Remote Status Role
3418743495 173.xxx/500 51.xxx/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/10190 sec
Child sa: local selector 173.xxx/0 - 173.xxx/65535
remote selector 10.xxx/0 - 10.xxx/65535
ESP spi in/out: 0xf2f3e7a6/0x200006d
<--- More ---> Child sa: local selector 173.237.156.202/0 - 173.237.156.202/65535
remote selector 10.xxx/0 - 10.xxx/65535
ESP spi in/out: 0x19561c9d/0x20010ad

IKEv2 SAs:

Session-id:27805822, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
3404799685 173.xxx/4500 83.xxx/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/16102 sec
Child sa: local selector 173.xxx/0 - 173.xxx/65535
remote selector 10.xxx/0 - 10.xxx/65535
ESP spi in/out: 0x18089b43/0xe4697dea
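The post above shows the manual version of a check worth scripting when an ASA terminates many tunnels: is a given peer present in "show crypto isakmp sa" at all, and if so with which role, state and port. The parser below is an added example, not part of the thread or of any Cisco tool; it reads both the IKEv1 and IKEv2 sections of that output into records, strips the "<--- More --->" pager prompts, and answers two questions raised in the thread: whether the partner peer has any SA, and which peers are running NAT-T on UDP 4500 rather than plain UDP 500. The sample output is constructed (documentation IP ranges) in the layout shown above.

```python
import re

# IKEv2 tunnel line: "<tunnel-id> <local>/<port> <remote>/<port> <status> <role>"
V2_RE = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\S+)\s+(\S+)\s*$")
# IKEv1 peer line: "<n>   IKE Peer: <address>", followed by Type/Role and Rekey/State lines
V1_PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s+(\S+)")
ROLE_RE = re.compile(r"Role\s*:\s*(\w+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")

# Constructed sample in the layout of the "show crypto isakmp sa" output in the thread.
SAMPLE_SHOW = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.0.2.92
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

IKEv2 SAs:

Session-id:27805990, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
3330524761 198.51.100.7/500 203.0.113.40/500 READY INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/33083 sec
Child sa: local selector 10.0.0.0/0 - 10.0.0.255/65535
          remote selector 172.16.0.0/0 - 172.16.0.255/65535
          ESP spi in/out: 0x81261ecd/0x98b6b662
<--- More ---> IKEv2 SAs:

Session-id:27806043, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
3517827535 198.51.100.7/500 203.0.113.41/500 READY RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
IKEv2 SAs:

Session-id:27805822, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
3404799685 198.51.100.7/4500 203.0.113.83/4500 READY INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
"""


def parse_isakmp_sa(text):
    """Return one record per IKE SA: version, peer address, UDP port (IKEv2 only), role, state."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.replace("<--- More --->", "").strip()  # drop pager prompts glued to output
        m = V1_PEER_RE.match(line)
        if m:
            current = {"version": "IKEv1", "peer": m.group(1), "port": None, "role": None, "state": None}
            records.append(current)
            continue
        if current is not None and current["version"] == "IKEv1":
            # the two indented lines after an IKEv1 peer carry its role and state
            r, s = ROLE_RE.search(line), STATE_RE.search(line)
            if r:
                current["role"] = r.group(1)
            if s:
                current["state"] = s.group(1)
            if line.startswith("IKEv2"):
                current = None
        m = V2_RE.match(line)
        if m:
            _, _, _, peer, port, status, role = m.groups()
            records.append({"version": "IKEv2", "peer": peer, "port": int(port),
                            "role": role.lower(), "state": status})
            current = None
    return records


def peer_present(records, prefix):
    """True if any SA exists toward a peer whose address starts with prefix (e.g. '203.0.113.52')."""
    return any(rec["peer"].startswith(prefix) for rec in records)


def nat_t_peers(records):
    """Peers whose IKEv2 SA runs on UDP 4500, i.e. NAT-T was negotiated on the path."""
    return [rec["peer"] for rec in records if rec["port"] == 4500]


if __name__ == "__main__":
    recs = parse_isakmp_sa(SAMPLE_SHOW)
    for rec in recs:
        print(rec)
    print("partner present:", peer_present(recs, "203.0.113.52"))
    print("NAT-T peers:", nat_t_peers(recs))
```

Run against real output, an absent partner prefix confirms what the post says by eye: no SA, not even a half-open one, exists toward the peer while the ASA is retransmitting. The NAT-T list is the answer to the question about ports 500 and 4500 that comes up next in the thread: a peer on 4500 means NAT was detected between the two gateways, so that pair deserves a closer look at the NAT device's UDP timeouts and translation behaviour.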

1- debug crypto condition peer x.x.x.x
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

2- show crypto ikev2 stats

3- ciscoasa(config)# show crypto ipsec stats

Share the output of the above commands.
Note: the condition we use on the router lets us see only the debug for the specific peer.
Note: the condition with the reset keyword returns the condition to the default (all peers, all conditions).
Note: for the debugs, don't use both commands at the same time; use one debug, capture the packets, then disable it and run the other one. This makes it easy for us to see two separate debugs rather than a mix.

Also, I reviewed the info you shared. I see there are 4500 and 500 UDP ports. Is this ASA behind a NAT device? Is this ASA behind another FW device?

Thanks for waiting
MHM

@MHM Cisco World When I get permission to bring the tunnel down again and we are having the issues, I'll catch those logs for you. Right now it's up and the development team needs it to stay up. As for the ASA being behind a NAT device, no, not that I'm aware of. We are in a dedicated data center and they route traffic to us, but I don't believe there is any NATing before us. There isn't another firewall doing any filtering before us either. As for the PA side, I'm unsure.