07-22-2017 11:17 PM
Hi,
Recently I migrated from an old ASA firewall to a new ASA 5525X... all tunnels are working fine except the tunnel with AWS. I am getting error messages on PRTG:
10.0.200.11(AWS) Ping 15 (Ping) Down ESCALATION (Request timed out (ICMP error # 11010))
The tunnel with AWS has been UP for 18 hours, but these messages keep coming and I am not able to access the services on AWS.
In the ASA log I got this message:
IPSEC: Received an ESP packet (SPI= 0xF3FA3CB9, sequence number= 0xA2) from 1.1.1.1 AWS LIVE IP (user= 1.1.1.1) to FW-Outside-2.2.2.2 The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as UTIL-172.20.10.82, its source as 10.0.200.10, and its protocol as icmp. The SA specifies its local proxy as User-VLAN-192.168.1.0/255.255.255.0/ip/0 and its remote_proxy as VPC_Subnet/255.255.0.0/ip/0.
Note: I replaced the live IPs of AWS and the firewall with 1.1.1.1 & 2.2.2.2.
RMGVASA01/act/pri# sh crypto ipsec sa peer 1.1.1.1
peer address: 1.1.1.1
Crypto map tag: dyn-map, seq num: 4, local addr: FW-Outside-2.2.2.2
access-list acl-amzn extended permit ip 172.20.10.0 255.255.255.0 10.0.0.0 255.255.0.0
local ident (addr/mask/prot/port): (Server-VLAN-172.20.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPC_Subnet/255.255.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 75770, #pkts encrypt: 75770, #pkts digest: 75770
#pkts decaps: 59437, #pkts decrypt: 58542, #pkts verify: 58542
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 75770, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 895
local crypto endpt.: FW-Outside-2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F80FFE30
current inbound spi : D1CE0C2E
inbound esp sas:
spi: 0xD1CE0C2E (3519941678)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373880/2072)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFF7FF 0xFFFDFFFF 0xFDFFBFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF80FFE30 (4161797680)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373845/2072)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
Crypto map tag: dyn-map, seq num: 4, local addr: FW-Outside-2.2.2.2
access-list acl-amzn extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
local ident (addr/mask/prot/port): (User-VLAN-192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPC_Subnet/255.255.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 3976, #pkts encrypt: 3976, #pkts digest: 3976
#pkts decaps: 19408, #pkts decrypt: 4045, #pkts verify: 4045
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3976, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 15363
local crypto endpt.: FW-Outside-2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D8236A04
current inbound spi : F3FA3CB9
inbound esp sas:
spi: 0xF3FA3CB9 (4093263033)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373972/211)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00100000 0x00000000 0x000001FD 0xC0000000
outbound esp sas:
spi: 0xD8236A04 (3626199556)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373967/211)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
Crypto map tag: dyn-map, seq num: 4, local addr: FW-Outside-2.2.2.2
access-list acl-amzn extended permit ip 192.168.58.0 255.255.255.0 10.0.0.0 255.255.0.0
local ident (addr/mask/prot/port): (WiFi-192.168.58.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPC_Subnet/255.255.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
#pkts decaps: 1612, #pkts decrypt: 113, #pkts verify: 113
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 137, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 1499
local crypto endpt.: FW-Outside-2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A1D1F683
current inbound spi : 944B27C3
inbound esp sas:
spi: 0x944B27C3 (2487953347)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4374000/2713)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
outbound esp sas:
spi: 0xA1D1F683 (2714891907)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4374000/2713)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
07-25-2017 01:32 PM
Hi hashimwajid1,
The issue seems more likely to be on the AWS side. AWS is sending the traffic with the wrong SPI. According to the error message, AWS is sending the packet with SPI=0xF3FA3CB9:
IPSEC: Received an ESP packet (SPI= 0xF3FA3CB9, sequence number= 0xA2) from 1.1.1.1 AWS LIVE IP (user= 1.1.1.1) to FW-Outside-2.2.2.2 The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as UTIL-172.20.10.82, its source as 10.0.200.10, and its protocol as icmp. The SA specifies its local proxy as User-VLAN-192.168.1.0/255.255.255.0/ip/0 and its remote_proxy as VPC_Subnet/255.255.0.0/ip/0.
which is the INBOUND SPI for:
local ident (addr/mask/prot/port): (User-VLAN-192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPC_Subnet/255.255.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 3976, #pkts encrypt: 3976, #pkts digest: 3976
#pkts decaps: 19408, #pkts decrypt: 4045, #pkts verify: 4045
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3976, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 15363
local crypto endpt.: FW-Outside-2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D8236A04
current inbound spi : F3FA3CB9
inbound esp sas:
spi: 0xF3FA3CB9 (4093263033)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373972/211)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00100000 0x00000000 0x000001FD 0xC0000000
outbound esp sas:
spi: 0xD8236A04 (3626199556)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373967/211)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
It should be:
inbound esp sas:
spi: 0xD1CE0C2E (3519941678)
You need to check your AWS side settings.
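The proxy-identity check that the reply works through by hand, as an added example (not code from the thread or from Cisco): it pulls each inbound SPI and its ACL selector out of the `show crypto ipsec sa peer` output quoted above, replays the ASA's check on the inner packet from the syslog line, and reports which SA's selectors that packet would actually have matched. The reduced output excerpt and the log line are constructed from the values posted in the thread.

```python
import ipaddress
import re

# Constructed sample: the three per-ACL sections of the posted `show crypto ipsec sa peer`
# output, reduced to the two lines this check needs (ACL selector and current inbound SPI).
SHOW_SA = """\
access-list acl-amzn extended permit ip 172.20.10.0 255.255.255.0 10.0.0.0 255.255.0.0
current inbound spi : D1CE0C2E
access-list acl-amzn extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
current inbound spi : F3FA3CB9
access-list acl-amzn extended permit ip 192.168.58.0 255.255.255.0 10.0.0.0 255.255.0.0
current inbound spi : 944B27C3
"""

# The ASA syslog line from the thread (live IPs already replaced by 1.1.1.1 / 2.2.2.2).
LOG = ("IPSEC: Received an ESP packet (SPI= 0xF3FA3CB9, sequence number= 0xA2) from 1.1.1.1 "
       "(user= 1.1.1.1) to FW-Outside-2.2.2.2 The decapsulated inner packet doesn't match the "
       "negotiated policy in the SA. The packet specifies its destination as UTIL-172.20.10.82, "
       "its source as 10.0.200.10, and its protocol as icmp.")

ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")
SPI_RE = re.compile(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)")
# Object names such as UTIL- or User-VLAN- may prefix the address; keep only the dotted quad.
LOG_RE = re.compile(r"SPI= 0x([0-9A-Fa-f]+).*destination as \S*?(\d+(?:\.\d+){3}), "
                    r"its source as \S*?(\d+(?:\.\d+){3})")

def parse_sas(text):
    """Map each inbound SPI to the (local, remote) networks its ACL entry negotiated."""
    sas, acl = {}, None
    for line in text.splitlines():
        if m := ACL_RE.search(line):
            acl = (ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}"))
        elif (m := SPI_RE.search(line)) and acl:
            sas[int(m[1], 16)] = acl
    return sas

def diagnose(sa_text, log_line):
    """Replay the ASA's proxy-identity check for an inbound ESP packet and list the SA(s)
    whose selectors the inner packet does match, i.e. the inbound SPI the peer should have used."""
    sas = parse_sas(sa_text)
    m = LOG_RE.search(log_line)
    spi, dst, src = int(m[1], 16), ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
    local, remote = sas[spi]
    # Inbound direction: inner source must lie in the remote proxy, inner destination in the local proxy.
    policy_match = src in remote and dst in local
    expected = [s for s, (loc, rem) in sas.items() if src in rem and dst in loc]
    return {"spi": spi, "policy_match": policy_match, "expected_spi": expected}
```

For the posted log line the result is `policy_match` False on SPI 0xF3FA3CB9 and `expected_spi` [0xD1CE0C2E], the inbound SPI of the Server-VLAN SA, matching the reply's conclusion.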