
Child SA Cisco ASA IKEv2

bluesea2010
Level 5

Hi,

I have multiple networks in site 1:

1) 172.10.10.0/24
2) 172.10.20.0/24

Site 2:

172.16.10.0/24
192.168.2.0/24

From 172.16.10.0/24 I can reach 172.10.20.0/24.

From 172.16.10.0/24 I can't reach 172.10.10.0/24.

It was working before. Everything like ACLs is in place,

but show crypto ipsec sa does not show any child SA between 172.16.10.0 and 172.10.10.0/24.

Please help


@bluesea2010 with a policy-based VPN you need to generate interesting traffic between the 172.16.10.0 and 172.10.10.0 networks for the IPsec SA to be established. These SAs will be cleared down if idle and no traffic is sent over the tunnel for a period. So just try to generate traffic and see if the tunnel establishes. If not, please enable IKEv2 debugs and provide the output for review.


Hi @Rob Ingram 

I sent continuous traffic, but no child SA is created, only for these networks. Could you please tell me which command needs to be run.

Thanks

@bluesea2010 you can just run a ping from an IP address on 172.16.10.x to 172.10.10.x.

If the tunnel was working before, has anything changed?

Turn on IKEv2 debugs and provide the output for review.

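As an added example (not code from either poster), a small Python parser for the ASA `show crypto ipsec sa` output that answers the two questions above mechanically: does a child SA exist for the 172.16.10.0/24 to 172.10.10.0/24 selector pair, and is any existing child SA carrying traffic in only one direction (packets encapsulated but almost none decapsulated). The sample output embedded in it is constructed in the ASA format from the networks named in this thread; the packet counters and the IT_LAN object name are illustrative, and the peer/local placeholders are the thread's own.

```python
"""Parse Cisco ASA `show crypto ipsec sa` output and sanity-check child SAs.

Added example, not from the thread's posters. SAMPLE_SHOW_IPSEC_SA is a
constructed fragment in the ASA output format: selectors follow the thread,
counters and the IT_LAN object name are illustrative.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# ASA prints a network object name instead of an address when one is
# configured (the thread shows "(IT_LAN/255.255.255.0/0/0)"), so a selector
# is either a parsed network or the raw object name.
Selector = Union[ipaddress.IPv4Network, str]

SAMPLE_SHOW_IPSEC_SA = """\
peer address: RemotePeerIp
    Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.10.20.0/255.255.255.0/0/0)
      current_peer: RemotePeerIp

      #pkts encaps: 548181, #pkts encrypt: 548181, #pkts digest: 548181
      #pkts decaps: 727753, #pkts decrypt: 727753, #pkts verify: 727753

    Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

      local ident (addr/mask/prot/port): (IT_LAN/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.10.20.0/255.255.255.0/0/0)
      current_peer: RemotePeerIp

      #pkts encaps: 10712, #pkts encrypt: 10712, #pkts digest: 10712
      #pkts decaps: 15257, #pkts decrypt: 15257, #pkts verify: 15257

    Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.10.20.0/255.255.255.0/0/0)
      current_peer: RemotePeerIp

      #pkts encaps: 4072410, #pkts encrypt: 4072410, #pkts digest: 4072410
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""


@dataclass
class ChildSA:
    local: Selector
    remote: Selector
    encaps: int   # packets this ASA encrypted and sent into the tunnel
    decaps: int   # packets received from the peer and decrypted


_IDENT = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\)")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")


def _selector(addr: str, mask: str) -> Selector:
    """Turn 'addr' + dotted mask into a network; keep object names as text."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return addr


def parse_ipsec_sa(text: str) -> List[ChildSA]:
    """One ChildSA per 'Crypto map tag:' block that has both idents and counters."""
    sas: List[ChildSA] = []
    for block in re.split(r"(?=Crypto map tag:)", text):
        idents = {m.group(1): _selector(m.group(2), m.group(3))
                  for m in _IDENT.finditer(block)}
        enc, dec = _ENCAPS.search(block), _DECAPS.search(block)
        if "local" in idents and "remote" in idents and enc and dec:
            sas.append(ChildSA(idents["local"], idents["remote"],
                               int(enc.group(1)), int(dec.group(1))))
    return sas


def find_sa(sas: List[ChildSA], local_cidr: str, remote_cidr: str) -> Optional[ChildSA]:
    """Return the child SA whose selectors cover local_cidr -> remote_cidr, if any."""
    want_l, want_r = ipaddress.ip_network(local_cidr), ipaddress.ip_network(remote_cidr)
    for sa in sas:
        if (isinstance(sa.local, ipaddress.IPv4Network)
                and isinstance(sa.remote, ipaddress.IPv4Network)
                and want_l.subnet_of(sa.local) and want_r.subnet_of(sa.remote)):
            return sa
    return None


def one_way_sas(sas: List[ChildSA], min_pkts: int = 100) -> List[ChildSA]:
    """Flag SAs where one direction carries under 1% of the other's packets.

    Encaps with (almost) no decaps means the peer never answers: a missing
    return route or a mismatched selector on the far side, not a crypto fault.
    """
    flagged = []
    for sa in sas:
        hi, lo = max(sa.encaps, sa.decaps), min(sa.encaps, sa.decaps)
        if hi >= min_pkts and lo * 100 < hi:
            flagged.append(sa)
    return flagged


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_SHOW_IPSEC_SA)
    print("SA for 172.16.10.0/24 -> 172.10.10.0/24:",
          find_sa(sas, "172.16.10.0/24", "172.10.10.0/24"))
    for sa in one_way_sas(sas):
        print(f"one-way: {sa.local} -> {sa.remote} "
              f"encaps={sa.encaps} decaps={sa.decaps}")
```

Feed it the real `show crypto ipsec sa peer <ip>` output instead of the sample: a `None` from `find_sa` confirms no child SA was ever negotiated for the pair, which is the symptom in this thread, while the one-way list points at selector pairs that have an SA but are not getting replies.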
Hi @Rob Ingram 


~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2022.10.19 09:11:04 =~=~=~=~=~=~=~=~=~=~=~=
debug crypto condition peer RemotePeerIp

company-Internet-FW# debug crypto ikev2 protocol 127

company-Internet-FW# IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-5: (1256): Action: Action_Null
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-2: (1256): Sending DPD/liveness query
IKEv2-PROTO-2: (1256): Building packet for encryption.
IKEv2-PROTO-2: (1256): Checking if request will fit in peer window
(1256):
IKEv2-PROTO-2: (1256): Sending Packet [To RemotePeerIp:500/From LocalOutsideinterfaceIP:500/VRF i0:f0]
(1256): Initiator SPI : 592C450F22ECBC8D - Responder SPI : 492BDCE90B161B62 Message id: 1613
(1256): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-3: (1256): Next payload: ENCR, version: 2.0 (1256): Exchange type: INFORMATIONAL, flags: RESPONDER (1256): Message id: 1613, length: 80(1256):
Payload contents:
(1256): ENCR(1256): Next payload: NONE, reserved: 0x0, length: 52
(1256): Encrypted data: 48 bytes
(1256):
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064D CurState: INFO_I_WAIT Event: EV_NO_EVENT
(1256):
IKEv2-PROTO-2: (1256): Received Packet [From RemotePeerIp:500/To LocalOutsideinterfaceIP:500/VRF i0:f0]
(1256): Initiator SPI : 592C450F22ECBC8D - Responder SPI : 492BDCE90B161B62 Message id: 1613
(1256): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-3: (1256): Next payload: ENCR, version: 2.0 (1256): Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE (1256): Message id: 1613, length: 80(1256):
Payload contents:
(1256): REAL Decrypted packet:(1256): Data: 0 bytes
(1256):
(1256): Decrypted packet:(1256): Data: 80 bytes
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064D CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (1256): Processing ACK to informational exchange
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064D CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064D CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-5: (1256): Processed response with message id 1613, Requests can be sent from range 1614 to 1614
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064D CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064D CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (1256): Deleting negotiation context for my message ID: 0x64d
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-5: (1256): Action: Action_Null
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-2: (1256): Sending DPD/liveness query
IKEv2-PROTO-2: (1256): Building packet for encryption.
IKEv2-PROTO-2: (1256): Checking if request will fit in peer window
(1256):
IKEv2-PROTO-2: (1256): Sending Packet [To RemotePeerIp:500/From LocalOutsideinterfaceIP:500/VRF i0:f0]
(1256): Initiator SPI : 592C450F22ECBC8D - Responder SPI : 492BDCE90B161B62 Message id: 1614
(1256): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-3: (1256): Next payload: ENCR, version: 2.0 (1256): Exchange type: INFORMATIONAL, flags: RESPONDER (1256): Message id: 1614, length: 80(1256):
Payload contents:
(1256): ENCR(1256): Next payload: NONE, reserved: 0x0, length: 52
(1256): Encrypted data: 48 bytes
(1256):
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064E CurState: INFO_I_WAIT Event: EV_NO_EVENT
(1256):
IKEv2-PROTO-2: (1256): Received Packet [From RemotePeerIp:500/To LocalOutsideinterfaceIP:500/VRF i0:f0]
(1256): Initiator SPI : 592C450F22ECBC8D - Responder SPI : 492BDCE90B161B62 Message id: 1614
(1256): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-3: (1256): Next payload: ENCR, version: 2.0 (1256): Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE (1256): Message id: 1614, length: 80(1256):
Payload contents:
(1256): REAL Decrypted packet:(1256): Data: 0 bytes
(1256):
(1256): Decrypted packet:(1256): Data: 80 bytes
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064E CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (1256): Processing ACK to informational exchange
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064E CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064E CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-5: (1256): Processed response with message id 1614, Requests can be sent from range 1615 to 1615
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064E CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064E CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (1256): Deleting negotiation context for my message ID: 0x64e
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-5: (1256): Action: Action_Null
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-2: (1256): Sending DPD/liveness query
IKEv2-PROTO-2: (1256): Building packet for encryption.
IKEv2-PROTO-2: (1256): Checking if request will fit in peer window
(1256):
IKEv2-PROTO-2: (1256): Sending Packet [To RemotePeerIp:500/From LocalOutsideinterfaceIP:500/VRF i0:f0]
(1256): Initiator SPI : 592C450F22ECBC8D - Responder SPI : 492BDCE90B161B62 Message id: 1615
(1256): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-3: (1256): Next payload: ENCR, version: 2.0 (1256): Exchange type: INFORMATIONAL, flags: RESPONDER (1256): Message id: 1615, length: 80(1256):
Payload contents:
(1256): ENCR(1256): Next payload: NONE, reserved: 0x0, length: 52
(1256): Encrypted data: 48 bytes
(1256):
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064F CurState: INFO_I_WAIT Event: EV_NO_EVENT
(1256):
IKEv2-PROTO-2: (1256): Received Packet [From RemotePeerIp:500/To LocalOutsideinterfaceIP:500/VRF i0:f0]
(1256): Initiator SPI : 592C450F22ECBC8D - Responder SPI : 492BDCE90B161B62 Message id: 1615
(1256): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-3: (1256): Next payload: ENCR, version: 2.0 (1256): Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE (1256): Message id: 1615, length: 80(1256):
Payload contents:
(1256): REAL Decrypted packet:(1256): Data: 0 bytes
(1256):
(1256): Decrypted packet:(1256): Data: 80 bytes
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064F CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (1256): Processing ACK to informational exchange
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064F CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064F CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-5: (1256): Processed response with message id 1615, Requests can be sent from range 1616 to 1616
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064F CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 0000064F CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (1256): Deleting negotiation context for my message ID: 0x64f
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-5: (1256): Action: Action_Null
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-2: (1256): Sending DPD/liveness query
IKEv2-PROTO-2: (1256): Building packet for encryption.
IKEv2-PROTO-2: (1256): Checking if request will fit in peer window
(1256):
IKEv2-PROTO-2: (1256): Sending Packet [To RemotePeerIp:500/From LocalOutsideinterfaceIP:500/VRF i0:f0]
(1256): Initiator SPI : 592C450F22ECBC8D - Responder SPI : 492BDCE90B161B62 Message id: 1616
(1256): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-3: (1256): Next payload: ENCR, version: 2.0 (1256): Exchange type: INFORMATIONAL, flags: RESPONDER (1256): Message id: 1616, length: 80(1256):
Payload contents:
(1256): ENCR(1256): Next payload: NONE, reserved: 0x0, length: 52
(1256): Encrypted data: 48 bytes
(1256):
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000650 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(1256):
IKEv2-PROTO-2: (1256): Received Packet [From RemotePeerIp:500/To LocalOutsideinterfaceIP:500/VRF i0:f0]
(1256): Initiator SPI : 592C450F22ECBC8D - Responder SPI : 492BDCE90B161B62 Message id: 1616
(1256): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-3: (1256): Next payload: ENCR, version: 2.0 (1256): Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE (1256): Message id: 1616, length: 80(1256):
Payload contents:
(1256): REAL Decrypted packet:(1256): Data: 0 bytes
(1256):
(1256): Decrypted packet:(1256): Data: 80 bytes
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000650 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (1256): Processing ACK to informational exchange
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000650 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000650 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-5: (1256): Processed response with message id 1616, Requests can be sent from range 1617 to 1617
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000650 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000650 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (1256): Deleting negotiation context for my message ID: 0x650
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-5: (1256): Action: Action_Null
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-2: (1256): Sending DPD/liveness query
IKEv2-PROTO-2: (1256): Building packet for encryption.
IKEv2-PROTO-2: (1256): Checking if request will fit in peer window
(1256):
IKEv2-PROTO-2: (1256): Sending Packet [To RemotePeerIp:500/From LocalOutsideinterfaceIP:500/VRF i0:f0]
(1256): Initiator SPI : 592C450F22ECBC8D - Responder SPI : 492BDCE90B161B62 Message id: 1617
(1256): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-3: (1256): Next payload: ENCR, version: 2.0 (1256): Exchange type: INFORMATIONAL, flags: RESPONDER (1256): Message id: 1617, length: 80(1256):
Payload contents:
(1256): ENCR(1256): Next payload: NONE, reserved: 0x0, length: 52
(1256): Encrypted data: 48 bytes
(1256):
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000651 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(1256):
IKEv2-PROTO-2: (1256): Received Packet [From RemotePeerIp:500/To LocalOutsideinterfaceIP:500/VRF i0:f0]
(1256): Initiator SPI : 592C450F22ECBC8D - Responder SPI : 492BDCE90B161B62 Message id: 1617
(1256): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-3: (1256): Next payload: ENCR, version: 2.0 (1256): Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE (1256): Message id: 1617, length: 80(1256):
Payload contents:
(1256): REAL Decrypted packet:(1256): Data: 0 bytes
(1256):
(1256): Decrypted packet:(1256): Data: 80 bytes
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000651 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (1256): Processing ACK to informational exchange
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000651 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000651 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-5: (1256): Processed response with message id 1617, Requests can be sent from range 1618 to 1618
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000651 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (1256): SM Trace-> SA: I_SPI=592C450F22ECBC8D R_SPI=492BDCE90B161B62 (I) MsgID = 00000651 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (1256): Deleting negotiation context for my message ID: 0x651
undebug all

company-Internet-FW#

company-Internet-FW# debug crypto condition peer RemotePeerIp

company-Internet-FW# debug crypto ikev2 platform 127

company-Internet-FW# IKEv2-PLAT-3: (1256): SENT PKT [INFORMATIONAL] [OUTSIDE-newIP-18]:500->[RemotePeerIp]:500 InitSPI=0x592c450f22ecbc8d RespSPI=0x492bdce90b161b62 MID=00000653
IKEv2-PLAT-2: (1256): Crypto map company seq 1 peer doesn't match map entry
IKEv2-PLAT-2: (1256): PROXY MATCH on crypto map company seq 3
IKEv2-PLAT-3: (1256): SENT PKT [CREATE_CHILD_SA] [OUTSIDE-newIP-18]:500->[RemotePeerIp]:500 InitSPI=0x592c450f22ecbc8d RespSPI=0x492bdce90b161b62 MID=00000025
IKEv2-PLAT-2: (1256): Base MTU get: 0
IKEv2-PLAT-2: (1256): Base MTU get: 0
IKEv2-PLAT-3: (1256): SENT PKT [INFORMATIONAL] [LocalOutsideinterfaceIP]:500->[RemotePeerIp]:500 InitSPI=0x592c450f22ecbc8d RespSPI=0x492bdce90b161b62 MID=00000026
IKEv2-PLAT-3: (1256): SENT PKT [INFORMATIONAL] [LocalOutsideinterfaceIP]:500->[RemotePeerIp]:500 InitSPI=0x592c450f22ecbc8d RespSPI=0x492bdce90b161b62 MID=00000654
IKEv2-PLAT-3: (1256): SENT PKT [INFORMATIONAL] [LocalOutsideinterfaceIP]:500->[RemotePeerIp]:500 InitSPI=0x592c450f22ecbc8d RespSPI=0x492bdce90b161b62 MID=00000655
IKEv2-PLAT-2: (5835): Crypto map company seq 1 peer doesn't match map entry
IKEv2-PLAT-2: (5835): PROXY MATCH on crypto map company seq 3
IKEv2-PLAT-3: (5835): SENT PKT [CREATE_CHILD_SA] [LocalOutsideinterfaceIP]:500->[RemotePeerIp]:500 InitSPI=0xac6600768cd949f9 RespSPI=0x6e81357d9748de2f MID=00000093
IKEv2-PLAT-2: (5835): Base MTU get: 0
IKEv2-PLAT-2: (5835): Base MTU get: 0
IKEv2-PLAT-3: (5835): SENT PKT [INFORMATIONAL] [LocalOutsideinterfaceIP]:500->[RemotePeerIp]:500 InitSPI=0xac6600768cd949f9 RespSPI=0x6e81357d9748de2f MID=00000094
IKEv2-PLAT-3: (1256): SENT PKT [INFORMATIONAL] [LocalOutsideinterfaceIP]:500->[RemotePeerIp]:500 InitSPI=0x592c450f22ecbc8d RespSPI=0x492bdce90b161b62 MID=00000656
IKEv2-PLAT-3: (1256): SENT PKT [INFORMATIONAL] [LocalOutsideinterfaceIP]:500->[RemotePeerIp]:500 InitSPI=0x592c450f22ecbc8d RespSPI=0x492bdce90b161b62 MID=00000657
IKEv2-PLAT-3: (1256): SENT PKT [INFORMATIONAL] [LocalOutsideinterfaceIP]:500->[RemotePeerIp]:500 InitSPI=0x592c450f22ecbc8d RespSPI=0x492bdce90b161b62 MID=00000658
IKEv2-PLAT-3: (1256): SENT PKT [INFORMATIONAL] [LocalOutsideinterfaceIP]:500->[RemotePeerIp]:500 InitSPI=0x592c450f22ecbc8d RespSPI=0x492bdce90b161b62 MID=00000659
IKEv2-PLAT-3: (1256): SENT PKT [INFORMATIONAL] [LocalOutsideinterfaceIP]:500->[RemotePeerIp]:500 InitSPI=0x592c450f22ecbc8d RespSPI=0x492bdce90b161b62 MID=0000065a
undebug all

company-Internet-FW#

company-Internet-FW# undebug all

company-Internet-FW# show crypto ikev2 sa


IKEv2 SAs:

Session-id:6916, Status:UP-ACTIVE, IKE count:2, CHILD count:13

Tunnel-id Local Remote Status Role
329374905 LocalOutsideinterfaceIP/500 RemotePeerIp/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/16191 sec

Tunnel-id Local Remote Status Role
1529811553 LocalOutsideinterfaceIP/500 RemotePeerIp/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/26835 sec
Child sa: local selector 192.168.10.0/0 - 192.168.10.255/65535
remote selector 172.21.22.0/0 - 172.21.22.255/65535
ESP spi in/out: 0x418fb7f4/0xc42c3fc3
Child sa: local selector 192.168.35.0/0 - 192.168.35.255/65535
remote selector 172.21.22.0/0 - 172.21.22.255/65535
ESP spi in/out: 0xcf0ad449/0xc6afbd50
Child sa: local selector 192.168.35.0/0 - 192.168.35.255/65535
remote selector 172.21.21.0/0 - 172.21.21.255/65535
ESP spi in/out: 0x84bf2cf7/0xcfa709f5
Child sa: local selector 192.168.8.0/0 - 192.168.8.255/65535
remote selector 172.21.23.0/0 - 172.21.23.255/65535
ESP spi in/out: 0xc76fa39c/0xc43ac01a
Child sa: local selector 192.168.8.0/0 - 192.168.8.255/65535
remote selector 172.21.21.0/0 - 172.21.21.255/65535
ESP spi in/out: 0x74b8c810/0xc9308ff4
Child sa: local selector 192.168.10.0/0 - 192.168.10.255/65535
remote selector 172.21.23.0/0 - 172.21.23.255/65535
ESP spi in/out: 0x7b30e001/0xc9518533
Child sa: local selector 172.16.10.0/0 - 172.16.10.255/65535
remote selector 172.21.21.0/0 - 172.21.21.255/65535
ESP spi in/out: 0x76c04ece/0xcca74400
Child sa: local selector 192.168.2.0/0 - 192.168.2.255/65535
remote selector 172.21.21.0/0 - 172.21.21.255/65535
ESP spi in/out: 0x831b96c7/0xcf6941e9
Child sa: local selector 172.16.10.0/0 - 172.16.10.255/65535
remote selector 172.21.22.0/0 - 172.21.22.255/65535
ESP spi in/out: 0xf84e9a61/0xc89476db
Child sa: local selector 192.168.8.0/0 - 192.168.8.255/65535
remote selector 172.21.22.0/0 - 172.21.22.255/65535
ESP spi in/out: 0x1ecf9f5a/0xc1129d1a
Child sa: local selector 10.0.2.0/0 - 10.0.2.255/65535
remote selector 172.21.22.0/0 - 172.21.22.255/65535
ESP spi in/out: 0xb62a9755/0xcb4ef06c
Child sa: local selector 192.168.10.0/0 - 192.168.10.255/65535
remote selector 172.21.21.0/0 - 172.21.21.255/65535
ESP spi in/out: 0x33c0cf62/0xc06dc49e
Child sa: local selector 192.168.2.0/0 - 192.168.2.255/65535
remote selector 172.21.22.0/0 - 172.21.22.255/65535
ESP spi in/out: 0xb7dbeec9/0xc4d663bf

company-Internet-FW# show crypto ipsec sa peer RemotePeerIp
peer address: RemotePeerIp
Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 10.0.2.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (IT_LAN/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 10712, #pkts encrypt: 10712, #pkts digest: 10712
#pkts decaps: 15257, #pkts decrypt: 15257, #pkts verify: 15257
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10712, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CB4EF06C
current inbound spi : B62A9755
inbound esp sas:
spi: 0xB62A9755 (3056244565)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79224832, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (89084020/1028)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCB4EF06C (3410948204)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79224832, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (94207695/1028)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 172.16.10.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 4072410, #pkts encrypt: 4072410, #pkts digest: 4072410
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4072410, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C4E52459
current inbound spi : C6E755F1

inbound esp sas:
spi: 0xC6E755F1 (3337049585)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 74665984, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (94207999/0)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xC4E52459 (3303351385)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 74665984, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (88848255/0)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 172.16.10.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10862, #pkts decrypt: 10862, #pkts verify: 10862
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C89476DB
current inbound spi : F84E9A61

inbound esp sas:
spi: 0xF84E9A61 (4165900897)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (87039970/1038)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xF7DFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC89476DB (3365172955)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (92160000/1038)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 172.16.10.0 255.255.255.0 172.21.21.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.21.0/255.255.255.0/0/0)
current_peer: RemotePeerIp

#pkts encaps: 548181, #pkts encrypt: 548181, #pkts digest: 548181
#pkts decaps: 727753, #pkts decrypt: 727753, #pkts verify: 727753
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 548181, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CCA74400
current inbound spi : 76C04ECE

inbound esp sas:
spi: 0x76C04ECE (1992314574)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (91131619/1587)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFF3FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCCA74400 (3433513984)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (90109894/1587)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 192.168.2.0 255.255.255.0 172.21.21.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.21.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 464257, #pkts encrypt: 464257, #pkts digest: 464257
#pkts decaps: 802045, #pkts decrypt: 802045, #pkts verify: 802045
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 464257, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CF6941E9
current inbound spi : 831B96C7

inbound esp sas:
spi: 0x831B96C7 (2199623367)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (96254344/1323)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCF6941E9 (3479781865)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (91134975/1322)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 192.168.2.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 128060, #pkts encrypt: 128060, #pkts digest: 128060
#pkts decaps: 190074, #pkts decrypt: 190074, #pkts verify: 190074
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 128060, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CFBD0C2D
current inbound spi : ED2FFD3F

inbound esp sas:
spi: 0xED2FFD3F (3979345215)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (95231963/3592)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFDFFFF
outbound esp sas:
spi: 0xCFBD0C2D (3485273133)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (92159983/3592)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 192.168.8.0 255.255.255.0 172.21.21.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.21.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 156425, #pkts encrypt: 156425, #pkts digest: 156425
#pkts decaps: 285118, #pkts decrypt: 285118, #pkts verify: 285118
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 156425, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C9308FF4
current inbound spi : 74B8C810

inbound esp sas:
spi: 0x74B8C810 (1958266896)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (89087635/2333)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC9308FF4 (3375402996)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (90111794/2333)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 192.168.8.0 255.255.255.0 172.21.23.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.23.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 227084, #pkts encrypt: 227084, #pkts digest: 227084
#pkts decaps: 253435, #pkts decrypt: 253435, #pkts verify: 253435
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 227084, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C43AC01A
current inbound spi : C76FA39C

inbound esp sas:
spi: 0xC76FA39C (3345982364)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (94205851/2383)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFF7FFF
outbound esp sas:
spi: 0xC43AC01A (3292184602)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (93182571/2383)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 192.168.8.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 10710, #pkts encrypt: 10719, #pkts digest: 10719
#pkts decaps: 13310, #pkts decrypt: 13310, #pkts verify: 13310
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10710, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 9, #pre-frag failures: 0, #fragments created: 18
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C1129D1A
current inbound spi : 1ECF9F5A

inbound esp sas:
spi: 0x1ECF9F5A (516923226)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (90111256/1029)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1129D1A (3239222554)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (93183678/1029)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 172.21.21.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.21.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 353596, #pkts encrypt: 353596, #pkts digest: 353596
#pkts decaps: 536028, #pkts decrypt: 536028, #pkts verify: 536028
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 353596, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C06DC49E
current inbound spi : 33C0CF62

inbound esp sas:
spi: 0x33C0CF62 (868274018)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79224832, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (93173901/964)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC06DC49E (3228419230)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79224832, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (92147120/964)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 96414, #pkts encrypt: 96414, #pkts digest: 96414
#pkts decaps: 105645, #pkts decrypt: 105645, #pkts verify: 105645
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 96414, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C42C3FC3
current inbound spi : 418FB7F4

inbound esp sas:
spi: 0x418FB7F4 (1099937780)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (90111930/3493)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC42C3FC3 (3291234243)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (95231955/3493)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 172.21.23.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.23.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 53, #pkts encrypt: 53, #pkts digest: 53
#pkts decaps: 123, #pkts decrypt: 123, #pkts verify: 123
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 53, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C9518533
current inbound spi : 7B30E001

inbound esp sas:
spi: 0x7B30E001 (2066800641)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79224832, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (89087852/2167)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC9518533 (3377562931)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79224832, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (94207997/2167)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 192.168.35.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.35.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 7532, #pkts encrypt: 7532, #pkts digest: 7532
#pkts decaps: 10082, #pkts decrypt: 10082, #pkts verify: 10082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7532, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C6AFBD50
current inbound spi : CF0AD449
inbound esp sas:
spi: 0xCF0AD449 (3473593417)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79224832, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (95231997/3476)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000FFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC6AFBD50 (3333406032)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79224832, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (96255998/3476)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 192.168.35.0 255.255.255.0 172.21.21.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.35.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.21.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 420874, #pkts encrypt: 420874, #pkts digest: 420874
#pkts decaps: 914209, #pkts decrypt: 914209, #pkts verify: 914209
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 420874, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: RemotePeerIp/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CFA709F5
current inbound spi : 84BF2CF7

inbound esp sas:
spi: 0x84BF2CF7 (2227121399)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (89087612/3188)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCFA709F5 (3483830773)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: company
sa timing: remaining key lifetime (kB/sec): (96255830/3188)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001


company-Internet-FW#

company-Internet-FW# undebug all

company-Internet-FW# sh vpn-sessiondb detail l2l filter name RemotePeerIp
INFO: There are presently no active sessions of the type specified


Hi

I have attached the debug file

Thanks

@Rob Ingram mentioned that the tunnel's Child SA is created when there is traffic, and hence if the child SA is not created then the traffic does not pass.
You mention that you ran continuous traffic, so the issue is routing.
Check the RIB to see if the egress interface to 172.10.10.0/24 is the interface you configured crypto under.
Do:
show ip route 172.10.10.0/24 longest

Also check the NAT; the encrypt and decrypt counters are sometimes missing when we include the remote LAN in the ACL of the overload NAT.

Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 172.16.10.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: RemotePeerIp


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10862, #pkts decrypt: 10862, #pkts verify: 10862
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

 

IKEv2-PLAT-2: (1256): Crypto map company seq 1 peer doesn't match map entry
IKEv2-PLAT-2: (1256): PROXY MATCH on crypto map company seq 3

 

The debug shows a proxy match on seq 3.
Crypto map seq 3 shows only pkts decaps, not encaps,
but crypto map seq 3 has the ACL
172.16.10.0 255.255.255.0 172.21.22.0 255.255.255.0

which is different from the traffic you tested:
from 172.16.10.0/24 I can reach 172.10.20.0/24
from 172.16.10.0/24 I can't reach 172.10.10.0/24

That is what you must check.
Good luck
MHM
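The check MHM describes above, as an added example that is not from the thread or from Cisco: parse the `show crypto ipsec sa` output into one record per crypto map block and flag SAs that carry traffic in only one direction (decaps but no encaps means the peer is sending but nothing local ever reaches the crypto map, which is where routing and NAT get checked). The sample text is constructed by trimming two blocks of the kind pasted in this thread; the class and function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: two "Crypto map tag" blocks trimmed from the kind of
# output pasted in this thread; a pager prompt is kept to show it is skipped.
SAMPLE = """\
Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP
access-list Outside_cryptomap_2 extended permit ip 172.16.10.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
<--- More --->
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10862, #pkts decrypt: 10862, #pkts verify: 10862
Crypto map tag: company, seq num: 3, local addr: LocalOutsideinterfaceIP
access-list Outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 172.21.21.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.21.0/255.255.255.0/0/0)
#pkts encaps: 353596, #pkts encrypt: 353596, #pkts digest: 353596
#pkts decaps: 536028, #pkts decrypt: 536028, #pkts verify: 536028
"""

@dataclass
class IpsecSa:  # hypothetical record type; only the fields this check needs
    tag: str
    seq: int
    acl: str = ""
    local: str = ""
    remote: str = ""
    encaps: int = 0
    decaps: int = 0

    def direction(self):
        """Classify the SA from its packet counters."""
        if self.encaps and self.decaps:
            return "bidirectional"
        if self.decaps:
            return "inbound-only"   # peer sends, nothing local ever hits the crypto map
        if self.encaps:
            return "outbound-only"  # we encrypt, the peer never answers
        return "idle"

_HEADER = re.compile(r"^Crypto map tag: (\S+), seq num: (\d+)")
_FIELDS = {
    "acl": re.compile(r"^(access-list \S+ extended permit .+)$"),
    "local": re.compile(r"^local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "remote": re.compile(r"^remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "encaps": re.compile(r"^#pkts encaps: (\d+)"),
    "decaps": re.compile(r"^#pkts decaps: (\d+)"),
}

def parse_ipsec_sa(output):
    """Split `show crypto ipsec sa` text into one IpsecSa per crypto map block."""
    sas, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("<--- More"):
            continue  # blank lines and pager prompts from the captured session
        if m := _HEADER.match(line):
            cur = IpsecSa(tag=m.group(1), seq=int(m.group(2)))
            sas.append(cur)
        elif cur is not None:
            for key, pat in _FIELDS.items():
                if m := pat.match(line):
                    setattr(cur, key, int(m.group(1)) if key in ("encaps", "decaps") else m.group(1))
                    break
    return sas

def one_way_sas(output):
    """SAs with traffic in only one direction: the ones to chase with routing/NAT checks."""
    return [sa for sa in parse_ipsec_sa(output) if sa.direction().endswith("-only")]
```

Run `one_way_sas(open("ipsec_sa.txt").read())` against a saved capture; each returned record carries the ACL line and both selectors, so the flagged SA can be matched to the crypto map entry directly.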

 

Hi,

sh crypto ipsec sa is showing two SAs.

On

The one below has no encaps:
Crypto map tag: COMPANY, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 172.16.10.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: REMOTEPEERIP


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 31299, #pkts decrypt: 31299, #pkts verify: 31299
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: REMOTEPEERIP/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CC1371FB
current inbound spi : A4F7E5BF

inbound esp sas:
spi: 0xA4F7E5BF (2767709631)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: cOMPANY
sa timing: remaining key lifetime (kB/sec): (94207969/950)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCC1371FB (3423826427)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 79384576, crypto-map: cOMPANY
sa timing: remaining key lifetime (kB/sec): (89088000/950)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: cOMPANY, seq num: 3, local addr: LocalOutsideinterfaceIP

access-list Outside_cryptomap_2 extended permit ip 172.16.10.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: REMOTEPEERIP

Here it is showing encaps:
#pkts encaps: 6092387, #pkts encrypt: 6092387, #pkts digest: 6092387
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6092387, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: LocalOutsideinterfaceIP/500, remote crypto endpt.: REMOTEPEERIP/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C4E52459
current inbound spi : C6E755F1

inbound esp sas:
spi: 0xC6E755F1 (3337049585)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 74665984, crypto-map: cOMPANY
sa timing: remaining key lifetime (kB/sec): (94207999/0)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xC4E52459 (3303351385)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 74665984, crypto-map: cOMPANY
sa timing: remaining key lifetime (kB/sec): (88729896/0)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Any idea?

COMPANY and cOMPANY !!!
Can you share the IPsec config?

Hi,

The domain name was there; I just sanitized the original info.

COMPANY and cOMPANY are both the same; it was a typo when I was sanitizing.

I don't have any problem with the other networks.

Thanks

NeemaM
Level 1

Not sure if this is the correct forum or not. I had a weird issue with an S2S connection between Cisco Firepower (ASA module) and Azure VPN. The tunnel was coming up, but only one of the "Child sa: local selector" entries was coming up, not the others, i.e. not the other subnets or segments.

Long story short, it ended up being the IKE Phase 2 (IPsec) configuration. While the encryption (AES256) and the integrity (SHA256) both matched, the PFS Group ended up being the root cause. I ended up changing the PFS Group on the Azure side to ECP384, from PFS24, and this did the trick.

Voila. The other local selectors then populated and access was working. I would play with this setting on either side based on one's configuration.