06-13-2023 11:05 AM
I'm encountering an issue with an IKEv2 setup where the authentication exchange fails and I receive the error message: "Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2 : Received an IKE msg id outside supported window".
I am trying to establish an IPSEC VPN tunnel between AWS and a Cisco C1111-8PLTEEA running Cisco IOS XE Software, Version 17.03.04a.
**Please note, I can establish a VPN between this router and AWS when using the standard shared secret authentication method. I only have these problems when using certificate authentication. AWS Support states the authentication is working (noted below).**
I have been reading about IKEv2 and trying out different things in the Cisco configuration related to IKEv2 and IPSEC fragmentation, but I have had no luck.
Any assistance is greatly appreciated!
**Cisco Debug Output**
```
Jun 12 09:49:24.788: IKEv2-ERROR:(SESSION ID = 1,SA ID = 5):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
: Received an IKE msg id outside supported window
Jun 12 09:49:24.788: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 18.218.X.X:4500/To 24.106.X.X:4500/VRF i0:f0]
Initiator SPI : A47449A2BD1AE71A - Responder SPI : 5A1E2DF2291B6E9D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Jun 12 09:49:24.788: IKEv2-PAK:(SESSION ID = 0,SA ID = 0):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 2556
Jun 12 09:49:26.559: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 5):SM Trace-> SA: I_SPI=A47449A2BD1AE71A R_SPI=5A1E2DF2291B6E9D (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT
Jun 12 09:49:26.560: IKEv2:(SESSION ID = 1,SA ID = 5):Retransmitting packet
Jun 12 09:49:26.560: IKEv2:(SESSION ID = 1,SA ID = 5):Sending Packet [To 18.218.X.X:4500/From 24.106.X.X:4500/VRF i0:f0]
Initiator SPI : A47449A2BD1AE71A - Responder SPI : 5A1E2DF2291B6E9D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Jun 12 09:49:26.560: IKEv2-PAK:(SESSION ID = 1,SA ID = 5):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 1820
Payload contents:
ENCR Next payload: VID, reserved: 0x0, length: 1792
Jun 12 09:49:26.561: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 5):SM Trace-> SA: I_SPI=A47449A2BD1AE71A R_SPI=5A1E2DF2291B6E9D (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
Jun 12 09:49:26.649: IKEv2-ERROR:(SESSION ID = 1,SA ID = 5):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
: Received an IKE msg id outside supported window
Jun 12 09:49:26.650: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 18.218.X.X:4500/To 24.106.X.X:4500/VRF i0:f0]
Initiator SPI : A47449A2BD1AE71A - Responder SPI : 5A1E2DF2291B6E9D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Jun 12 09:49:26.650: IKEv2-PAK:(SESSION ID = 0,SA ID = 0):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 2556
Jun 12 09:49:29.372: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT
Jun 12 09:49:29.372: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT_EXCEED
Jun 12 09:49:29.372: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Maximum number of retransmissions reached
Jun 12 09:49:29.372: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: AUTH_DONE Event: EV_FAIL
Jun 12 09:49:29.372: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
Jun 12 09:49:29.372: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
Jun 12 09:49:29.373: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: EXIT Event: EV_ABORT
Jun 12 09:49:29.373: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: EXIT Event: EV_CHK_PENDING_ABORT
Jun 12 09:49:29.373: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: EXIT Event: EV_CHK_GKM
Jun 12 09:49:29.373: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: EXIT Event: EV_UPDATE_CAC_STATS
Jun 12 09:49:29.373: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
Jun 12 09:49:29.373: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
```
**AWS DEBUG (Provided by AWS Support Team)**
```
2023-06-12 21:53:22.890 24.106.X.X is initiating an IKE_SA
2023-06-12 21:53:22.892 sending cert request for <CERT REDACTED>
2023-06-12 21:53:22.892 sending cert request for <CERT REDACTED>
2023-06-12 21:53:22.892 sending packet to 24.106.X.X[500]
2023-06-12 21:53:22.985 received end entity cert "CN=X.io"
2023-06-12 21:53:22.985 looking for peer configs matching 24.106.X.X[X.io]
2023-06-12 21:53:22.985 using certificate "CN=X.io"
2023-06-12 21:53:22.985 using trusted intermediate ca certificate <CERT REDACTED>
2023-06-12 21:53:22.985 checking certificate status of "CN=X.io"
2023-06-12 21:53:22.985 reached self-signed root ca with a path length of 1
2023-06-12 21:53:22.985 authentication of 'X.io' with RSA signature successful
2023-06-12 21:53:22.986 authentication of 'CN=vpn-X.endpoint-0' (myself) with RSA signature successful
2023-06-12 21:53:22.986 destroying duplicate IKE_SA for peer 'X.io', received INITIAL_CONTACT
2023-06-12 21:53:23.231 IKE_SA established between [CN=vpn-X.endpoint-0]...24.106.X.X[X.io] <== Phase-1 established
2023-06-12 21:53:23.232 sending end entity cert "CN=vpn-X.endpoint-0"
2023-06-12 21:53:23.232 sending issuer cert <CERT REDACTED>
2023-06-12 21:53:23.232 selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
2023-06-12 21:53:23.233 CHILD_SA established with SPIs cacf4f07_i a8b7c369_o and TS 0.0.0.0/0 === 0.0.0.0/0 <== Phase-2 established
2023-06-12 21:53:23.495 received retransmit of request with ID 1 <=== IKE_AUTH request 1
2023-06-12 21:53:23.495 sending packet to 24.106.X.X[4500] <=== resent the IKE_AUTH
2023-06-12 21:53:25.375 received retransmit of request with ID 1
2023-06-12 21:53:25.375 sending packet to 24.106.X.X[4500]
2023-06-12 21:53:29.248 received retransmit of request with ID 1
2023-06-12 21:53:29.248 sending packet to 24.106.X.X[4500]
2023-06-12 21:53:36.681 received retransmit of request with ID 1
2023-06-12 21:53:36.681 sending packet to 24.106.X.X[4500]
2023-06-12 21:53:42.892 sending keep alive to 24.106.X.X[4500]
2023-06-12 21:53:47.232 sending DPD request
2023-06-12 21:53:47.232 generating INFORMATIONAL request 0 [ ]
2023-06-12 21:53:47.232 sending packet to 24.106.X.X[4500]
2023-06-12 21:53:51.334 received retransmit of request with ID 1
2023-06-12 21:53:51.334 sending packet to 24.106.X.X[4500]
2023-06-12 21:53:52.889 received Cisco Delete Reason vendor ID <=== CGW bring down the Tunnel
2023-06-12 21:53:52.889 received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
2023-06-12 21:53:52.889 received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
2023-06-12 21:53:52.889 received Cisco FlexVPN Supported vendor ID
```
**AWS Notes**
I can see that authentication was successful, but the CGW keeps requesting to resend the Phase-1 authentication; after a while, the CGW torn
Can you please check why the CGW requests to retransmit the Phase-1 authentication? I also believe the cert setup is correct, as we do not see an Authentication Failed issue.
**Cisco Configuration (Relevant Sections)**
```
crypto pki trustpoint AWSVPNCert
enrollment pkcs12
usage ike
fqdn X.io
subject-name CN=X.io
subject-alt-name X.io
revocation-check none
rsakeypair AWSVPNCert
!
crypto pki trustpoint AWSVPNCert-rrr1
revocation-check none
!
!
!
crypto pki certificate map AWSVPNCert 10
subject-name co vpn-X.endpoint-0
!
crypto pki certificate chain AWSVPNCert
certificate 00BB42667CDD1117BED5D136A8221FAE2A
308203C3
...
certificate ca 543539C4284EBA5D13C1FEC18665700A
3082041A
...
crypto pki certificate chain AWSVPNCert-rrr1
certificate ca 3FD703D2A83CF19C25B2CED41D9425A4
308203F4
...
crypto ikev2 proposal PROPOSAL1
encryption aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 policy POLICY1
match fvrf any
proposal PROPOSAL1
!
!
crypto ikev2 profile IKEV2-PROFILE
match certificate AWSVPNCert
identity local fqdn X.io
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint AWSVPNCert
lifetime 28800
dpd 10 10 periodic
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set awsvpntransform esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-X-0
set transform-set awsvpntransform
set pfs group2
set ikev2-profile IKEV2-PROFILE
!
interface Tunnel1
ip address 169.254.221.170 255.255.255.252
ip tcp adjust-mss 1379
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 18.218.X.X
tunnel protection ipsec profile ipsec-vpn-X-0
ip virtual-reassembly
!
interface GigabitEthernet0/0/0
ip address 24.106.X.X 255.255.X.X
negotiation auto
!
```
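The Cisco debug above is easier to reason about once it is reduced to per-SA facts: which message id the router received, what window it said it would accept, how many times it retransmitted, and whether the state machine ever left I_WAIT_AUTH. The script below is an added example written for this thread, not code from the original post, Cisco or AWS. It parses a constructed sample assembled from the debug lines in the post (same SPIs and SA ids) and flags the condition visible there: the router reports an acceptable window of 0x2 <= mess_id < 0x2, which contains no message id at all, so every IKE_AUTH response the peer sends or retransmits is discarded until the retransmit limit is reached. Function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the "debug crypto ikev2" output in the post
# above (SPIs, SA ids and timestamps are taken from that output).
SAMPLE_DEBUG = """\
Jun 12 09:49:24.788: IKEv2-ERROR:(SESSION ID = 1,SA ID = 5):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
: Received an IKE msg id outside supported window
Jun 12 09:49:26.559: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 5):SM Trace-> SA: I_SPI=A47449A2BD1AE71A R_SPI=5A1E2DF2291B6E9D (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT
Jun 12 09:49:26.560: IKEv2:(SESSION ID = 1,SA ID = 5):Retransmitting packet
Jun 12 09:49:26.649: IKEv2-ERROR:(SESSION ID = 1,SA ID = 5):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
Jun 12 09:49:29.372: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT_EXCEED
Jun 12 09:49:29.372: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Maximum number of retransmissions reached
Jun 12 09:49:29.372: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
"""

# "Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2"
WINDOW_RE = re.compile(
    r"\(SESSION ID = (?P<sess>\d+),SA ID = (?P<sa>\d+)\):Response is outside of window "
    r"received (?P<got>0x[0-9a-fA-F]+), expect (?P<lo>0x[0-9a-fA-F]+) <= mess_id < (?P<hi>0x[0-9a-fA-F]+)"
)
# State-machine trace lines: SPI pair, message id, current state and event.
SM_RE = re.compile(
    r"\(SESSION ID = (?P<sess>\d+),SA ID = (?P<sa>\d+)\):SM Trace-> SA: I_SPI=(?P<ispi>[0-9A-F]+) "
    r"R_SPI=(?P<rspi>[0-9A-F]+) .*MsgID = (?P<msgid>\d+) CurState: (?P<state>\S+) Event: (?P<event>\S+)"
)
AUTH_FAILED_RE = re.compile(r"SA ID = (?P<sa>\d+)\):+\s*Auth exchange failed")


def parse_window(line):
    """Return the decoded window error on this line, or None."""
    m = WINDOW_RE.search(line)
    if not m:
        return None
    got, lo, hi = (int(m.group(k), 16) for k in ("got", "lo", "hi"))
    return {
        "sa": int(m.group("sa")),
        "received": got,
        "expect_lo": lo,
        "expect_hi": hi,
        # lo >= hi is an empty half-open interval: no message id can ever be
        # accepted, so peer retransmits of the response are all dropped.
        "empty_window": lo >= hi,
        "in_window": lo <= got < hi,
    }


def analyze_ikev2_debug(text):
    """Group the debug lines by SA ID and summarise what happened to each SA."""
    report = defaultdict(lambda: {
        "spi": None, "window_errors": [], "empty_window": False,
        "retransmits": 0, "retransmit_exceeded": False,
        "auth_failed": False, "last_state": None,
    })
    for line in text.splitlines():
        w = parse_window(line)
        if w:
            sa = report[w["sa"]]
            sa["window_errors"].append(w)
            sa["empty_window"] = sa["empty_window"] or w["empty_window"]
            continue
        m = SM_RE.search(line)
        if m:
            sa = report[int(m.group("sa"))]
            sa["spi"] = (m.group("ispi"), m.group("rspi"))
            sa["last_state"] = m.group("state")
            if m.group("event") == "EV_RE_XMT":
                sa["retransmits"] += 1
            elif m.group("event") == "EV_RE_XMT_EXCEED":
                sa["retransmit_exceeded"] = True
            continue
        m = AUTH_FAILED_RE.search(line)
        if m:
            report[int(m.group("sa"))]["auth_failed"] = True
    return dict(report)


def diagnose(report):
    """Turn the per-SA summary into short findings for the operator."""
    findings = []
    for sa_id, sa in sorted(report.items()):
        if sa["empty_window"] and sa["last_state"] == "I_WAIT_AUTH":
            findings.append(
                f"SA {sa_id}: IKE_AUTH response rejected by an empty message-id window; "
                "the peer's retransmitted responses can never be accepted by this side")
        if sa["retransmit_exceeded"] or sa["auth_failed"]:
            findings.append(f"SA {sa_id}: initiator exhausted retransmits, auth exchange failed")
    return findings


if __name__ == "__main__":
    for finding in diagnose(analyze_ikev2_debug(SAMPLE_DEBUG)):
        print(finding)
```

Feed it the full `debug crypto ikev2` output instead of the sample to get the same summary per SA; the useful signal is an empty window (`expect_lo >= expect_hi`) paired with `retransmits` climbing while the state never leaves I_WAIT_AUTH, which matches the AWS side reporting successful authentication and repeated "received retransmit of request with ID 1".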
06-13-2023 11:38 PM
- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb76988
M.
06-14-2023 03:32 AM
Thank you! Thank you! Thank you! Tunnels now UP!
12-13-2023 05:19 AM
Hello, I tried to adjust or disable fragmentation to no avail. I continue receiving the same error. Any advice?