Connectivity Issue with Site-2-Site VPN

Eric23
Level 1

Dear all,

I'm facing a problem regarding S2S VPN connectivity at phase 2. It seems to be working with some protected networks but not with the one below; also, for this specific network we are doing NAT because of an overlapping network:

FTD-site:

Session-id:2527, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
6722355 32.167.50.132/500 191.200.200.1/500 READY RESPONDER

FTD-1# sh crypto ipsec sa peer 191.200.200.1

There are no ipsec sas for peer 191.200.200.1

IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x9B4997A5)
IPSEC DEBUG: Inbound SA (SPI 0x9B4997A5) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x9B4997A5) free started, state embryonic
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0xBFD2819D
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x9B4997A5) free completed
IPSEC DEBUG: Inbound SA (SPI 0x9B4997A5) destroy completed
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x3F891E20)
IPSEC DEBUG: Inbound SA (SPI 0x3F891E20) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x3F891E20) free started, state embryonic
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0xADC11311
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x3F891E20) free completed
IPSEC DEBUG: Inbound SA (SPI 0x3F891E20) destroy completed
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x3F891E20)
IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b9ba48ea840, priority=70, domain=encrypt, deny=false
hits=45, user_data=0x0, cs_id=0x2b9bae3bd320, reverse, flags=0x0, protocol=0
src ip/id=10.20.200.48, mask=255.255.255.240, port=0, tag=any
dst ip/id=190.88.162.0, mask=255.255.254.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055c5984bcd37 flow (need-ike)/snp_sp_action_cb:1575

Forti site:

name=FTDGW1-TU1 ver=2 serial=4 191.200.200.1:0->32.167.50.132:0 dst_mtu=1500
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=2 child_num=0 refcnt=11 ilast=1 olast=1 ad=/0
stat: rxp=46965 txp=39018 rxb=21301116 txb=2933468
dpd: mode=on-idle on=1 idle=5000ms retry=6 count=0 seqno=1273608
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=FTD-Phase-190.88.162.PROPOSAL1 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:190.88.162.0/255.255.254.0:0
dst: 0:10.20.200.48/255.255.255.240:0
SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=1070/0B replaywin=2048
seqno=4 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3302/3600
dec: spi=e72700e1 esp=aes key=32 8f693d65a775bf6f9a8acdcb3805a4fae834ed7c6edc516c5fbf44a2a44eb73a
ah=sha256 key=32 efcdb8405a93e085cee5daa508dd594931fc80fa4bf198d72a8a4396e621a36c
enc: spi=73317b7a esp=aes key=32 0bbbebe98c1692e2501f3b60196c1832cd9ec06f472daae32aae65584284f746
ah=sha256 key=32 3bfe248524b95208a2f8c16929c4c90470385a9e10cfb5b41619a6da4a2278c3
dec:pkts/bytes=0/0, enc:pkts/bytes=3/372
npu_flag=00 npu_rgwy=32.167.50.132 npu_lgwy=191.200.200.1 npu_selid=1e dec_npuid=0 enc_npuid=0
proxyid=FTD-Phase-91.211.25.PROPOSAL1 proto=0 sa=1 ref=2 serial=3 auto-negotiate
src: 0:91.211.25.0/255.255.255.0:0
dst: 0:10.20.200.48/255.255.255.240:0
SA: ref=3 options=18027 type=00 soft=0 mtu=1438 expire=2821/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3302/3600
dec: spi=e727029a esp=aes key=32 ec52f209d78f1600673fdc7bc0c507082391559010d9db7ee7a087ea47c8fbbc
ah=sha256 key=32 a41e5bb5e4524b477bf7c96a3c314c776fa58b8606324da2dc8155b8e057c263
enc: spi=55ccad8b esp=aes key=32 4646ce6205f07712cff2a4fa356f4b4b76c12f99356b182737d165416cfa398c
ah=sha256 key=32 82f0a6fae6f7f577b8ebebc8c370b99726020b0f5e4f1b85701db5a55167022f
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=32.167.50.132 npu_lgwy=191.200.200.1 npu_selid=39 dec_npuid=0 enc_npuid=0
run_tally=1

Any ideas?

Thank you.

3 Replies

There is a conflict in NAT, or you use the real IP rather than the mapped IP in the IPsec ACL policy.

I guess you have a mismatch of Phase 2 somewhere. Are you running IKEv2?

IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters

From your ASA, sending traffic to:

src ip/id=10.20.200.48, mask=255.255.255.240, port=0, tag=any
dst ip/id=190.88.162.0, mask=255.255.254.0, port=0, tag=any, dscp=0x0


On the Fortinet we see the logs:

proxyid=FTD-Phase-190.88.162.PROPOSAL1 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:190.88.162.0/255.255.254.0:0
dst: 0:10.20.200.48/255.255.255.240:0

sa=1: the IPsec SA is matching and there is traffic between the selectors.

Here the Fortinet is sending the traffic, which means your Fortinet must be the VPN initiator. On the other end, on the FTD, we see the log "Invalid PF_Key DELETE". You must be mismatching the phase 2 config.

For the overlapping network you translate them to a different IP subnet. Are these subnets in the crypto ACL?

Please do not forget to rate.
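The selector comparison made in the reply above can be scripted, which is handy when a tunnel carries many proxy IDs. The following is an added example and not code from the thread or from either vendor: it parses the selector and counter lines of the FortiGate `diagnose vpn tunnel list` output and the `domain=encrypt` rule of the FTD `packet-tracer` output, finds the FortiGate proxy ID whose src/dst is the mirror image of the FTD rule, and flags the two states seen in the thread: no mirror at all (selector or NAT mismatch, since the selectors must carry the mapped addresses), and an SA that encrypts but never decrypts. The sample inputs are the thread's own output, trimmed to the lines the parser needs with the key material left out; the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed sample: the selector and counter lines of the FortiGate
# "diagnose vpn tunnel list" output posted in the thread (key material omitted).
FORTI_TUNNEL_LIST = """\
name=FTDGW1-TU1 ver=2 serial=4 191.200.200.1:0->32.167.50.132:0 dst_mtu=1500
proxyid_num=2 child_num=0 refcnt=11 ilast=1 olast=1 ad=/0
proxyid=FTD-Phase-190.88.162.PROPOSAL1 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:190.88.162.0/255.255.254.0:0
dst: 0:10.20.200.48/255.255.255.240:0
dec:pkts/bytes=0/0, enc:pkts/bytes=3/372
proxyid=FTD-Phase-91.211.25.PROPOSAL1 proto=0 sa=1 ref=2 serial=3 auto-negotiate
src: 0:91.211.25.0/255.255.255.0:0
dst: 0:10.20.200.48/255.255.255.240:0
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""

# Constructed sample: the encrypt-rule lines of the FTD packet-tracer output in the thread.
FTD_PACKET_TRACER = """\
Forward Flow based lookup yields rule:
out id=0x2b9ba48ea840, priority=70, domain=encrypt, deny=false
src ip/id=10.20.200.48, mask=255.255.255.240, port=0, tag=any
dst ip/id=190.88.162.0, mask=255.255.254.0, port=0, tag=any, dscp=0x0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"


def parse_forti_proxyids(text):
    """One dict per proxyid block: name, SA count, src/dst selectors, packet counters."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"proxyid=(\S+)\s.*?\bsa=(\d+)", line)
        if m:
            cur = {"name": m.group(1), "sa": int(m.group(2)),
                   "src": None, "dst": None, "dec_pkts": 0, "enc_pkts": 0}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(rf"(src|dst): \d+:{IP}/{IP}:\d+", line)
        if m:
            cur[m.group(1)] = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            continue
        m = re.match(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+", line)
        if m:
            cur["dec_pkts"], cur["enc_pkts"] = int(m.group(1)), int(m.group(2))
    return entries


def parse_ftd_encrypt_rule(text):
    """Return (src, dst) networks of the FTD 'domain=encrypt' rule in packet-tracer output."""
    src = re.search(rf"src ip/id={IP}, mask={IP}", text)
    dst = re.search(rf"dst ip/id={IP}, mask={IP}", text)
    if not (src and dst):
        raise ValueError("no encrypt-rule selectors found in packet-tracer output")
    return (ip_network(f"{src.group(1)}/{src.group(2)}", strict=False),
            ip_network(f"{dst.group(1)}/{dst.group(2)}", strict=False))


def check_tunnel(forti_text, ftd_text):
    """Find the FortiGate proxyid that mirrors the FTD encrypt rule and describe its state.

    The FortiGate src must equal the FTD dst and vice versa. The addresses compared are
    the ones in the selectors, i.e. the post-NAT (mapped) addresses when NAT is in play.
    """
    ftd_src, ftd_dst = parse_ftd_encrypt_rule(ftd_text)
    mirror = next((p for p in parse_forti_proxyids(forti_text)
                   if p["src"] == ftd_dst and p["dst"] == ftd_src), None)
    if mirror is None:
        return [f"no FortiGate proxyid mirrors FTD selector {ftd_src} -> {ftd_dst}"]
    findings = [f"mirror found: {mirror['name']}"]
    if mirror["sa"] == 0:
        findings.append("no phase 2 SA on the FortiGate side for this proxyid")
    if mirror["enc_pkts"] > 0 and mirror["dec_pkts"] == 0:
        findings.append("one-way: FortiGate encrypts but decrypts nothing; check that the "
                        "FTD holds an SA for this selector and that the phase 2 proposal, "
                        "PFS included, matches on both sides")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(FORTI_TUNNEL_LIST, FTD_PACKET_TRACER):
        print(finding)
```

Run against the thread's output it reports the mirror `FTD-Phase-190.88.162.PROPOSAL1` and the one-way condition (enc 3 packets, dec 0), which is exactly the state the FTD side confirms with "There are no ipsec sas for peer": the FortiGate believes it has a child SA that the FTD has already torn down. A missing mirror instead points at the first reply's concern, a crypto ACL built on real rather than mapped addresses.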

Eric23
Level 1

Hello, and thank you for the answers.

The problem was with the PFS config setup.
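For reference, this is where the PFS setting the poster found lives on the FortiGate side. It is an added illustration, not the poster's configuration: the phase 1 name, proxy ID name and subnets are taken from the `diagnose vpn tunnel list` output above, the proposal `aes256-sha256` matches the `esp=aes key=32` / `sha256` shown there, and DH group 14 is an assumption. On the FTD the equivalent settings are the "Enable Perfect Forward Secrecy" checkbox and modulus group in the topology's IPsec tab in FMC; both sides must either enable PFS with the same group or both leave it disabled, otherwise the child SA negotiation fails even though the selectors match.

```text
config vpn ipsec phase2-interface
    edit "FTD-Phase-190.88.162.PROPOSAL1"
        set phase1name "FTDGW1-TU1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 190.88.162.0 255.255.254.0
        set dst-subnet 10.20.200.48 255.255.255.240
    next
end
```

To see the mismatch on the wire rather than infer it from counters, enable the IKE debug on the FortiGate (`diagnose debug application ike -1` followed by `diagnose debug enable`) while the FTD side runs `debug crypto ikev2 protocol 127`; the CREATE_CHILD_SA exchange shows which side offers a key-exchange payload and which side rejects the proposal.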