Crypto IKEv2 stuck in In-Neg state, maximum number of retransmissions

shyamradhe (Level 1)

Hello Experts,

We have an issue at one of our customer routers (C1111-4P), where we have set up Tunnel 0 with IPsec, with a VTI tunnel on the remote side. Suddenly the tunnel is down (it was working earlier); reachability is fine from both ends and there is no ACL in the path. We cannot raise a TAC case because the device is not under any contract. Below is the debug; please help to resolve this issue.


12 Replies

You need to configure PFS in Phase 2 of IKEv2 to make the tunnel build the child crypto.

Thanks, but I guess it's already there.

OK,
Does the other side use the same PFS group 16?
What version do you run on your router?

Yes, the other side is also using the same PFS group 16.

Version - Cisco IOS XE Software, Version 16.09.05
c1100-universalk9_ias.16.09.05.SPA.bin

Oct 3 14:09:42: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Maximum number of retransmissions reached

Responder SPI : 0000000000000000 Message id: 0
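The two lines above carry more than the abort reason: in IKEv2 the initiator fills the responder SPI with zeros in its IKE_SA_INIT request (message ID 0), and it only learns the real responder SPI from the reply. A NEG_ABORT with an all-zero responder SPI at message ID 0 therefore means no IKE_SA_INIT reply ever arrived, which is a different problem from a peer that answered and then went silent during IKE_AUTH. The script below is an added example, not code from the thread or from Cisco; it parses the syslog lines in the format shown above and classifies each aborted negotiation. The second negotiation in the sample is constructed to show the other case and does not appear in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# Constructed sample log: the first two lines are the thread's own lines; the
# second negotiation (non-zero responder SPI, message id 3) is an assumed
# example of a peer that did answer IKE_SA_INIT but stopped responding later.
SAMPLE_LOG = """\
Oct 3 14:09:42: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Maximum number of retransmissions reached
Responder SPI : 0000000000000000 Message id: 0
Oct 3 14:12:07: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Maximum number of retransmissions reached
Responder SPI : 1A2B3C4D5E6F7081 Message id: 3
"""

ABORT_RE = re.compile(
    r"%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: (?P<reason>.+)$"
)
SPI_RE = re.compile(
    r"Responder SPI\s*:\s*(?P<spi>[0-9A-Fa-f]{16})\s+Message id:\s*(?P<msgid>\d+)"
)

ZERO_SPI = "0" * 16


@dataclass
class Abort:
    """One aborted IKEv2 negotiation reconstructed from the syslog."""
    reason: str
    responder_spi: Optional[str] = None
    message_id: Optional[int] = None

    def diagnosis(self) -> str:
        # Without the SPI line we cannot say more than the abort reason itself.
        if self.responder_spi is None or self.message_id is None:
            return "incomplete record: abort seen but no Responder SPI line"
        # RFC 7296: responder SPI is zero in the IKE_SA_INIT request and is
        # only filled in by the responder's reply; message id 0 is IKE_SA_INIT.
        if self.responder_spi == ZERO_SPI and self.message_id == 0:
            return ("no IKE_SA_INIT response received: peer not reachable on "
                    "UDP 500/4500, not listening, or silently dropping the request")
        # A real SPI means the peer did answer IKE_SA_INIT, so basic
        # reachability worked; the exchange stalled later (IKE_AUTH or a
        # follow-up exchange), which points at authentication, PKI or
        # admission/resource limits on the peer rather than at the path.
        return ("peer answered IKE_SA_INIT but stopped responding at message id "
                f"{self.message_id}: check authentication, certificates and "
                "call-admission/resource limits on the peer")


def parse_aborts(text: str) -> List[Abort]:
    """Pair each NEG_ABORT line with the Responder SPI line that follows it."""
    aborts: List[Abort] = []
    current: Optional[Abort] = None
    for line in text.splitlines():
        m = ABORT_RE.search(line)
        if m:
            current = Abort(reason=m.group("reason").strip())
            aborts.append(current)
            continue
        m = SPI_RE.search(line)
        if m and current is not None:
            current.responder_spi = m.group("spi").upper()
            current.message_id = int(m.group("msgid"))
            current = None  # the SPI line closes this record
    return aborts


def summarize(aborts: List[Abort]) -> Dict[str, int]:
    """Count aborted negotiations per diagnosis, for a quick triage view."""
    counts: Dict[str, int] = {}
    for a in aborts:
        key = a.diagnosis().split(":")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_aborts(SAMPLE_LOG):
        print(f"{a.reason} | spi={a.responder_spi} msgid={a.message_id}")
        print(f"  -> {a.diagnosis()}")
    print(summarize(parse_aborts(SAMPLE_LOG)))
```

Run it against a `show logging` capture (or feed the debug output through it) to separate "never got an answer" aborts from "got an answer, then stalled" aborts before spending time on certificates or PSKs: the first class is a path, NAT or peer-listening problem, the second is a policy or peer-side resource problem.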


It seems like the remote router is acting as a duck; it does not respond to your control plane messages.

Is there a cert involved, and is it still valid? Could you run the command debug crypto pki transactions and show the output? Did the remote side do a cert renewal? If they did, do you have the root and intermediate cert? I have seen similar issues where

*Oct 3 14:09:42.404: IKEv2:(SESSION ID = 16,SA ID = 1):Abort exchange
*Oct 3 14:09:42.405: IKEv2:(SESSION ID = 16,SA ID = 1):Deleting SA
*Oct 3 14:09:42.405: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Oct 3 14:09:42.405: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

the remote side did a cert renewal with the same CA, but the issue occurred because the CA chain (for example the intermediate CA) is different.


Please do not forget to rate.

Thanks, I have tried to renew the certificate, but I still have the same issue.


As a process of elimination, could you put both routers on PSK, take off the PKI cert and test it?

Please do not forget to rate.

Unfortunately I can't do this, due to limited access to the customer HUB end router.

R# show crypto call admission statistics

Share the output here.

Not possible!!

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvx74212
I think this is the bug.
System Resource Limit: 0 <<- this is not zero

Sorry for the late reply; check the bug details.

Hey MHM,

I tried the workaround given in that bug (reload and increasing the CAC limit), but no luck!!!

However, we tried removing and recreating the pre-shared key, and that resolved the issue!

Not sure how it worked, but the issue is finally resolved for me. Thanks for your help on this case.