04-18-2012 01:36 AM
Hello,
I have 2 routers that build up 3 VPNs (IKEv2/IPsec) using tunnels on 3 different VRFs.
Normally these tunnels work fine without problems. Sometimes, after an IP disconnection, some of those tunnels don't negotiate IKEv2 correctly.
This happens randomly and not always on the same tunnel, which leads me to suspect a potential problem with the IOS version.
Can someone check the debug below and help me understand the potential cause of the messages here, in particular:
Apr 18 09:46:42.102: IKEv2:Failed to initiate sa
Apr 18 09:46:51.881: IKEv2:Got a packet from dispatcher
Apr 18 09:46:51.881: IKEv2:Processing an item off the pak queue
Apr 18 09:46:51.883: IKEv2:Failed to allocate memory
Details below:
interface Tunnel706
 ip vrf forwarding servizi
 ip address 10.xx.xx.xx 255.255.255.252
 keepalive 1 5
 tunnel source xxx.xxx.xxx.xx9
 tunnel mode ipsec ipv4
 tunnel destination xxx.xxx.xxx.xx1
 tunnel vrf internet
 tunnel protection ipsec profile ipsecprof-servizi
!
#debug crypto ikev2 detail
Apr 18 09:46:42.102: IKEv2:% Getting preshared key from profile keyring v2-kr1-servizi
Apr 18 09:46:42.102: IKEv2:% Getting preshared key by address xxx.xxx.xxx.xx1
Apr 18 09:46:42.102: IKEv2:% Matched peer block 'router_remote-servizi'
Apr 18 09:46:42.102: IKEv2:Searching Policy with fvrf 2, local address xxx.xxx.xxx.xx9
Apr 18 09:46:42.102: IKEv2:Found Policy pol-1
Apr 18 09:46:42.102: IKEv2:Adding Proposal prop-1 to toolkit policy
Apr 18 09:46:42.102: IKEv2:Failed to initiate sa
Apr 18 09:46:51.881: IKEv2:Got a packet from dispatcher
Apr 18 09:46:51.881: IKEv2:Processing an item off the pak queue
Apr 18 09:46:51.883: IKEv2:Rx [L xxx.xxx.xxx.xx9:500/R xxx.xxx.xxx.xx1:500/VRF i0:f2] m_id: 0x0
Apr 18 09:46:51.883: IKEv2:HDR[i:7DE73BECB5AC9CEE - r: 0000000000000000]
Apr 18 09:46:51.883: IKEv2:IKEV2 HDR ispi: 7DE73BECB5AC9CEE - rspi: 0000000000000000
Apr 18 09:46:51.883: IKEv2:Next payload: SA, version: 2.0
Apr 18 09:46:51.883: IKEv2:Exchange type: IKE_SA_INIT, flags: INITIATOR
Apr 18 09:46:51.883: IKEv2:Message id: 0x0, length: 292
Apr 18 09:46:51.883: IKEv2:New ikev2 sa request admitted
Apr 18 09:46:51.883: IKEv2:Incrementing incoming negotiating sa count by one
Apr 18 09:46:51.883: SA Next payload: KE, reserved: 0x0, length: 48
Apr 18 09:46:51.883: IKEv2: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
Apr 18 09:46:51.883: IKEv2: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
Apr 18 09:46:51.883: IKEv2: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: MD5
Apr 18 09:46:51.883: IKEv2: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: MD596
Apr 18 09:46:51.883: IKEv2: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
Apr 18 09:46:51.883: KE Next payload: N, reserved: 0x0, length: 136
DH group: 2, Reserved: 0x0
Apr 18 09:46:51.883: N Next payload: NOTIFY, reserved: 0x0, length: 24
Apr 18 09:46:51.883: IKEv2:Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
Apr 18 09:46:51.883: IKEv2:Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
Apr 18 09:46:51.883: IKEv2:SM Trace-> SA: I_SPI=7DE73BECB5AC9CEE R_SPI=1523C1166269D4C7 (R) MsgID = 00000000 CurState: IDLE Event: EV_RECV_INIT
Apr 18 09:46:51.883: IKEv2:SM Trace-> SA: I_SPI=7DE73BECB5AC9CEE R_SPI=1523C1166269D4C7 (R) MsgID = 00000000 CurState: R_INIT Event: EV_VERIFY_MSG
Apr 18 09:46:51.883: IKEv2:Verify SA init message
Apr 18 09:46:51.883: IKEv2:SM Trace-> SA: I_SPI=7DE73BECB5AC9CEE R_SPI=1523C1166269D4C7 (R) MsgID = 00000000 CurState: R_INIT Event: EV_INSERT_SA
Apr 18 09:46:51.883: IKEv2:Insert SA
Apr 18 09:46:51.883: IKEv2:Failed to allocate memory
Apr 18 09:46:51.883: IKEv2:
Apr 18 09:46:51.883: IKEv2:SM Trace-> SA: I_SPI=7DE73BECB5AC9CEE R_SPI=1523C1166269D4C7 (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
Apr 18 09:46:51.883: IKEv2:Failed SA init exchange
Apr 18 09:46:51.883: IKEv2:Initial exchange failed
Apr 18 09:46:51.883: IKEv2:Initial exchange failed
Apr 18 09:46:51.883: IKEv2:SM Trace-> SA: I_SPI=7DE73BECB5AC9CEE R_SPI=1523C1166269D4C7 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
Apr 18 09:46:51.883: IKEv2:SM Trace-> SA: I_SPI=7DE73BECB5AC9CEE R_SPI=1523C1166269D4C7 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
Apr 18 09:46:51.883: IKEv2:Negotiating SA request deleted
Apr 18 09:46:51.883: IKEv2:Decrement count for incoming negotiating
Apr 18 09:46:51.883: IKEv2:SM Trace-> SA: I_SPI=7DE73BECB5AC9CEE R_SPI=1523C1166269D4C7 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
Apr 18 09:46:51.883: IKEv2:Abort exchange
Apr 18 09:46:51.883: IKEv2:Deleting SA
04-22-2012 02:09 AM
Hello,
Apr 18 09:46:51.883: IKEv2:Failed to allocate memory
A "show proc mem sorted" and "sh memory allocating-process totals"
would be needed to understand why we can't allocate memory.
Cheers,
Olivier Pelerin
CCIE #20306
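One way to triage a capture like the one in this thread, as an added example that is not part of the original posts: the script ties each "Failed to ..." line to the most recent state-machine trace, so the failing step and SPI are explicit, and it lists proposal transforms that RFC 8247 deprecates. The function name, regexes and shortened sample are constructed for illustration.

```python
import re

# Constructed sample in the format of the debug output posted above (shortened).
SAMPLE = """\
Apr 18 09:46:42.102: IKEv2:Failed to initiate sa
Apr 18 09:46:51.883: IKEv2:HDR[i:7DE73BECB5AC9CEE - r: 0000000000000000]
Apr 18 09:46:51.883: IKEv2: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: MD5
Apr 18 09:46:51.883: IKEv2: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
Apr 18 09:46:51.883: IKEv2:SM Trace-> SA: I_SPI=7DE73BECB5AC9CEE R_SPI=1523C1166269D4C7 (R) MsgID = 00000000 CurState: R_INIT Event: EV_INSERT_SA
Apr 18 09:46:51.883: IKEv2:Insert SA
Apr 18 09:46:51.883: IKEv2:Failed to allocate memory
Apr 18 09:46:51.883: IKEv2:SM Trace-> SA: I_SPI=7DE73BECB5AC9CEE R_SPI=1523C1166269D4C7 (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
"""

# MD5 (PRF/integrity) and 1024-bit MODP group 2 are deprecated for IKEv2 by RFC 8247.
WEAK = {"MD5", "MD596", "DH_GROUP_1024_MODP/Group 2"}
TS = re.compile(r"^(\w{3} +\d+ [\d:.]+): ")
TRACE = re.compile(r"I_SPI=(\w+) R_SPI=(\w+) \((\w)\).*CurState: (\w+) Event: (\w+)")
FAIL = re.compile(r"IKEv2:(Failed to [\w ]+)")
XFORM = re.compile(r"type: \d+, reserved: \w+, id: (.+)$")


def analyze(log):
    """Return (failures, weak_transforms) for one 'debug crypto ikev2' capture."""
    failures, weak = [], []
    last = None   # latest SM Trace: (i_spi, r_spi, role, state, event)
    stamp = None  # timestamp of the latest timestamped line
    for line in log.splitlines():
        if m := TS.match(line):
            stamp = m.group(1)
        if m := TRACE.search(line):
            last = m.groups()  # remember where the state machine is
        elif m := XFORM.match(line.strip()):
            if m.group(1) in WEAK and m.group(1) not in weak:
                weak.append(m.group(1))
        elif m := FAIL.search(line):
            # A failure with no preceding trace (initiator side here) gets None fields.
            i_spi, _, role, state, event = last or (None,) * 5
            failures.append({"time": stamp, "error": m.group(1), "role": role,
                             "i_spi": i_spi, "state": state, "event": event})
    return failures, weak


if __name__ == "__main__":
    for item in analyze(SAMPLE):
        print(item)
```
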