DEBUG IPSEC FPR 1010

loopin3
Level 1

Hi all, 

I have an FPR 1010 and I'm trying to configure a site-to-site VPN with GCP. Phase 1 is completed, as the debug shows:

IKEv2-PLAT-4: (179): my auth method set to: 0
IKEv2-PLAT-4: (179): Failed to retrieve trusted issuers hashes or none available
IKEv2-PLAT-5: (179): SENT PKT [IKE_SA_INIT] [192.168.2.3]:500->[34.65.4.241]:500 InitSPI=0xdb98e662e4f74488 RespSPI=0xe7507732beb52223 MID=00000000
IKEv2-PLAT-5: RECV PKT [IKE_AUTH] [34.65.4.241]:4500->[192.168.2.3]:4500 InitSPI=0xdb98e662e4f74488 RespSPI=0xe7507732beb52223 MID=00000001
IKEv2-PLAT-4: (179): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (179): peer auth method set to: 2
IKEv2-PLAT-4: (179): Site to Site connection detected
IKEv2-PLAT-4: attempting to find tunnel group for ID: 34.65.4.241
IKEv2-PLAT-4: mapped to tunnel group 34.65.4.241 using phase 1 ID
IKEv2-PLAT-4: tg_name set to: 34.65.4.241
IKEv2-PLAT-4: tunn grp type set to: L2L
IKEv2-PLAT-4: (179): my auth method set to: 2
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-4: (179): P1 ID = 0
IKEv2-PLAT-4: (179): Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-4: (179): Completed authentication for connection
IKEv2-PLAT-4: Build config mode reply: no request stored
IKEv2-PLAT-4: checking access status for src=0.0.0.0 dst 0.0.0.0 s_port = 0 d_port = 0, proto = 0
IKEv2-PLAT-4: (179): Crypto Map: No proxy match on map s2sCryptoMap seq 1
IKEv2-PLAT-4: (176): PSH cleanup
IKEv2-PLAT-7: Active ike sa request deleted
IKEv2-PLAT-7: Decrement count for incoming active
IKEv2-PLAT-4: (179): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (179): SENT PKT [IKE_AUTH] [192.168.2.3]:4500->[34.65.4.241]:4500 InitSPI=0xdb98e662e4f74488 RespSPI=0xe7507732beb52223 MID=00000001
IKEv2-PLAT-7: New ikev2 sa request activated
IKEv2-PLAT-7: Decrement count for incoming negotiating
IKEv2-PLAT-4:
CONNECTION STATUS: UP... peer: 34.65.4.241:4500, phase1_id: 34.65.4.241
IKEv2-PLAT-4: (179): connection auth hdl set to 106
IKEv2-PLAT-4: (179): AAA conn attribute retrieval successfully queued for register session request.

The tunnel doesn't go up, and the debug of crypto ipsec at level 255 is:

PSEC: New embryonic SA created @ 0x00002b129b2e9f70,
SCB: 0x9B2298F0,
Direction: inbound
SPI : 0x3F95FA33
Session ID: 0x0028C000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x028DFD31
IPSEC: New embryonic SA created @ 0x00002b129b358690,
SCB: 0x9AA433F0,
Direction: inbound
SPI : 0x5769B808
Session ID: 0x0028C000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Received a PFKey message from IKE
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x3F95FA33)
IPSEC DEBUG: Inbound SA (SPI 0x3F95FA33) destroy started, state embryonic
IPSEC: Destroy current inbound SPI: 0x3F95FA33
IPSEC DEBUG: Inbound SA (SPI 0x3F95FA33) free started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x3F95FA33) state change from embryonic to dead
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x028C9A73
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x3F95FA33) free completed
IPSEC DEBUG: Inbound SA (SPI 0x3F95FA33) destroy completed
IPSEC: Received a PFKey message from IKE
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x5769B808)
IPSEC DEBUG: Inbound SA (SPI 0x5769B808) destroy started, state embryonic
IPSEC: Destroy current inbound SPI: 0x5769B808
IPSEC DEBUG: Inbound SA (SPI 0x5769B808) free started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x5769B808) state change from embryonic to dead
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x028DFD31
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x5769B808) free completed
IPSEC DEBUG: Inbound SA (SPI 0x5769B808) destroy completed

With packet tracer, the packet goes on the VPN path, but the tunnel is down.

The configuration is:

> show running-config crypto
crypto ipsec ikev2 ipsec-proposal SAP_IPSEC
protocol esp encryption aes-256 aes-192 aes 3des
protocol esp integrity sha-384 sha-256 sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES-SHA
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-512 sha-384 sha-256 sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|8be92a2b-4a31-11ed-8aa6-33bbbbf59313
crypto map s2sCryptoMap 1 set pfs group5
crypto map s2sCryptoMap 1 set peer 34.65.4.241
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-SHA SAP_IPSEC
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14 5 2
prf sha512 sha384 sha256 sha
lifetime seconds 36000
crypto ikev2 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

 

 

 

How can I solve it?
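
Added example (not part of the original post): a small Python helper that summarizes debug output in the format shown above, pulling out the selector check, any "No proxy match" result for the crypto map, and the SPIs that IKE deleted while they were still embryonic. The function names and the embedded sample lines are constructed for illustration.

```python
import re

# Constructed sample, in the format of the debug output quoted in the post.
SAMPLE = """\
IKEv2-PLAT-4: checking access status for src=0.0.0.0 dst 0.0.0.0 s_port = 0 d_port = 0, proto = 0
IKEv2-PLAT-4: (179): Crypto Map: No proxy match on map s2sCryptoMap seq 1
IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x3F95FA33)
IPSEC DEBUG: Inbound SA (SPI 0x3F95FA33) state change from embryonic to dead
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x5769B808)
IPSEC DEBUG: Inbound SA (SPI 0x5769B808) state change from embryonic to dead
"""

SELECTOR = re.compile(r"checking access status for src=(\S+) dst (\S+)")
NO_MATCH = re.compile(r"Crypto Map: No proxy match on map (\S+) seq (\d+)")
STATE = re.compile(r"(Inbound|Outbound) SA \(SPI (0x[0-9A-Fa-f]+)\) "
                   r"state change from (\w+) to (\w+)")
DELETE = re.compile(r"DELETE PFKey message from IKE for an? \w+ SA "
                    r"\(SPI (0x[0-9A-Fa-f]+)\)")


def summarize(text):
    """Collect selector checks, crypto map misses and per-SPI SA history."""
    out = {"selectors": [], "no_proxy_match": [], "sa": {}}
    for line in text.splitlines():
        if m := SELECTOR.search(line):
            out["selectors"].append((m.group(1), m.group(2)))
        elif m := NO_MATCH.search(line):
            out["no_proxy_match"].append((m.group(1), int(m.group(2))))
        elif m := STATE.search(line):
            sa = out["sa"].setdefault(m.group(2), {"states": [], "ike_delete": False})
            sa["states"].append((m.group(3), m.group(4)))
        elif m := DELETE.search(line):
            sa = out["sa"].setdefault(m.group(1), {"states": [], "ike_delete": False})
            sa["ike_delete"] = True
    return out


def torn_down_embryonic(summary):
    """SPIs that IKE deleted and that went straight from embryonic to dead."""
    return sorted(spi for spi, sa in summary["sa"].items()
                  if sa["ike_delete"] and ("embryonic", "dead") in sa["states"])


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("selectors checked:", s["selectors"])
    print("crypto map misses:", s["no_proxy_match"])
    print("deleted while embryonic:", torn_down_embryonic(s))
```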