cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
233
Views
0
Helpful
0
Replies
CedricP
Beginner

Firepower VPN configuration to replace a PIX

Hi there!

 

I am trying to replace an existing site to site VPN tunnel maintained with a old Cisco PIX with a more secured tunnel established by a brand new Firepower 1120. This Firepower was delivered with FTD 6.4 + FDM software. The new tunnel has a different peer and up to date encryption/hashing algorithms.

 

Unfortunately, we could not manage to establish the new tunnel or even to replace the old one with the new appliance. I can still fall back to the old configuration by switching the Firepower to a standby local IP and switching the PIX back to its original local IP.

 

Tunnels descriptions:

  • Old tunnel: IKEv1 Phase1: 3DES-SHA group 2 lifetime 86400s and preshared key, Phase2: ESP 3DES-SHA-HMAC, group 2, no PFS lifetime 3600s
  • New tunnel: IKEv2 Phase1: AES256-SHA256 group 19 lifetime 86400s and preshared key, Phase2: ESP AES256-SHA256, PFS group 19, lifetime 3600s We tried to add aes-gcm-256 encryption on both sides but it did not help.

The peer IP and target servers are different for both tunnels but the topology look the same anyway. In both cases, the ACLs for the tunnel are a complete 192.168.Y.0/24 to two servers A.B.12.44 and A.B.12.45.

 

Network Diagram

AZI-SLOUGH Anonymized.png

The phase 1 negotiation never succeeds. On our side, we receive IKE messages from the other side and we can see the cryptomap being matched and an embryonic sa being created. On the other side, they cannot see any response.

 

I was not able to configure the lifetime of the phase 2 nor to enter a "sysopt connection permit-vpn" command (I tried to add a FlexConfig object and policy but it never ends in the running config).

 

On the Firepower, I created NAT rules to avoid NATing the IPs coming from that local subnet when accessing the servers through the VPN. Same NO-NAT rule in the other way, from the servers to the local subnet. However, the packet-tracer command shows that the tunnel rules drop the communication:

> packet-tracer input inside tcp 192.168.Y.22 ssh A.B.12.44 ssh detailed
WARNING: 5 sec waittime expire start 302356, end 302357,flags 0, trace 0x00000000043693a3/0x00000000043693a3
 
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER09_new SERVER09_new
Additional Information:
NAT divert to egress interface outside
Untranslate A.B.12.44/22 to A.B.12.44/22
 
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435459 ifc inside object InsideYIPv4 ifc outside object-group |acDestNwg-268435459 rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Allow_Y_To_SERVER_SSH
object-group service |acSvcg-268435459
service-object tcp destination eq ssh
object-group network |acDestNwg-268435459
network-object object SERVER09_new
network-object object SERVER10_new
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2b07993bc730, priority=12, domain=permit, trust
        hits=60, user_data=0x2b0789aafc80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=192.168.Y.0, mask=255.255.255.0, port=0, tag=any, ifc=inside
        dst ip/id=A.B.12.44, mask=255.255.255.255, port=22, tag=any, ifc=outside, vlan=0, dscp=0x0
        input_ifc=any, output_ifc=any
 
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER09_new SERVER09_new
Additional Information:
Static translate 192.168.Y.22/22 to 192.168.Y.22/22
Forward Flow based lookup yields rule:
in  id=0x2b07994e3ea0, priority=6, domain=nat, deny=false
        hits=4, user_data=0x2b0798db47f0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.Y.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=A.B.12.44, mask=255.255.255.255, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside
 
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2b0796671040, priority=0, domain=nat-per-session, deny=false
        hits=29465, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any
 
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2b0797a510d0, priority=0, domain=inspect-ip-options, deny=true
        hits=10949, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any
 
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b0796686bb0, priority=70, domain=encrypt, deny=false
        hits=5, user_data=0x0, cs_id=0x2b07993d4bf0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.Y.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=A.B.12.44, mask=255.255.255.255, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=outside
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is the configuration of the new Firepower:

: Hardware:   FPR-1120, 5276 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (12 cores)
:
NGFW Version 6.4.0
!
hostname XYZ-FP
enable password ***** encrypted
names
no mac-address auto
 
!
interface Ethernet1/1
mac-address 0005.3290.1320
nameif outside
cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
security-level 0
ip address 192.168.X.9 255.255.255.0
!
interface Ethernet1/2
mac-address 0005.3290.1320
nameif inside
cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
security-level 0
ip address 192.168.Y.9 255.255.255.0
!
interface Ethernet1/3
shutdown
no nameif
no security-level
no ip address
!
...
!
interface Management1/1
management-only
nameif diagnostic
cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
security-level 0
no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group LOCALS-DNS
name-server 192.168.X.67
name-server 192.168.Y.10
domain-name LOCALSOFT.CH
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
dns-group CiscoUmbrellaDNSServerGroup
object network OutsideFirepowerXIP
host 192.168.X.5
object network UBS_Primary_Endpoint
host A.B.221.70
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network OutsideIPv4Gateway
host 192.168.X.1
object network OutsideIPv4DefaultRoute
subnet 0.0.0.0 0.0.0.0
object network InsideYIPv4
subnet 192.168.Y.0 255.255.255.0
object network OutsidePeerIP
host g.h.j.k
object network SERVER09_old
host A.B.220.197
object network SERVER10_new
host A.B.12.45
object network LOCALS-14
host 192.168.X.67
object network InsideXIPv4
subnet 192.168.X.0 255.255.255.0
object network Gateway_18
host 192.168.Y.10
object network SERVER10_old
host A.B.222.197
object network SERVER09_new
host A.B.12.44
object network UBS_Secondary_Endpoint
host A.B.204.70
object network SERVER_Domain_New
subnet A.B.12.0 255.255.255.0
object network InsideIPv4Any
subnet 192.168.0.0 255.255.0.0
object-group service |acSvcg-268435458
service-object ip
object-group network |acSrcNwg-268435458
network-object object SERVER09_new
network-object object SERVER10_new
object-group service |acSvcg-268435459
service-object tcp destination eq ssh
object-group network |acDestNwg-268435459
network-object object SERVER09_new
network-object object SERVER10_new
object-group service |acSvcg-268435460
service-object ip
object-group network |acSrcNwg-268435460
network-object object SERVER09_old
network-object object SERVER10_old
object-group service |acSvcg-268435461
service-object ip
object-group service |acSvcg-268435462
service-object tcp destination eq ssh
object-group network |acDestNwg-268435462
network-object object SERVER09_old
network-object object SERVER10_old
object-group service |acSvcg-268435457
service-object ip
object-group service |acSvcg-268435463
service-object ip
object-group service |acSvcg-268435464
service-object ip
object-group network |s2sAclSrcNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476
network-object object InsideYIPv4
object-group network |s2sAclDestNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476
network-object object SERVER09_old
network-object object SERVER10_old
object-group network |s2sAclSrcNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727
network-object object InsideYIPv4
object-group network |s2sAclDestNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727
network-object object SERVER09_new
network-object object SERVER10_new
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: Allow_SERVER_IN
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc outside object-group |acSrcNwg-268435458 ifc inside object InsideYIPv4 rule-id 268435458
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Allow_Y_To_SERVER_SSH
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435459 ifc inside object InsideYIPv4 ifc outside object-group |acDestNwg-268435459 rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435460: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435460: L5 RULE: Allow_old_SERVER_in
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 ifc outside object-group |acSrcNwg-268435460 ifc inside object InsideYIPv4 rule-id 268435460
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: Allow_Any_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside any rule-id 268435461
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: Allow_Y_To_SERVERold_SSH
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc inside object InsideYIPv4 ifc outside object-group |acDestNwg-268435462 rule-id 268435462
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Allow_X_Out
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc outside object InsideXIPv4 any rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: Allow_Y_in
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc outside object InsideXIPv4 ifc inside object InsideYIPv4 rule-id 268435464
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced trust ip any any rule-id 1
access-list |s2sAcl|eb882b33-7c36-11eb-99e3-8bd461861476 extended permit ip object-group |s2sAclSrcNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476 object-group |s2sAclDestNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476
access-list |s2sAcl|e162962d-7b40-11eb-ae5b-f11d6d996727 extended permit ip object-group |s2sAclSrcNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727 object-group |s2sAclDestNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727
pager lines 24
logging enable
logging timestamp
logging buffer-size 1000000
logging console debugging
logging buffered debugging
logging permit-hostdown
mtu outside 1200
mtu inside 1500
mtu diagnostic 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (outside,inside) source static SERVER_Domain_New SERVER_Domain_New destination static InsideYIPv4 InsideYIPv4
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER09_old SERVER09_old
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER_Domain_New SERVER_Domain_New
nat (inside,outside) source dynamic any-ipv4 interface inactive
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 192.168.X.1 20
route outside A.B.12.0 255.255.255.0 192.168.X.1 1
route inside 192.168.0.0 255.255.0.0 192.168.Y.10 20
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
http ::/0 inside
ip-client diagnostic
ip-client diagnostic ipv6
ip-client outside
ip-client outside ipv6
ip-client inside
ip-client inside ipv6
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES-GCM
protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal IPSEC-AES256-SHA256
protocol esp encryption aes-gcm-256 aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|e162962d-7b40-11eb-ae5b-f11d6d996727
crypto map s2sCryptoMap 1 set pfs group19
crypto map s2sCryptoMap 1 set peer A.B.221.70
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-GCM IPSEC-AES256-SHA256
crypto map s2sCryptoMap 2 match address |s2sAcl|eb882b33-7c36-11eb-99e3-8bd461861476
crypto map s2sCryptoMap 2 set peer g.h.j.k
crypto map s2sCryptoMap 2 set ikev1 transform-set ESP-3DES-SHA
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 19
prf sha256 sha
lifetime seconds 86400
crypto ikev2 policy 23
encryption aes-gcm-256
integrity null
group 19
prf sha256 sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 22
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh ::/0 inside
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.Y.50-192.168.Y.60 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
webvpn
  anyconnect ssl dtls none
  anyconnect ssl rekey time 4
  anyconnect ssl rekey method new-tunnel
group-policy |s2sGP|g.h.j.k internal
group-policy |s2sGP|g.h.j.k attributes
vpn-tunnel-protocol ikev1
group-policy |s2sGP|A.B.221.70 internal
group-policy |s2sGP|A.B.221.70 attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group g.h.j.k type ipsec-l2l
tunnel-group g.h.j.k general-attributes
default-group-policy |s2sGP|g.h.j.k
tunnel-group g.h.j.k ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group A.B.221.70 type ipsec-l2l
tunnel-group A.B.221.70 general-attributes
default-group-policy |s2sGP|A.B.221.70
tunnel-group A.B.221.70 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
app-agent heartbeat interval 1000 retry-count 3
snort preserve-connection
Cryptochecksum:-
: end

Here is the debug log of the new tunnel:

Message #1 : sIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #2 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #3 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #4 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #5 : IPSEC: Received a PFKey message from IKE
Message #6 : IPSEC: Parsing PFKey GETSPI message
Message #7 : IPSEC: Creating IPsec SA
Message #8 : IPSEC: Getting the inbound SPI
Message #9 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #10 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #11 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0035A17D
Message #12 : IPSEC: New embryonic SA created @ 0x00002b07994b0080,
    SCB: 0x96BA6270,
    Direction: inbound
    SPI      : 0x3F262A4C
    Session ID: 0x0005A000
    VPIF num  : 0x00000002
    Tunnel type: l2l-truncated-
Message #13 : IPSEC: Received a PFKey message from IKE
Message #14 : IPSEC: Parsing PFKey GETSPI message
Message #15 : IPSEC: Creating IPsec SA
Message #16 : IPSEC: Getting the inbound SPI
Message #17 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #18 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #19 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00363A05
Message #20 : IPSEC: New embryonic SA created @ 0x00002b07993cc800,
    SCB: 0x9821ABD0,
    Direction: inbound
    SPI      : 0xA7671F99
    Session ID: 0x0005A000
    VPIF num  : 0x00000002
    Tunnel type: l2l-truncated-
Message #21 : IPSEC: Received a PFKey message from IKE
Message #22 : IPSEC: Parsing PFKey GETSPI message
Message #23 : IPSEC: Creating IPsec SA
Message #24 : IPSEC: Getting the inbound SPI
Message #25 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #26 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #27 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0036EA5B
Message #28 : IPSEC: New embryonic SA created @ 0x00002b079953e1f0,
    SCB: 0x993C2DE0,
    Direction: inbound
    SPI      : 0xF93ABDD6
    Session ID: 0x0005A000
    VPIF num  : 0x00000002
    Tunnel type: l2l-truncated-
Message #29 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=723, daddr=A.B.12.44, dport=5632
Message #30 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #31 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=723, daddr=A.B.12.44, dport=5632
Message #32 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #33 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0035A17D
Message #34 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #35 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x00363A05
Message #36 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #37 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0036EA5B
Message #38 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #39 : IPSEC: Received a PFKey message from IKE
Message #40 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) destroy started, state embryonic
Message #41 : IPSEC: Destroy current inbound SPI: 0x3F262A4C
Message #42 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) free started, state embryonic
Message #43 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) state change from embryonic to dead
Message #44 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #45 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0035A17D
Message #46 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #47 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) free completed
Message #48 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) destroy completed
Message #49 : IPSEC: Received a PFKey message from IKE
Message #50 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) destroy started, state embryonic
Message #51 : IPSEC: Destroy current inbound SPI: 0xA7671F99
Message #52 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) free started, state embryonic
Message #53 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) state change from embryonic to dead
Message #54 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #55 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00363A05
Message #56 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #57 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) free completed
Message #58 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) destroy completed
Message #59 : IPSEC: Received a PFKey message from IKE
Message #60 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) destroy started, state embryonic
Message #61 : IPSEC: Destroy current inbound SPI: 0xF93ABDD6
Message #62 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) free started, state embryonic
Message #63 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) state change from embryonic to dead
Message #64 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #65 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0036EA5B
Message #66 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #67 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) free completed
Message #68 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) destroy completed
Message #69 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=723, daddr=A.B.12.44, dport=5632
Message #70 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #71 : IPSEC: Received a PFKey message from IKE
Message #72 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x3F262A4C)
Message #73 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #74 : IPSEC: Received a PFKey message from IKE
Message #75 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xA7671F99)
Message #76 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #77 : IPSEC: Received a PFKey message from IKE
Message #78 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xF93ABDD6)
Message #79 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #80 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #81 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #82 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #83 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #84 : IPSEC: Received a PFKey message from IKE
Message #85 : IPSEC: Parsing PFKey GETSPI message
Message #86 : IPSEC: Creating IPsec SA
Message #87 : IPSEC: Getting the inbound SPI
Message #88 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #89 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #90 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037648B
Message #91 : IPSEC: New embryonic SA created @ 0x00002b0798dbd020,
    SCB: 0x993C8F90,
    Direction: inbound
    SPI      : 0x08E58923
    Session ID: 0x0005B000
    VPIF num  : 0x00000002
    Tunnel type: l2l-truncated-
Message #92 : IPSEC: Received a PFKey message from IKE
Message #93 : IPSEC: Parsing PFKey GETSPI message
Message #94 : IPSEC: Creating IPsec SA
Message #95 : IPSEC: Getting the inbound SPI
Message #96 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #97 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #98 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037D969
Message #99 : IPSEC: New embryonic SA created @ 0x00002b0797a72710,
    SCB: 0x9821ABD0,
    Direction: inbound
    SPI      : 0xB76B04E8
    Session ID: 0x0005B000
    VPIF num  : 0x00000002
    Tunnel type: l2l-truncated-
Message #100 : IPSEC: Received a PFKey message from IKE
Message #101 : IPSEC: Parsing PFKey GETSPI message
Message #102 : IPSEC: Creating IPsec SA
Message #103 : IPSEC: Getting the inbound SPI
Message #104 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #105 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #106 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00387181
Message #107 : IPSEC: New embryonic SA created @ 0x00002b07993c1c10,
    SCB: 0x96BA6270,
    Direction: inbound
    SPI      : 0xD3311490
    Session ID: 0x0005B000
    VPIF num  : 0x00000002
    Tunnel type: l2l-truncated-
Message #108 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0037648B
Message #109 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #110 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0037D969
Message #111 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #112 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x00387181
Message #113 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #114 : IPSEC: Received a PFKey message from IKE
Message #115 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) destroy started, state embryonic
Message #116 : IPSEC: Destroy current inbound SPI: 0x08E58923
Message #117 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) free started, state embryonic
Message #118 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) state change from embryonic to dead
Message #119 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #120 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037648B
Message #121 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #122 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) free completed
Message #123 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) destroy completed
Message #124 : IPSEC: Received a PFKey message from IKE
Message #125 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) destroy started, state embryonic
Message #126 : IPSEC: Destroy current inbound SPI: 0xB76B04E8
Message #127 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) free started, state embryonic
Message #128 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) state change from embryonic to dead
Message #129 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #130 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037D969
Message #131 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #132 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) free completed
Message #133 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) destroy completed
Message #134 : IPSEC: Received a PFKey message from IKE
Message #135 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) destroy started, state embryonic
Message #136 : IPSEC: Destroy current inbound SPI: 0xD3311490
Message #137 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) free started, state embryonic
Message #138 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) state change from embryonic to dead
Message #139 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #140 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00387181
Message #141 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #142 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) free completed
Message #143 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) destroy completed
Message #144 : IPSEC: Received a PFKey message from IKE
Message #145 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x08E58923)
Message #146 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #147 : IPSEC: Received a PFKey message from IKE
Message #148 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xB76B04E8)
Message #149 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #150 : IPSEC: Received a PFKey message from IKE
Message #151 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xD3311490)
Message #152 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #153 : IPSEC INFO: Setting an IPSec timer of type Bad CTM Timer Type for 3600 seconds with a jitter value of 0
Message #154 : IPSEC INFO: Setting an IPSec timer of type Bad CTM Timer Type for 3600 seconds with a jitter value of 0

Thanks in advance for your help.

Regards.

0 REPLIES 0
Content for Community-Ad