03-09-2021 03:29 AM
Hi there!
I am trying to replace an existing site-to-site VPN tunnel maintained with an old Cisco PIX with a more secure tunnel established by a brand new Firepower 1120. This Firepower was delivered with FTD 6.4 + FDM software. The new tunnel has a different peer and up-to-date encryption/hashing algorithms.
Unfortunately, we could not manage to establish the new tunnel, or even to replace the old one with the new appliance. I can still fall back to the old configuration by switching the Firepower to a standby local IP and switching the PIX back to its original local IP.
Tunnel descriptions:
The peer IP and target servers are different for the two tunnels, but the topology looks the same anyway. In both cases, the ACLs for the tunnel cover the complete 192.168.Y.0/24 to two servers, A.B.12.44 and A.B.12.45.
Network Diagram
The phase 1 negotiation never succeeds. On our side, we receive IKE messages from the other side and we can see the crypto map being matched and an embryonic SA being created. On the other side, they cannot see any response.
I was not able to configure the lifetime of phase 2, nor to enter a "sysopt connection permit-vpn" command (I tried to add a FlexConfig object and policy, but it never ends up in the running config).
On the Firepower, I created NAT rules to avoid NATing the IPs coming from that local subnet when accessing the servers through the VPN, and the same no-NAT rule in the other direction, from the servers to the local subnet. However, the packet-tracer command shows that the tunnel rules drop the communication:
> packet-tracer input inside tcp 192.168.Y.22 ssh A.B.12.44 ssh detailed
WARNING: 5 sec waittime expire
start 302356, end 302357,flags 0, trace 0x00000000043693a3/0x00000000043693a3

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER09_new SERVER09_new
Additional Information:
NAT divert to egress interface outside
Untranslate A.B.12.44/22 to A.B.12.44/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435459 ifc inside object InsideYIPv4 ifc outside object-group |acDestNwg-268435459 rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Allow_Y_To_SERVER_SSH
object-group service |acSvcg-268435459
 service-object tcp destination eq ssh
object-group network |acDestNwg-268435459
 network-object object SERVER09_new
 network-object object SERVER10_new
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2b07993bc730, priority=12, domain=permit, trust
     hits=60, user_data=0x2b0789aafc80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
     src ip/id=192.168.Y.0, mask=255.255.255.0, port=0, tag=any, ifc=inside
     dst ip/id=A.B.12.44, mask=255.255.255.255, port=22, tag=any, ifc=outside, vlan=0, dscp=0x0
     input_ifc=any, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER09_new SERVER09_new
Additional Information:
Static translate 192.168.Y.22/22 to 192.168.Y.22/22
 Forward Flow based lookup yields rule:
 in  id=0x2b07994e3ea0, priority=6, domain=nat, deny=false
     hits=4, user_data=0x2b0798db47f0, cs_id=0x0, flags=0x0, protocol=0
     src ip/id=192.168.Y.0, mask=255.255.255.0, port=0, tag=any
     dst ip/id=A.B.12.44, mask=255.255.255.255, port=0, tag=any, dscp=0x0
     input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2b0796671040, priority=0, domain=nat-per-session, deny=false
     hits=29465, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
     src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
     dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
     input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2b0797a510d0, priority=0, domain=inspect-ip-options, deny=true
     hits=10949, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
     src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
     dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
     input_ifc=inside, output_ifc=any

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x2b0796686bb0, priority=70, domain=encrypt, deny=false
     hits=5, user_data=0x0, cs_id=0x2b07993d4bf0, reverse, flags=0x0, protocol=0
     src ip/id=192.168.Y.0, mask=255.255.255.0, port=0, tag=any
     dst ip/id=A.B.12.44, mask=255.255.255.255, port=0, tag=any, dscp=0x0
     input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here is the configuration of the new Firepower:
: Hardware:   FPR-1120, 5276 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (12 cores)
:
NGFW Version 6.4.0
!
hostname XYZ-FP
enable password ***** encrypted
names
no mac-address auto

!
interface Ethernet1/1
 mac-address 0005.3290.1320
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.X.9 255.255.255.0
!
interface Ethernet1/2
 mac-address 0005.3290.1320
 nameif inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.Y.9 255.255.255.0
!
interface Ethernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
...
!
interface Management1/1
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group LOCALS-DNS
 name-server 192.168.X.67
 name-server 192.168.Y.10
 domain-name LOCALSOFT.CH
dns server-group CiscoUmbrellaDNSServerGroup
 name-server 208.67.222.222
 name-server 208.67.220.220
dns-group CiscoUmbrellaDNSServerGroup
object network OutsideFirepowerXIP
 host 192.168.X.5
object network UBS_Primary_Endpoint
 host A.B.221.70
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network any-ipv6
 subnet ::/0
object network OutsideIPv4Gateway
 host 192.168.X.1
object network OutsideIPv4DefaultRoute
 subnet 0.0.0.0 0.0.0.0
object network InsideYIPv4
 subnet 192.168.Y.0 255.255.255.0
object network OutsidePeerIP
 host g.h.j.k
object network SERVER09_old
 host A.B.220.197
object network SERVER10_new
 host A.B.12.45
object network LOCALS-14
 host 192.168.X.67
object network InsideXIPv4
 subnet 192.168.X.0 255.255.255.0
object network Gateway_18
 host 192.168.Y.10
object network SERVER10_old
 host A.B.222.197
object network SERVER09_new
 host A.B.12.44
object network UBS_Secondary_Endpoint
 host A.B.204.70
object network SERVER_Domain_New
 subnet A.B.12.0 255.255.255.0
object network InsideIPv4Any
 subnet 192.168.0.0 255.255.0.0
object-group service |acSvcg-268435458
 service-object ip
object-group network |acSrcNwg-268435458
 network-object object SERVER09_new
 network-object object SERVER10_new
object-group service |acSvcg-268435459
 service-object tcp destination eq ssh
object-group network |acDestNwg-268435459
 network-object object SERVER09_new
 network-object object SERVER10_new
object-group service |acSvcg-268435460
 service-object ip
object-group network |acSrcNwg-268435460
 network-object object SERVER09_old
 network-object object SERVER10_old
object-group service |acSvcg-268435461
 service-object ip
object-group service |acSvcg-268435462
 service-object tcp destination eq ssh
object-group network |acDestNwg-268435462
 network-object object SERVER09_old
 network-object object SERVER10_old
object-group service |acSvcg-268435457
 service-object ip
object-group service |acSvcg-268435463
 service-object ip
object-group service |acSvcg-268435464
 service-object ip
object-group network |s2sAclSrcNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476
 network-object object InsideYIPv4
object-group network |s2sAclDestNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476
 network-object object SERVER09_old
 network-object object SERVER10_old
object-group network |s2sAclSrcNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727
 network-object object InsideYIPv4
object-group network |s2sAclDestNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727
 network-object object SERVER09_new
 network-object object SERVER10_new
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: Allow_SERVER_IN
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc outside object-group |acSrcNwg-268435458 ifc inside object InsideYIPv4 rule-id 268435458
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Allow_Y_To_SERVER_SSH
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435459 ifc inside object InsideYIPv4 ifc outside object-group |acDestNwg-268435459 rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435460: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435460: L5 RULE: Allow_old_SERVER_in
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 ifc outside object-group |acSrcNwg-268435460 ifc inside object InsideYIPv4 rule-id 268435460
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: Allow_Any_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside any rule-id 268435461
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: Allow_Y_To_SERVERold_SSH
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc inside object InsideYIPv4 ifc outside object-group |acDestNwg-268435462 rule-id 268435462
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Allow_X_Out
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc outside object InsideXIPv4 any rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: Allow_Y_in
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc outside object InsideXIPv4 ifc inside object InsideYIPv4 rule-id 268435464
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced trust ip any any rule-id 1
access-list |s2sAcl|eb882b33-7c36-11eb-99e3-8bd461861476 extended permit ip object-group |s2sAclSrcNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476 object-group |s2sAclDestNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476
access-list |s2sAcl|e162962d-7b40-11eb-ae5b-f11d6d996727 extended permit ip object-group |s2sAclSrcNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727 object-group |s2sAclDestNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727
pager lines 24
logging enable
logging timestamp
logging buffer-size 1000000
logging console debugging
logging buffered debugging
logging permit-hostdown
mtu outside 1200
mtu inside 1500
mtu diagnostic 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (outside,inside) source static SERVER_Domain_New SERVER_Domain_New destination static InsideYIPv4 InsideYIPv4
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER09_old SERVER09_old
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER_Domain_New SERVER_Domain_New
nat (inside,outside) source dynamic any-ipv4 interface inactive
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 192.168.X.1 20
route outside A.B.12.0 255.255.255.0 192.168.X.1 1
route inside 192.168.0.0 255.255.0.0 192.168.Y.10 20
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
http ::/0 inside
ip-client diagnostic
ip-client diagnostic ipv6
ip-client outside
ip-client outside ipv6
ip-client inside
ip-client inside ipv6
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal IPSEC-AES256-SHA256
 protocol esp encryption aes-gcm-256 aes-256
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|e162962d-7b40-11eb-ae5b-f11d6d996727
crypto map s2sCryptoMap 1 set pfs group19
crypto map s2sCryptoMap 1 set peer A.B.221.70
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-GCM IPSEC-AES256-SHA256
crypto map s2sCryptoMap 2 match address |s2sAcl|eb882b33-7c36-11eb-99e3-8bd461861476
crypto map s2sCryptoMap 2 set peer g.h.j.k
crypto map s2sCryptoMap 2 set ikev1 transform-set ESP-3DES-SHA
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 19
 prf sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 23
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256 sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 22
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh ::/0 inside
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.Y.50-192.168.Y.60 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls none
  anyconnect ssl rekey time 4
  anyconnect ssl rekey method new-tunnel
group-policy |s2sGP|g.h.j.k internal
group-policy |s2sGP|g.h.j.k attributes
 vpn-tunnel-protocol ikev1
group-policy |s2sGP|A.B.221.70 internal
group-policy |s2sGP|A.B.221.70 attributes
 vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group g.h.j.k type ipsec-l2l
tunnel-group g.h.j.k general-attributes
 default-group-policy |s2sGP|g.h.j.k
tunnel-group g.h.j.k ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group A.B.221.70 type ipsec-l2l
tunnel-group A.B.221.70 general-attributes
 default-group-policy |s2sGP|A.B.221.70
tunnel-group A.B.221.70 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
app-agent heartbeat interval 1000 retry-count 3
snort preserve-connection
Cryptochecksum:-
: end
Here is the debug log of the new tunnel:
Message #1 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #2 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #3 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #4 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #5 : IPSEC: Received a PFKey message from IKE
Message #6 : IPSEC: Parsing PFKey GETSPI message
Message #7 : IPSEC: Creating IPsec SA
Message #8 : IPSEC: Getting the inbound SPI
Message #9 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #10 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #11 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0035A17D
Message #12 : IPSEC: New embryonic SA created @ 0x00002b07994b0080, SCB: 0x96BA6270, Direction: inbound SPI : 0x3F262A4C Session ID: 0x0005A000 VPIF num : 0x00000002 Tunnel type: l2l-truncated-
Message #13 : IPSEC: Received a PFKey message from IKE
Message #14 : IPSEC: Parsing PFKey GETSPI message
Message #15 : IPSEC: Creating IPsec SA
Message #16 : IPSEC: Getting the inbound SPI
Message #17 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #18 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #19 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00363A05
Message #20 : IPSEC: New embryonic SA created @ 0x00002b07993cc800, SCB: 0x9821ABD0, Direction: inbound SPI : 0xA7671F99 Session ID: 0x0005A000 VPIF num : 0x00000002 Tunnel type: l2l-truncated-
Message #21 : IPSEC: Received a PFKey message from IKE
Message #22 : IPSEC: Parsing PFKey GETSPI message
Message #23 : IPSEC: Creating IPsec SA
Message #24 : IPSEC: Getting the inbound SPI
Message #25 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #26 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #27 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0036EA5B
Message #28 : IPSEC: New embryonic SA created @ 0x00002b079953e1f0, SCB: 0x993C2DE0, Direction: inbound SPI : 0xF93ABDD6 Session ID: 0x0005A000 VPIF num : 0x00000002 Tunnel type: l2l-truncated-
Message #29 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=723, daddr=A.B.12.44, dport=5632
Message #30 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #31 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=723, daddr=A.B.12.44, dport=5632
Message #32 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #33 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0035A17D
Message #34 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #35 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x00363A05
Message #36 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #37 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0036EA5B
Message #38 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #39 : IPSEC: Received a PFKey message from IKE
Message #40 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) destroy started, state embryonic
Message #41 : IPSEC: Destroy current inbound SPI: 0x3F262A4C
Message #42 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) free started, state embryonic
Message #43 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) state change from embryonic to dead
Message #44 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #45 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0035A17D
Message #46 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #47 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) free completed
Message #48 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) destroy completed
Message #49 : IPSEC: Received a PFKey message from IKE
Message #50 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) destroy started, state embryonic
Message #51 : IPSEC: Destroy current inbound SPI: 0xA7671F99
Message #52 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) free started, state embryonic
Message #53 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) state change from embryonic to dead
Message #54 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #55 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00363A05
Message #56 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #57 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) free completed
Message #58 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) destroy completed
Message #59 : IPSEC: Received a PFKey message from IKE
Message #60 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) destroy started, state embryonic
Message #61 : IPSEC: Destroy current inbound SPI: 0xF93ABDD6
Message #62 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) free started, state embryonic
Message #63 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) state change from embryonic to dead
Message #64 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #65 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0036EA5B
Message #66 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #67 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) free completed
Message #68 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) destroy completed
Message #69 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=723, daddr=A.B.12.44, dport=5632
Message #70 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #71 : IPSEC: Received a PFKey message from IKE
Message #72 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x3F262A4C)
Message #73 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #74 : IPSEC: Received a PFKey message from IKE
Message #75 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xA7671F99)
Message #76 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #77 : IPSEC: Received a PFKey message from IKE
Message #78 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xF93ABDD6)
Message #79 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #80 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #81 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #82 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #83 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #84 : IPSEC: Received a PFKey message from IKE
Message #85 : IPSEC: Parsing PFKey GETSPI message
Message #86 : IPSEC: Creating IPsec SA
Message #87 : IPSEC: Getting the inbound SPI
Message #88 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #89 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #90 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037648B
Message #91 : IPSEC: New embryonic SA created @ 0x00002b0798dbd020, SCB: 0x993C8F90, Direction: inbound SPI : 0x08E58923 Session ID: 0x0005B000 VPIF num : 0x00000002 Tunnel type: l2l-truncated-
Message #92 : IPSEC: Received a PFKey message from IKE
Message #93 : IPSEC: Parsing PFKey GETSPI message
Message #94 : IPSEC: Creating IPsec SA
Message #95 : IPSEC: Getting the inbound SPI
Message #96 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #97 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #98 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037D969
Message #99 : IPSEC: New embryonic SA created @ 0x00002b0797a72710, SCB: 0x9821ABD0, Direction: inbound SPI : 0xB76B04E8 Session ID: 0x0005B000 VPIF num : 0x00000002 Tunnel type: l2l-truncated-
Message #100 : IPSEC: Received a PFKey message from IKE
Message #101 : IPSEC: Parsing PFKey GETSPI message
Message #102 : IPSEC: Creating IPsec SA
Message #103 : IPSEC: Getting the inbound SPI
Message #104 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #105 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #106 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00387181
Message #107 : IPSEC: New embryonic SA created @ 0x00002b07993c1c10, SCB: 0x96BA6270, Direction: inbound SPI : 0xD3311490 Session ID: 0x0005B000 VPIF num : 0x00000002 Tunnel type: l2l-truncated-
Message #108 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0037648B
Message #109 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #110 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0037D969
Message #111 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #112 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x00387181
Message #113 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #114 : IPSEC: Received a PFKey message from IKE
Message #115 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) destroy started, state embryonic
Message #116 : IPSEC: Destroy current inbound SPI: 0x08E58923
Message #117 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) free started, state embryonic
Message #118 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) state change from embryonic to dead
Message #119 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #120 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037648B
Message #121 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #122 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) free completed
Message #123 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) destroy completed
Message #124 : IPSEC: Received a PFKey message from IKE
Message #125 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) destroy started, state embryonic
Message #126 : IPSEC: Destroy current inbound SPI: 0xB76B04E8
Message #127 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) free started, state embryonic
Message #128 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) state change from embryonic to dead
Message #129 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #130 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037D969
Message #131 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #132 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) free completed
Message #133 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) destroy completed
Message #134 : IPSEC: Received a PFKey message from IKE
Message #135 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) destroy started, state embryonic
Message #136 : IPSEC: Destroy current inbound SPI: 0xD3311490
Message #137 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) free started, state embryonic
Message #138 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) state change from embryonic to dead
Message #139 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #140 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00387181
Message #141 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #142 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) free completed
Message #143 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) destroy completed
Message #144 : IPSEC: Received a PFKey message from IKE
Message #145 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x08E58923)
Message #146 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #147 : IPSEC: Received a PFKey message from IKE
Message #148 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xB76B04E8)
Message #149 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #150 : IPSEC: Received a PFKey message from IKE
Message #151 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xD3311490)
Message #152 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #153 : IPSEC INFO: Setting an IPSec timer of type Bad CTM Timer Type for 3600 seconds with a jitter value of 0
Message #154 : IPSEC INFO: Setting an IPSec timer of type Bad CTM Timer Type for 3600 seconds with a jitter value of 0
Thanks in advance for your help.
Regards.
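Added example (editor's code, not part of the post above): the running-config posted above carries both the old PIX-era parameters (IKEv1, 3DES, SHA-1, DH group 2, no PFS on crypto map entry 2) and the new IKEv2 ones side by side. The script below parses an ASA/FTD-style config into blocks and flags the legacy choices, so they stand out before a peer is asked why phase 1 fails. The sample config is constructed from the crypto lines of the posted config with the peer addresses replaced by RFC 5737 documentation addresses; the weak/legacy algorithm lists are this example's own policy, not an FTD setting.

```python
"""Audit the IKE/IPsec crypto settings of an ASA/FTD-style running-config.

Flags legacy algorithms (DES/3DES, MD5, SHA-1, DH groups 1/2/5), IKEv1
policies and crypto-map entries, entries without PFS, and 'integrity null'
used with a non-AEAD cipher.
"""
import re
from collections import defaultdict

# Constructed sample: the crypto-relevant lines of the FTD 6.4 config above,
# with the peer addresses replaced by RFC 5737 documentation addresses.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal IPSEC-AES256-SHA256
 protocol esp encryption aes-gcm-256 aes-256
 protocol esp integrity sha-256
crypto map s2sCryptoMap 1 match address |s2sAcl|e162962d-7b40-11eb-ae5b-f11d6d996727
crypto map s2sCryptoMap 1 set pfs group19
crypto map s2sCryptoMap 1 set peer 203.0.113.70
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-GCM IPSEC-AES256-SHA256
crypto map s2sCryptoMap 2 match address |s2sAcl|eb882b33-7c36-11eb-99e3-8bd461861476
crypto map s2sCryptoMap 2 set peer 198.51.100.7
crypto map s2sCryptoMap 2 set ikev1 transform-set ESP-3DES-SHA
crypto map s2sCryptoMap interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 19
 prf sha256 sha
 lifetime seconds 86400
crypto ikev1 policy 22
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Policy lists are this example's own choice, not an FTD setting.
WEAK_ENC = {"des", "3des", "esp-des", "esp-3des"}
WEAK_INTEG = {"md5", "esp-md5-hmac"}
LEGACY_INTEG = {"sha", "esp-sha-hmac"}          # plain "sha" is SHA-1 in ASA syntax
WEAK_GROUPS = {"1", "2", "5", "group1", "group2", "group5"}
CMAP_SET = re.compile(r"crypto map (\S+) (\d+) set (\S+)(?: (.*))?$")


def parse_blocks(config):
    """Yield (header, [child lines]) for each top-level ASA config block."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] == " ":                       # indented line belongs to the current block
            children.append(raw.strip())
            continue
        if header is not None:
            yield header, children
        header, children = raw.strip(), []
    if header is not None:
        yield header, children


def _check_algs(findings, name, kind, algs):
    for a in algs:
        if a in WEAK_ENC or a in WEAK_INTEG:
            findings[name].append(f"weak {kind} {a}")
        elif a in LEGACY_INTEG:
            findings[name].append(f"SHA-1 {kind} {a} (legacy)")
        elif a in WEAK_GROUPS:
            findings[name].append(f"weak DH {kind} {a}")


def _check_integrity(findings, name, integ, enc):
    """'integrity null' is only legitimate when every cipher is an AEAD (GCM)."""
    if "null" in integ and not all("gcm" in e for e in enc):
        findings[name].append("null integrity with a non-AEAD cipher")
    _check_algs(findings, name, "integrity", [a for a in integ if a != "null"])


def audit_crypto(config):
    """Return {object name: [issue, ...]} for every object with a finding."""
    findings = defaultdict(list)
    cmap = defaultdict(dict)           # (map name, seq) -> {"version": .., "pfs": ..}
    for header, children in parse_blocks(config):
        w = header.split()
        m = CMAP_SET.match(header)
        if header.startswith("crypto ikev1 policy "):
            name = f"ikev1 policy {w[3]}"
            findings[name].append("IKEv1 policy (prefer IKEv2)")
            for c in children:
                k, _, v = c.partition(" ")
                if k in ("encryption", "hash", "group"):
                    _check_algs(findings, name, k, v.split())
        elif header.startswith("crypto ikev2 policy "):
            name = f"ikev2 policy {w[3]}"
            attrs = dict(c.partition(" ")[::2] for c in children)
            for k in ("encryption", "prf", "group"):
                _check_algs(findings, name, k, attrs.get(k, "").split())
            _check_integrity(findings, name, attrs.get("integrity", "").split(),
                             attrs.get("encryption", "").split())
        elif header.startswith("crypto ipsec ikev1 transform-set "):
            _check_algs(findings, f"transform-set {w[4]}", "transform", w[5:])
        elif header.startswith("crypto ipsec ikev2 ipsec-proposal "):
            name = f"ipsec-proposal {w[4]}"
            attrs = {}
            for c in children:             # "protocol esp encryption a b" / "protocol esp integrity x"
                p = c.split()
                if len(p) >= 4 and p[:2] == ["protocol", "esp"]:
                    attrs[p[2]] = p[3:]
            _check_algs(findings, name, "encryption", attrs.get("encryption", []))
            _check_integrity(findings, name, attrs.get("integrity", []), attrs.get("encryption", []))
        elif m:
            key, what, rest = (m.group(1), m.group(2)), m.group(3), m.group(4) or ""
            if what == "pfs":
                cmap[key]["pfs"] = rest or "(platform default)"
            elif what in ("ikev1", "ikev2"):
                cmap[key]["version"] = what
    for (mname, seq), attrs in cmap.items():
        name = f"crypto map {mname} {seq}"
        if attrs.get("version") == "ikev1":
            findings[name].append("IKEv1 crypto-map entry (prefer IKEv2)")
        if "pfs" not in attrs:
            findings[name].append("no PFS configured")
        elif attrs["pfs"] in WEAK_GROUPS:
            findings[name].append(f"weak PFS group {attrs['pfs']}")
    return dict(findings)


if __name__ == "__main__":
    for obj, issues in audit_crypto(SAMPLE_CONFIG).items():
        print(obj)
        for issue in issues:
            print("  -", issue)
```

Run it against the output of `show running-config` on the FTD (the same block syntax is used by ASA). The AES-GCM proposal with `integrity null` is deliberately not flagged, since GCM is an AEAD and supplies its own integrity; the same `null` next to `aes-256` would be.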
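Added example (editor's code, not part of the post above): a parser for the `packet-tracer ... detailed` output format shown above. The final `Drop-reason: (acl-drop) Flow is denied by configured rule` line is generic; what identifies the real cause in the trace above is that the phase with `Result: DROP` is `Type: VPN / Subtype: encrypt` with a matched rule in `domain=encrypt`, not an access-list phase. The parser splits the trace into phases, extracts the matched-rule attributes, and reports which phase dropped the flow, which is handy when running the command for many 5-tuples. The sample trace is a constructed, abridged copy of the one above with the server address replaced by an RFC 5737 documentation address.

```python
"""Parse `packet-tracer ... detailed` output from an ASA/FTD into its phases
and report which phase dropped the flow and which rule domain it matched.
"""
import re

# Constructed sample: an abridged version of the trace above (phases 3 to 5
# omitted), with the server address replaced by a documentation address.
SAMPLE_TRACE = """\
> packet-tracer input inside tcp 192.168.1.22 ssh 192.0.2.44 ssh detailed
WARNING: 5 sec waittime expire
start 302356, end 302357,flags 0, trace 0x00000000043693a3/0x00000000043693a3

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER09_new SERVER09_new
Additional Information:
NAT divert to egress interface outside
Untranslate 192.0.2.44/22 to 192.0.2.44/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Allow_Y_To_SERVER_SSH
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2b07993bc730, priority=12, domain=permit, trust

Phase: 3
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x2b0796686bb0, priority=70, domain=encrypt, deny=false

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_FIELDS = {"Phase", "Type", "Subtype", "Result"}
RULE_ATTR = re.compile(r"(\w+)=([^,\s]+)")


def parse_packet_tracer(text):
    """Return (phases, final): a list of phase dicts and the trailing Result block."""
    phases, final = [], {}
    for section in re.split(r"\n\s*\n", text.strip()):
        lines = section.splitlines()
        if lines[0].startswith("Phase:"):
            phase = {"config": [], "info": []}
            bucket = None
            for line in lines:
                key, sep, val = line.partition(":")
                if sep and key in PHASE_FIELDS:
                    phase[key.lower()] = val.strip()
                elif line.strip() == "Config:":
                    bucket = "config"
                elif line.strip() == "Additional Information:":
                    bucket = "info"
                elif bucket:
                    phase[bucket].append(line.rstrip())
            phase["phase"] = int(phase["phase"])
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, sep, val = line.partition(":")
                if sep:
                    final[key.strip().lower()] = val.strip()
    # The leading "> packet-tracer ..." / WARNING section is neither and is skipped.
    return phases, final


def matched_rule(phase):
    """Extract key=value attributes (id, priority, domain, ...) of the rule the phase matched."""
    attrs = {}
    for line in phase["info"]:
        if "id=" in line:
            attrs.update(RULE_ATTR.findall(line))
    return attrs


def first_drop(phases):
    """Return the first phase whose Result is DROP, or None if the flow was allowed."""
    return next((p for p in phases if p.get("result") == "DROP"), None)


def summarize(text):
    """One-record verdict, suitable for batch-testing many flows."""
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    out = {"action": final.get("action"), "drop_reason": final.get("drop-reason"),
           "phases": len(phases), "drop_phase": None, "drop_domain": None}
    if drop:
        out["drop_phase"] = f"{drop['phase']} {drop['type']}/{drop['subtype']}".rstrip("/")
        out["drop_domain"] = matched_rule(drop).get("domain")
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

For the sample, `summarize` reports `drop_phase` `3 VPN/encrypt` and `drop_domain` `encrypt`; a flow dropped by the access policy instead would show an ACCESS-LIST phase and a `permit`/`deny` domain, even though the generic drop-reason text can read the same.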