Hi there!
I am trying to replace an existing site to site VPN tunnel maintained with a old Cisco PIX with a more secured tunnel established by a brand new Firepower 1120. This Firepower was delivered with FTD 6.4 + FDM software. The new tunnel has a different peer and up to date encryption/hashing algorithms.
Unfortunately, we could not manage to establish the new tunnel or even to replace the old one with the new appliance. I can still fall back to the old configuration by switching the Firepower to a standby local IP and switching the PIX back to its original local IP.
Tunnels descriptions:
- Old tunnel: IKEv1 Phase1: 3DES-SHA group 2 lifetime 86400s and preshared key, Phase2: ESP 3DES-SHA-HMAC, group 2, no PFS lifetime 3600s
- New tunnel: IKEv2 Phase1: AES256-SHA256 group 19 lifetime 86400s and preshared key, Phase2: ESP AES256-SHA256, PFS group 19, lifetime 3600s We tried to add aes-gcm-256 encryption on both sides but it did not help.
The peer IP and target servers are different for both tunnels but the topology look the same anyway. In both cases, the ACLs for the tunnel are a complete 192.168.Y.0/24 to two servers A.B.12.44 and A.B.12.45.
Network Diagram
The phase 1 negotiation never succeeds. On our side, we receive IKE messages from the other side and we can see the cryptomap being matched and an embryonic sa being created. On the other side, they cannot see any response.
I was not able to configure the lifetime of the phase 2 nor to enter a "sysopt connection permit-vpn" command (I tried to add a FlexConfig object and policy but it never ends in the running config).
On the Firepower, I created NAT rules to avoid NATing the IPs coming from that local subnet when accessing the servers through the VPN. Same NO-NAT rule in the other way, from the servers to the local subnet. However, the packet-tracer command shows that the tunnel rules drop the communication:
> packet-tracer input inside tcp 192.168.Y.22 ssh A.B.12.44 ssh detailed
WARNING: 5 sec waittime expire start 302356, end 302357,flags 0, trace 0x00000000043693a3/0x00000000043693a3
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER09_new SERVER09_new
Additional Information:
NAT divert to egress interface outside
Untranslate A.B.12.44/22 to A.B.12.44/22
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435459 ifc inside object InsideYIPv4 ifc outside object-group |acDestNwg-268435459 rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Allow_Y_To_SERVER_SSH
object-group service |acSvcg-268435459
service-object tcp destination eq ssh
object-group network |acDestNwg-268435459
network-object object SERVER09_new
network-object object SERVER10_new
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b07993bc730, priority=12, domain=permit, trust
hits=60, user_data=0x2b0789aafc80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=192.168.Y.0, mask=255.255.255.0, port=0, tag=any, ifc=inside
dst ip/id=A.B.12.44, mask=255.255.255.255, port=22, tag=any, ifc=outside, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER09_new SERVER09_new
Additional Information:
Static translate 192.168.Y.22/22 to 192.168.Y.22/22
Forward Flow based lookup yields rule:
in id=0x2b07994e3ea0, priority=6, domain=nat, deny=false
hits=4, user_data=0x2b0798db47f0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.Y.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=A.B.12.44, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b0796671040, priority=0, domain=nat-per-session, deny=false
hits=29465, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b0797a510d0, priority=0, domain=inspect-ip-options, deny=true
hits=10949, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b0796686bb0, priority=70, domain=encrypt, deny=false
hits=5, user_data=0x0, cs_id=0x2b07993d4bf0, reverse, flags=0x0, protocol=0
src ip/id=192.168.Y.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=A.B.12.44, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured ruleHere is the configuration of the new Firepower:
: Hardware: FPR-1120, 5276 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (12 cores) : NGFW Version 6.4.0 ! hostname XYZ-FP enable password ***** encrypted names no mac-address auto ! interface Ethernet1/1 mac-address 0005.3290.1320 nameif outside cts manual propagate sgt preserve-untag policy static sgt disabled trusted security-level 0 ip address 192.168.X.9 255.255.255.0 ! interface Ethernet1/2 mac-address 0005.3290.1320 nameif inside cts manual propagate sgt preserve-untag policy static sgt disabled trusted security-level 0 ip address 192.168.Y.9 255.255.255.0 ! interface Ethernet1/3 shutdown no nameif no security-level no ip address ! ... ! interface Management1/1 management-only nameif diagnostic cts manual propagate sgt preserve-untag policy static sgt disabled trusted security-level 0 no ip address ! ftp mode passive ngips conn-match vlan-id dns domain-lookup any dns server-group LOCALS-DNS name-server 192.168.X.67 name-server 192.168.Y.10 domain-name LOCALSOFT.CH dns server-group CiscoUmbrellaDNSServerGroup name-server 208.67.222.222 name-server 208.67.220.220 dns-group CiscoUmbrellaDNSServerGroup object network OutsideFirepowerXIP host 192.168.X.5 object network UBS_Primary_Endpoint host A.B.221.70 object network any-ipv4 subnet 0.0.0.0 0.0.0.0 object network any-ipv6 subnet ::/0 object network OutsideIPv4Gateway host 192.168.X.1 object network OutsideIPv4DefaultRoute subnet 0.0.0.0 0.0.0.0 object network InsideYIPv4 subnet 192.168.Y.0 255.255.255.0 object network OutsidePeerIP host g.h.j.k object network SERVER09_old host A.B.220.197 object network SERVER10_new host A.B.12.45 object network LOCALS-14 host 192.168.X.67 object network InsideXIPv4 subnet 192.168.X.0 255.255.255.0 object network Gateway_18 host 192.168.Y.10 object network SERVER10_old host A.B.222.197 object network SERVER09_new host A.B.12.44 object network UBS_Secondary_Endpoint host A.B.204.70 object network SERVER_Domain_New subnet A.B.12.0 255.255.255.0 object network InsideIPv4Any subnet 192.168.0.0 255.255.0.0 object-group service |acSvcg-268435458 service-object ip object-group network |acSrcNwg-268435458 network-object object SERVER09_new network-object object SERVER10_new object-group service |acSvcg-268435459 service-object tcp destination eq ssh object-group network |acDestNwg-268435459 network-object object SERVER09_new network-object object SERVER10_new object-group service |acSvcg-268435460 service-object ip object-group network |acSrcNwg-268435460 network-object object SERVER09_old network-object object SERVER10_old object-group service |acSvcg-268435461 service-object ip object-group service |acSvcg-268435462 service-object tcp destination eq ssh object-group network |acDestNwg-268435462 network-object object SERVER09_old network-object object SERVER10_old object-group service |acSvcg-268435457 service-object ip object-group service |acSvcg-268435463 service-object ip object-group service |acSvcg-268435464 service-object ip object-group network |s2sAclSrcNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476 network-object object InsideYIPv4 object-group network |s2sAclDestNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476 network-object object SERVER09_old network-object object SERVER10_old object-group network |s2sAclSrcNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727 network-object object InsideYIPv4 object-group network |s2sAclDestNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727 network-object object SERVER09_new network-object object SERVER10_new access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: Allow_SERVER_IN access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc outside object-group |acSrcNwg-268435458 ifc inside object InsideYIPv4 rule-id 268435458 access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Allow_Y_To_SERVER_SSH access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435459 ifc inside object InsideYIPv4 ifc outside object-group |acDestNwg-268435459 rule-id 268435459 event-log both access-list NGFW_ONBOX_ACL remark rule-id 268435460: ACCESS POLICY: NGFW_Access_Policy access-list NGFW_ONBOX_ACL remark rule-id 268435460: L5 RULE: Allow_old_SERVER_in access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 ifc outside object-group |acSrcNwg-268435460 ifc inside object InsideYIPv4 rule-id 268435460 access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: Allow_Any_In access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside any rule-id 268435461 access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: Allow_Y_To_SERVERold_SSH access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc inside object InsideYIPv4 ifc outside object-group |acDestNwg-268435462 rule-id 268435462 access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Allow_X_Out access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc outside object InsideXIPv4 any rule-id 268435463 access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: Allow_Y_in access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc outside object InsideXIPv4 ifc inside object InsideYIPv4 rule-id 268435464 access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule access-list NGFW_ONBOX_ACL advanced trust ip any any rule-id 1 access-list |s2sAcl|eb882b33-7c36-11eb-99e3-8bd461861476 extended permit ip object-group |s2sAclSrcNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476 object-group |s2sAclDestNwgV4|eb882b33-7c36-11eb-99e3-8bd461861476 access-list |s2sAcl|e162962d-7b40-11eb-ae5b-f11d6d996727 extended permit ip object-group |s2sAclSrcNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727 object-group |s2sAclDestNwgV4|e162962d-7b40-11eb-ae5b-f11d6d996727 pager lines 24 logging enable logging timestamp logging buffer-size 1000000 logging console debugging logging buffered debugging logging permit-hostdown mtu outside 1200 mtu inside 1500 mtu diagnostic 1500 no failover no monitor-interface service-module icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 nat (outside,inside) source static SERVER_Domain_New SERVER_Domain_New destination static InsideYIPv4 InsideYIPv4 nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER09_old SERVER09_old nat (inside,outside) source static InsideYIPv4 InsideYIPv4 destination static SERVER_Domain_New SERVER_Domain_New nat (inside,outside) source dynamic any-ipv4 interface inactive access-group NGFW_ONBOX_ACL global route outside 0.0.0.0 0.0.0.0 192.168.X.1 20 route outside A.B.12.0 255.255.255.0 192.168.X.1 1 route inside 192.168.0.0 255.255.0.0 192.168.Y.10 20 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL aaa authentication login-history http server enable http 0.0.0.0 0.0.0.0 inside http ::/0 inside ip-client diagnostic ip-client diagnostic ipv6 ip-client outside ip-client outside ipv6 ip-client inside ip-client inside ipv6 no snmp-server location no snmp-server contact sysopt connection tcpmss 0 crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev2 ipsec-proposal AES-GCM protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm protocol esp integrity null crypto ipsec ikev2 ipsec-proposal IPSEC-AES256-SHA256 protocol esp encryption aes-gcm-256 aes-256 protocol esp integrity sha-256 crypto ipsec security-association pmtu-aging infinite crypto map s2sCryptoMap 1 match address |s2sAcl|e162962d-7b40-11eb-ae5b-f11d6d996727 crypto map s2sCryptoMap 1 set pfs group19 crypto map s2sCryptoMap 1 set peer A.B.221.70 crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-GCM IPSEC-AES256-SHA256 crypto map s2sCryptoMap 2 match address |s2sAcl|eb882b33-7c36-11eb-99e3-8bd461861476 crypto map s2sCryptoMap 2 set peer g.h.j.k crypto map s2sCryptoMap 2 set ikev1 transform-set ESP-3DES-SHA crypto map s2sCryptoMap interface outside crypto ca trustpool policy crypto ikev2 policy 1 encryption aes-256 integrity sha256 group 19 prf sha256 sha lifetime seconds 86400 crypto ikev2 policy 23 encryption aes-gcm-256 integrity null group 19 prf sha256 sha lifetime seconds 86400 crypto ikev2 enable outside crypto ikev1 enable outside crypto ikev1 policy 22 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh 0.0.0.0 0.0.0.0 inside ssh ::/0 inside console timeout 0 dhcpd auto_config outside ! dhcpd address 192.168.Y.50-192.168.Y.60 inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ssl-client webvpn anyconnect ssl dtls none anyconnect ssl rekey time 4 anyconnect ssl rekey method new-tunnel group-policy |s2sGP|g.h.j.k internal group-policy |s2sGP|g.h.j.k attributes vpn-tunnel-protocol ikev1 group-policy |s2sGP|A.B.221.70 internal group-policy |s2sGP|A.B.221.70 attributes vpn-tunnel-protocol ikev2 dynamic-access-policy-record DfltAccessPolicy tunnel-group g.h.j.k type ipsec-l2l tunnel-group g.h.j.k general-attributes default-group-policy |s2sGP|g.h.j.k tunnel-group g.h.j.k ipsec-attributes ikev1 pre-shared-key ***** tunnel-group A.B.221.70 type ipsec-l2l tunnel-group A.B.221.70 general-attributes default-group-policy |s2sGP|A.B.221.70 tunnel-group A.B.221.70 ipsec-attributes ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp inspect icmp error ! service-policy global_policy global prompt hostname context call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily app-agent heartbeat interval 1000 retry-count 3 snort preserve-connection Cryptochecksum:- : end
Here is the debug log of the new tunnel:
Message #1 : sIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #2 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #3 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #4 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #5 : IPSEC: Received a PFKey message from IKE
Message #6 : IPSEC: Parsing PFKey GETSPI message
Message #7 : IPSEC: Creating IPsec SA
Message #8 : IPSEC: Getting the inbound SPI
Message #9 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #10 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #11 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0035A17D
Message #12 : IPSEC: New embryonic SA created @ 0x00002b07994b0080,
SCB: 0x96BA6270,
Direction: inbound
SPI : 0x3F262A4C
Session ID: 0x0005A000
VPIF num : 0x00000002
Tunnel type: l2l-truncated-
Message #13 : IPSEC: Received a PFKey message from IKE
Message #14 : IPSEC: Parsing PFKey GETSPI message
Message #15 : IPSEC: Creating IPsec SA
Message #16 : IPSEC: Getting the inbound SPI
Message #17 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #18 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #19 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00363A05
Message #20 : IPSEC: New embryonic SA created @ 0x00002b07993cc800,
SCB: 0x9821ABD0,
Direction: inbound
SPI : 0xA7671F99
Session ID: 0x0005A000
VPIF num : 0x00000002
Tunnel type: l2l-truncated-
Message #21 : IPSEC: Received a PFKey message from IKE
Message #22 : IPSEC: Parsing PFKey GETSPI message
Message #23 : IPSEC: Creating IPsec SA
Message #24 : IPSEC: Getting the inbound SPI
Message #25 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #26 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #27 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0036EA5B
Message #28 : IPSEC: New embryonic SA created @ 0x00002b079953e1f0,
SCB: 0x993C2DE0,
Direction: inbound
SPI : 0xF93ABDD6
Session ID: 0x0005A000
VPIF num : 0x00000002
Tunnel type: l2l-truncated-
Message #29 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=723, daddr=A.B.12.44, dport=5632
Message #30 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #31 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=723, daddr=A.B.12.44, dport=5632
Message #32 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #33 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0035A17D
Message #34 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #35 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x00363A05
Message #36 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #37 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0036EA5B
Message #38 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #39 : IPSEC: Received a PFKey message from IKE
Message #40 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) destroy started, state embryonic
Message #41 : IPSEC: Destroy current inbound SPI: 0x3F262A4C
Message #42 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) free started, state embryonic
Message #43 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) state change from embryonic to dead
Message #44 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #45 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0035A17D
Message #46 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #47 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) free completed
Message #48 : IPSEC DEBUG: Inbound SA (SPI 0x3F262A4C) destroy completed
Message #49 : IPSEC: Received a PFKey message from IKE
Message #50 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) destroy started, state embryonic
Message #51 : IPSEC: Destroy current inbound SPI: 0xA7671F99
Message #52 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) free started, state embryonic
Message #53 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) state change from embryonic to dead
Message #54 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #55 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00363A05
Message #56 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #57 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) free completed
Message #58 : IPSEC DEBUG: Inbound SA (SPI 0xA7671F99) destroy completed
Message #59 : IPSEC: Received a PFKey message from IKE
Message #60 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) destroy started, state embryonic
Message #61 : IPSEC: Destroy current inbound SPI: 0xF93ABDD6
Message #62 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) free started, state embryonic
Message #63 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) state change from embryonic to dead
Message #64 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #65 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0036EA5B
Message #66 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #67 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) free completed
Message #68 : IPSEC DEBUG: Inbound SA (SPI 0xF93ABDD6) destroy completed
Message #69 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=723, daddr=A.B.12.44, dport=5632
Message #70 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #71 : IPSEC: Received a PFKey message from IKE
Message #72 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x3F262A4C)
Message #73 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #74 : IPSEC: Received a PFKey message from IKE
Message #75 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xA7671F99)
Message #76 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #77 : IPSEC: Received a PFKey message from IKE
Message #78 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xF93ABDD6)
Message #79 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #80 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #81 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #82 : IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.Y.22, sport=5632, daddr=A.B.12.44, dport=5632
Message #83 : IPSEC(crypto_map_check)-3: Checking crypto map s2sCryptoMap 1: matched.
Message #84 : IPSEC: Received a PFKey message from IKE
Message #85 : IPSEC: Parsing PFKey GETSPI message
Message #86 : IPSEC: Creating IPsec SA
Message #87 : IPSEC: Getting the inbound SPI
Message #88 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #89 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #90 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037648B
Message #91 : IPSEC: New embryonic SA created @ 0x00002b0798dbd020,
SCB: 0x993C8F90,
Direction: inbound
SPI : 0x08E58923
Session ID: 0x0005B000
VPIF num : 0x00000002
Tunnel type: l2l-truncated-
Message #92 : IPSEC: Received a PFKey message from IKE
Message #93 : IPSEC: Parsing PFKey GETSPI message
Message #94 : IPSEC: Creating IPsec SA
Message #95 : IPSEC: Getting the inbound SPI
Message #96 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #97 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #98 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037D969
Message #99 : IPSEC: New embryonic SA created @ 0x00002b0797a72710,
SCB: 0x9821ABD0,
Direction: inbound
SPI : 0xB76B04E8
Session ID: 0x0005B000
VPIF num : 0x00000002
Tunnel type: l2l-truncated-
Message #100 : IPSEC: Received a PFKey message from IKE
Message #101 : IPSEC: Parsing PFKey GETSPI message
Message #102 : IPSEC: Creating IPsec SA
Message #103 : IPSEC: Getting the inbound SPI
Message #104 : IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
Message #105 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #106 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00387181
Message #107 : IPSEC: New embryonic SA created @ 0x00002b07993c1c10,
SCB: 0x96BA6270,
Direction: inbound
SPI : 0xD3311490
Session ID: 0x0005B000
VPIF num : 0x00000002
Tunnel type: l2l-truncated-
Message #108 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0037648B
Message #109 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #110 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x0037D969
Message #111 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #112 : IPSEC INFO: IPSec SA Purge timer expired SPI 0x00387181
Message #113 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #114 : IPSEC: Received a PFKey message from IKE
Message #115 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) destroy started, state embryonic
Message #116 : IPSEC: Destroy current inbound SPI: 0x08E58923
Message #117 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) free started, state embryonic
Message #118 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) state change from embryonic to dead
Message #119 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #120 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037648B
Message #121 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #122 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) free completed
Message #123 : IPSEC DEBUG: Inbound SA (SPI 0x08E58923) destroy completed
Message #124 : IPSEC: Received a PFKey message from IKE
Message #125 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) destroy started, state embryonic
Message #126 : IPSEC: Destroy current inbound SPI: 0xB76B04E8
Message #127 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) free started, state embryonic
Message #128 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) state change from embryonic to dead
Message #129 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #130 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x0037D969
Message #131 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #132 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) free completed
Message #133 : IPSEC DEBUG: Inbound SA (SPI 0xB76B04E8) destroy completed
Message #134 : IPSEC: Received a PFKey message from IKE
Message #135 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) destroy started, state embryonic
Message #136 : IPSEC: Destroy current inbound SPI: 0xD3311490
Message #137 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) free started, state embryonic
Message #138 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) state change from embryonic to dead
Message #139 : IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
Message #140 : IPSEC INFO: IPSec SA PURGE timer started SPI 0x00387181
Message #141 : IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Message #142 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) free completed
Message #143 : IPSEC DEBUG: Inbound SA (SPI 0xD3311490) destroy completed
Message #144 : IPSEC: Received a PFKey message from IKE
Message #145 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x08E58923)
Message #146 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #147 : IPSEC: Received a PFKey message from IKE
Message #148 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xB76B04E8)
Message #149 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #150 : IPSEC: Received a PFKey message from IKE
Message #151 : IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xD3311490)
Message #152 : IPSEC ERROR: Invalid PF_Key DELETE - sadb_by_spi inbound parameters
Message #153 : IPSEC INFO: Setting an IPSec timer of type Bad CTM Timer Type for 3600 seconds with a jitter value of 0
Message #154 : IPSEC INFO: Setting an IPSec timer of type Bad CTM Timer Type for 3600 seconds with a jitter value of 0Thanks in advance for your help.
Regards.
