04-02-2019 03:21 AM
Hey everyone, I am trying to test remote access using IKEv2 EAP with local AAA, but I'm facing an error at the IKE_AUTH phase.
I've been banging my head against the wall with this, and thought I would see if anyone has gotten this working.
In my lab I'm using Microsoft CA as a PKI: hash algorithm SHA256 & pubkey RSA 2048.
When I run crypto pki enroll Trusted-CA I get a certificate issued based on the IPsec Offline Request template.
IOU L3 as a router: i86bi-linux-l3-adventerprisek9-15.5.2T.bin
Here's my router configuration:
conf t
no crypto ikev2 policy default
no crypto ikev2 proposal default
no crypto ipsec transform-set default
interface loopback 0
ip address 10.55.0.1 255.255.255.255
exit
crypto key generate rsa modulus 2048 label EDGE-Keypair
crypto pki trustpoint Trusted-CA
! SCEP IN PLACE
enrollment url http://10.22.0.9/certsrv/mscep/mscep.dll
rsakeypair EDGE-Keypair
fqdn EDGE.home.com
subject-name CN= EDGE.home.com,o=home.com
revocation-check crl
ip-address none
serial-number none
usage ike
exit
! AAA MODEL
aaa new-model
aaa authentication login RA-Authen local
aaa authorization network RA-Author local
username test password cisco123
username ACVPN password cisco
! AUTHORIZATION POLICY
ip local pool FlexVPN-Pool 10.55.0.100 10.55.0.200
crypto ikev2 authorization policy Author-Local-Policy
pool FlexVPN-Pool
dns 10.22.0.10
netmask 255.255.255.0
def-domain home.com
aaa attribute list AAA-attr
exit
! PROPOSAL
crypto ikev2 proposal PROPOSAL-LAB
encryption aes-cbc-256
integrity sha256
group 2
exit
!
! POLICY
crypto ikev2 policy POLICY-LAB
proposal PROPOSAL-LAB
match fvrf any
exit
! TRANSFORM SET
crypto ipsec transform-set SET-LAB esp-3des esp-sha-hmac
mode tunnel
exit
!
! IKEv2 PROFILE EAP
crypto ikev2 profile EAP-RA-PROFILE
identity local fqdn EDGE.home.com
match identity remote key-id ACVPN
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint Trusted-CA
aaa authentication eap RA-Authen
aaa authorization group eap list RA-Author Author-Local-Policy
aaa authorization user eap cached
virtual-template 1
exit
! IPsec PROFILE
crypto ipsec profile IPsec-RA-Profile
set transform-set SET-LAB
set ikev2-profile EAP-RA-PROFILE
exit
! DVTI
interface virtual-template1 type tunnel
ip unnumbered loopback 0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPsec-RA-Profile
#XML Profile
<ServerList>
<HostEntry>
<HostName>FlexVPN RA</HostName>
<HostAddress>EDGE.home.com</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>EAP</AuthMethodDuringIKENegotiation>
<IKEIdentity>ACVPN</IKEIdentity>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
I have tested the same configuration using the AnyConnect-EAP protocol with no luck.
You will find a screenshot of the error I'm facing and a text file with all details.
Any help would be appreciated.
-Thanks
04-02-2019 12:57 PM
04-03-2019 01:22 AM - edited 04-03-2019 01:31 AM
Thanks for your reply. As I mentioned in my post, I have already tested this using AnyConnect-EAP and created another profile on the client machine, but still the same problem:
crypto ikev2 profile AnyEAP-RA-PROFILE
match identity remote key-id ACVPN
identity local fqdn EDGE.home.com
authentication remote anyconnect-eap aggregate
authentication local rsa-sig
pki trustpoint Trusted-CA
aaa authentication anyconnect-eap RA-Authen
aaa authorization group anyconnect-eap list RA-Author Author-Local-Policy
aaa authorization user anyconnect-eap cached
virtual-template 1
For the CRL: yes, I'm using the CRL check, but I don't see any CRL failure message in the debug. I have tested my PKI with hub-to-spoke & spoke-to-spoke topology and it's working perfectly.
04-03-2019 07:47 AM
Now I'm having another issue: it seems that the authentication works now, but somehow the tunnel goes down seconds after it comes up:
*Apr 3 14:17:54.222: IKEv2:Received Packet [From 172.10.0.2:57745/To 172.20.0.2:500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)
*Apr 3 14:17:54.222: IKEv2:(SESSION ID = 55,SA ID = 1):Verify SA init message
*Apr 3 14:17:54.222: IKEv2:(SESSION ID = 55,SA ID = 1):Insert SA
*Apr 3 14:17:54.222: IKEv2:Searching Policy with fvrf 0, local address 172.20.0.2
*Apr 3 14:17:54.222: IKEv2:Found Policy 'POLICY-LAB'
*Apr 3 14:17:54.222: IKEv2:(SESSION ID = 55,SA ID = 1):Processing IKE_SA_INIT message
*Apr 3 14:17:54.222: IKEv2-ERROR:(SESSION ID = 55,SA ID = 1):: The peer's KE payload contained the wrong DH group
*Apr 3 14:17:54.222: IKEv2:(SESSION ID = 55,SA ID = 1):Sending invalid ke notification, peer sent group 1, local policy prefers group 5
*Apr 3 14:17:54.222: IKEv2:(SESSION ID = 55,SA ID = 1):Sending Packet [To 172.10.0.2:57745/From 172.20.0.2:500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(INVALID_KE_PAYLOAD)
*Apr 3 14:17:54.222: IKEv2:(SESSION ID = 55,SA ID = 1):Failed SA init exchange
*Apr 3 14:17:54.222: IKEv2-ERROR:(SESSION ID = 55,SA ID = 1):Initial exchange failed: Initial exchange failed
*Apr 3 14:17:54.222: IKEv2:(SESSION ID = 55,SA ID = 1):Abort exchange
*Apr 3 14:17:54.222: IKEv2:(SESSION ID = 55,SA ID = 1):Deleting SA
*Apr 3 14:17:54.237: IKEv2:Received Packet [From 172.10.0.2:57745/To 172.20.0.2:500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)
*Apr 3 14:17:54.237: IKEv2:(SESSION ID = 56,SA ID = 1):Verify SA init message
*Apr 3 14:17:54.237: IKEv2:(SESSION ID = 56,SA ID = 1):Insert SA
*Apr 3 14:17:54.237: IKEv2:Searching Policy with fvrf 0, local address 172.20.0.2
*Apr 3 14:17:54.237: IKEv2:Found Policy 'POLICY-LAB'
*Apr 3 14:17:54.237: IKEv2:(SESSION ID = 56,SA ID = 1):Processing IKE_SA_INIT message
*Apr 3 14:17:54.237: IKEv2:(SESSION ID = 56,SA ID = 1):Received valid config mode data
*Apr 3 14:17:54.237: IKEv2:Config data recieved:
*Apr 3 14:17:54.237: IKEv2:(SESSION ID = 56,SA ID = 1):Config-type: Config-request
*Apr 3 14:17:54.237: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
*Apr 3 14:17:54.237: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
*Apr 3 14:17:54.237: IKEv2:(SESSION ID = 56,SA ID = 1):Set received config mode data
*Apr 3 14:17:54.237: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 3 14:17:54.237: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trusted-CA'
*Apr 3 14:17:54.237: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 3 14:17:54.237: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Apr 3 14:17:54.237: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Apr 3 14:17:54.237: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Apr 3 14:17:54.237: IKEv2:(SESSION ID = 56,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Apr 3 14:17:54.237: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 3 14:17:54.237: IKEv2:(SESSION ID = 56,SA ID = 1):Request queued for computation of DH key
*Apr 3 14:17:54.237: IKEv2:(SESSION ID = 56,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Apr 3 14:17:54.246: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 3 14:17:54.246: IKEv2:(SESSION ID = 56,SA ID = 1):Request queued for computation of DH secret
*Apr 3 14:17:54.246: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 3 14:17:54.246: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 3 14:17:54.246: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Apr 3 14:17:54.246: IKEv2:(SESSION ID = 56,SA ID = 1):Generating IKE_SA_INIT message
*Apr 3 14:17:54.246: IKEv2:(SESSION ID = 56,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_1536_MODP/Group 5
*Apr 3 14:17:54.246: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 3 14:17:54.246: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trusted-CA'
*Apr 3 14:17:54.246: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 3 14:17:54.246: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Apr 3 14:17:54.246: IKEv2:(SESSION ID = 56,SA ID = 1):Sending Packet [To 172.10.0.2:57745/From 172.20.0.2:500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Apr 3 14:17:54.246: IKEv2:(SESSION ID = 56,SA ID = 1):Completed SA init exchange
*Apr 3 14:17:54.246: IKEv2:(SESSION ID = 56,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Received Packet [From 172.10.0.2:57746/To 172.20.0.2:500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Stopping timer to wait for auth message
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Checking NAT discovery
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):NAT OUTSIDE found
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):NAT detected float to init port 57746, resp port 4500
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Searching policy based on peer's identity 'ACVPN' of type 'key ID'
*Apr 3 14:17:54.271: IKEv2:found matching IKEv2 profile 'AnyEAP-RA-PROFILE'
*Apr 3 14:17:54.271: IKEv2:Searching Policy with fvrf 0, local address 172.20.0.2
*Apr 3 14:17:54.271: IKEv2:Found Policy 'POLICY-LAB'
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Verify peer's policy
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Peer's policy verified
*Apr 3 14:17:54.271: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Apr 3 14:17:54.271: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Apr 3 14:17:54.271: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
*Apr 3 14:17:54.271: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint Trusted-CA
*Apr 3 14:17:54.271: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Check for EAP exchange
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Check for EAP exchange
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Generate my authentication data
*Apr 3 14:17:54.271: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 3 14:17:54.271: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Get my authentication method
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):My authentication method is 'RSA'
*Apr 3 14:17:54.271: IKEv2:(SESSION ID = 56,SA ID = 1):Sign authentication data
*Apr 3 14:17:54.271: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Apr 3 14:17:54.271: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
*Apr 3 14:17:54.271: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
*Apr 3 14:17:54.295: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Apr 3 14:17:54.295: IKEv2:(SESSION ID = 56,SA ID = 1):Authentication material has been sucessfully signed
*Apr 3 14:17:54.295: IKEv2:(SESSION ID = 56,SA ID = 1):Generating AnyConnect EAP request
*Apr 3 14:17:54.295: IKEv2:(SESSION ID = 56,SA ID = 1):Sending AnyConnect EAP 'hello' request
*Apr 3 14:17:54.295: IKEv2:(SESSION ID = 56,SA ID = 1):Constructing IDr payload: 'EDGE.homelab.com' of type 'FQDN'
*Apr 3 14:17:54.295: IKEv2:(SESSION ID = 56,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr CERT CERT AUTH EAP
*Apr 3 14:17:54.295: IKEv2:(SESSION ID = 56,SA ID = 1):Sending Packet [To 172.10.0.2:57746/From 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Apr 3 14:17:54.298: IKEv2:(SESSION ID = 56,SA ID = 1):Starting timer (90 sec) to wait for auth message
*Apr 3 14:17:54.307: IKEv2:(SESSION ID = 56,SA ID = 1):Received Packet [From 172.10.0.2:57746/To 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 2
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
*Apr 3 14:17:54.307: IKEv2:(SESSION ID = 56,SA ID = 1):Stopping timer to wait for auth message
*Apr 3 14:17:54.307: IKEv2:(SESSION ID = 56,SA ID = 1):Processing AnyConnect EAP response
*Apr 3 14:17:54.307: IKEv2:(SESSION ID = 56,SA ID = 1):Generating AnyConnect EAP AUTH request
*Apr 3 14:17:54.307: IKEv2:(SESSION ID = 56,SA ID = 1):
EDGE#Sending AnyConnect EAP 'auth-request'
*Apr 3 14:17:54.307: IKEv2:(SESSION ID = 56,SA ID = 1):Building packet for encryption.
Payload contents:
EAP
*Apr 3 14:17:54.307: IKEv2:(SESSION ID = 56,SA ID = 1):Sending Packet [To 172.10.0.2:57746/From 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Apr 3 14:17:54.308: IKEv2:(SESSION ID = 56,SA ID = 1):Starting timer (90 sec) to wait for auth message
EDGE#
*Apr 3 14:18:01.456: IKEv2:(SESSION ID = 56,SA ID = 1):Received Packet [From 172.10.0.2:57746/To 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
*Apr 3 14:18:01.456: IKEv2:(SESSION ID = 56,SA ID = 1):Stopping timer to wait for auth message
*Apr 3 14:18:01.456: IKEv2:(SESSION ID = 56,SA ID = 1):Processing AnyConnect EAP response
*Apr 3 14:18:01.456: IKEv2:Using authentication method list RA-Authen
*Apr 3 14:18:01.456: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
*Apr 3 14:18:01.457: IKEv2-ERROR:AnyConnect EAP - failed to get author list
*Apr 3 14:18:01.461: IKEv2:Received response from aaa for AnyConnect EAP
*Apr 3 14:18:01.461: IKEv2:(SESSION ID = 56,SA ID = 1):Generating AnyConnect EAP VERIFY request
*Apr 3 14:18:01.461: IKEv2:(SESSION ID = 56,SA ID = 1):Sending AnyConnect EAP 'VERIFY' request
*Apr 3 14:18:01.461: IKEv2:(SESSION ID = 56,SA ID = 1):Building packet for encryption.
Payload contents:
EAP
*Apr 3 14:18:01.461: IKEv2:(SESSION ID = 56,SA ID = 1):Sending Packet [To 172.10.0.2:57746/From 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 3
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Apr 3 14:18:01.462: IKEv2:(SESSION ID = 56,SA ID = 1):Starting timer (90 sec) to wait for auth message
*Apr 3 14:18:01.466: IKEv2:(SESSION ID = 56,SA ID = 1):Received Packet [From 172.10.0.2:57746/To 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 4
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
*Apr 3 14:18:01.466: IKEv2:(SESSION ID = 56,SA ID = 1):Stopping timer to wait for auth message
*Apr 3 14:18:01.466: IKEv2:(SESSION ID = 56,SA ID = 1):Processing AnyConnect EAP ack response
*Apr 3 14:18:01.466: IKEv2:(SESSION ID = 56,SA ID = 1):Generating AnyConnect EAP success request
*Apr 3 14:18:01.466: IKEv2:(SESSION ID = 56,SA ID = 1):Sending AnyConnect EAP success status message
*Apr 3 14:18:01.466: IKEv2:(SESSION ID = 56,SA ID = 1):Building packet for encryption.
Payload contents:
EAP
*Apr 3 14:18:01.466: IKEv2:(SESSION ID = 56,SA ID = 1):Sending Packet [To 172.10.0.2:57746/From 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 4
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Apr 3 14:18:01.468: IKEv2:(SESSION ID = 56,SA ID = 1):Starting timer (90 sec) to wait for auth message
*Apr 3 14:18:01.471: IKEv2:(SESSION ID = 56,SA ID = 1):Received Packet [From 172.10.0.2:57746/To 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 5
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
AUTH
*Apr 3 14:18:01.472: IKEv2:(SESSION ID = 56,SA ID = 1):Stopping timer to wait for auth message
*Apr 3 14:18:01.472: IKEv2:(SESSION ID = 56,SA ID = 1):Send AUTH, to verify peer after EAP exchange
*Apr 3 14:18:01.472: IKEv2:(SESSION ID = 56,SA ID = 1):Verify peer's authentication data
*Apr 3 14:18:01.472: IKEv2:(SESSION ID = 56,SA ID = 1):Use preshared key for id ACVPN, key len 32
*Apr 3 14:18:01.472: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 3 14:18:01.472: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 3 14:18:01.472: IKEv2:(SESSION ID = 56,SA ID = 1):Verification of peer's authenctication data PASSED
*Apr 3 14:18:01.472: IKEv2:(SESSION ID = 56,SA ID = 1):Processing INITIAL_CONTACT
*Apr 3 14:18:01.472: IKEv2:Using mlist RA-Author and username Author-Local-Policy for group author request
*Apr 3 14:18:01.472: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
*Apr 3 14:18:01.476: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Received valid config mode data
*Apr 3 14:18:01.476: IKEv2:Config data recieved:
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Config-type: Config-request
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv4-addr, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv4-netmask, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: app-version, length: 28, data: AnyConnect Windows 4.6.03049
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv4-subnet, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv6-addr, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv6-dns, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv6-subnet, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 6, data: 0x440x450x530x4B0x310x30
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: reconnect-cleanup-interval, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: reconnect-dpd-interval, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: banner, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: smartcard-removal-disconnect, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 2, data: 0x5 0xFFFFFF86
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: def-domain, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: split-exclude, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: split-dns, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: pfs, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: reconnect-token-id, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: reconnect-session-id, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.476: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 4, data: 0xFFFFFFAC0xA 0x0 0x2
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 4, data: 0xFFFFFFAC0x140x0 0x2
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 0
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: unknown, length: 2, data: 0x5 0xFFFFFFDC
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-cleanup-interval in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-dpd-interval in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Set received config mode data
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):Processing IKE_AUTH message
*Apr 3 14:18:01.477: IKEv2:% DVTI create request sent for profile AnyEAP-RA-PROFILE with PSH index 1.
*Apr 3 14:18:01.477: IKEv2:(SESSION ID = 56,SA ID = 1):
*Apr 3 14:18:01.477: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Apr 3 14:18:01.483: IKEv2:% DVTI Vi1 created for profile AnyEAP-RA-PROFILE with PSH index 1.
*Apr 3 14:18:01.483: IKEv2:% Adding assigned IP address 10.55.0.113 to TSi.
*Apr 3 14:18:01.483: IKEv2:IPSec policy validate request sent for profile AnyEAP-RA-PROFILE with psh index 1.
*Apr 3 14:18:01.484: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
*Apr 3 14:18:01.484: IKEv2:No reconnect for PSH: 1
*Apr 3 14:18:01.484: IKEv2:Config data to send:
*Apr 3 14:18:01.484: IKEv2:(SESSION ID = 56,SA ID = 1):Config-type: Config-reply
*Apr 3 14:18:01.484: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv4-addr, length: 4, data: 10.55.0.113
*Apr 3 14:18:01.484: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv4-netmask, length: 4, data: 255.255.255.0
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: ipv4-dns, length: 4, data: 10.22.0.10
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: app-version, length: 256, data: Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.5(2)T, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Thu 26-Mar-15 07:36 by prod_rel_team
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Attrib type: def-domain, length: 12, data: homelab.com
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Have config mode data to send
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Get my authentication method
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):My authentication method is 'PSK'
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Get peer's preshared key for ACVPN
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Generate my authentication data
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Use preshared key for id EDGE.homelab.com, key len 32
*Apr 3 14:18:01.485: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 3 14:18:01.485: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Get my authentication method
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):My authentication method is 'PSK'
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Generate my authentication data
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Use preshared key for id EDGE.homelab.com, key len 32
*Apr 3 14:18:01.485: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 3 14:18:01.485: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Send AUTH, to verify peer after EAP exchange
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):ESP Proposal: 2, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*Apr 3 14:18:01.485: IKEv2:(SESSION ID = 56,SA ID = 1):Building packet for encryption.
Payload contents:
AUTH CFG SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Apr 3 14:18:01.486: IKEv2:(SESSION ID = 56,SA ID = 1):Sending Packet [To 172.10.0.2:57746/From 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 5
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Apr 3 14:18:01.486: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Apr 3 14:18:01.486: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Apr 3 14:18:01.486: IKEv2:(SESSION ID = 56,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Apr 3 14:18:01.487: IKEv2:(SESSION ID = 56,SA ID = 1):Session with IKE ID PAIR (ACVPN, EDGE.homelab.com) is UP
*Apr 3 14:18:01.487: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Apr 3 14:18:01.487: IKEv2:(SESSION ID = 56,SA ID = 1):Load IPSEC key material
*Apr 3 14:18:01.487: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Apr 3 14:18:01.487: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Apr 3 14:18:01.487: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
EDGE#
*Apr 3 14:18:01.488: IKEv2:(SESSION ID = 56,SA ID = 1):Checking for duplicate IKEv2 SA
*Apr 3 14:18:01.488: IKEv2:(SESSION ID = 56,SA ID = 1):No duplicate IKEv2 SA found
*Apr 3 14:18:01.488: IKEv2:(SESSION ID = 56,SA ID = 1):Starting timer (8 sec) to delete negotiation context
EDGE#
*Apr 3 14:18:03.615: IKEv2:(SESSION ID = 56,SA ID = 1):Received Packet [From 172.10.0.2:57746/To 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE NOTIFY(DELETE_REASON)
*Apr 3 14:18:03.616: IKEv2:(SESSION ID = 56,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Apr 3 14:18:03.616: IKEv2:(SESSION ID = 56,SA ID = 1):Sending Packet [To 172.10.0.2:57746/From 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 6
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR
*Apr 3 14:18:03.617: IKEv2:(SESSION ID = 56,SA ID = 1):Process delete request from peer
*Apr 3 14:18:03.617: IKEv2:(SESSION ID = 56,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x95FF95BD7E034F5F RSPI: 0x8F0639935F942834]
*Apr 3 14:18:03.618: IKEv2:(SESSION ID = 56,SA ID = 1):Check for existing active SA
*Apr 3 14:18:03.618: IKEv2:(SESSION ID = 56,SA ID = 1):Delete all IKE SAs
*Apr 3 14:18:03.618: IKEv2:(SESSION ID = 56,SA ID = 1):Deleting SA
*Apr 3 14:18:03.618: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0xEDEAE0B8
*Apr 3 14:18:03.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
EDGE#
*Apr 3 14:18:03.621: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
EDGE#
12-27-2024 01:11 AM
Hi, did you manage to solve the problem of the session being disabled? I seem to have the same problem:
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Process delete request from peer
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0xB21A1971F9A72019 RSPI: 0xD4B671E5BCC66C25]
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Check for existing active SA
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Delete all IKE SAs
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Deleting SA
Dec 26 09:59:14.937: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0x80007FDA18896A80
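As an added troubleshooting example (not code from the original thread or from Cisco), here is a small Python triage script that parses `debug crypto ikev2` output of the kind posted above and flags what both posters are chasing: the INVALID_KE_PAYLOAD retry, every IKEv2-ERROR line, and a session that comes UP and is then deleted by the peer within seconds. The embedded sample is a constructed excerpt modelled on the log above; the `EDGE#` prompt handling and the fixed year in `_ts` are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# One timestamped debug line: optional leading '*', month/day/time, the source
# (IKEv2, IKEv2-ERROR or a syslog mnemonic) and an optional "(SESSION ID = n,SA ID = m)".
LINE_RE = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+): "
    r"(?P<src>IKEv2(?:-ERROR)?|%[A-Z0-9_-]+):"
    r"(?:\(SESSION ID = (?P<sess>\d+),SA ID = \d+\))?:*\s*(?P<msg>.*)$"
)
PKT_RE = re.compile(r"^(?:Received Packet|Sending Packet|Building packet for encryption)")
EXCH_RE = re.compile(r"^IKEv2 (?P<exch>\w+) Exchange (?P<kind>REQUEST|RESPONSE)$")
MSGID_RE = re.compile(r"Message id: (?P<id>\d+)")

@dataclass
class Event:
    ts: datetime
    src: str            # "IKEv2", "IKEv2-ERROR" or a syslog mnemonic
    session: str        # SESSION ID, "" when the line carries none
    msg: str
    exchange: str = ""  # e.g. "IKE_SA_INIT RESPONSE", filled from the packet header
    payloads: str = ""  # e.g. "NOTIFY(INVALID_KE_PAYLOAD)"

def _ts(mon, day, time):
    # Debug lines carry no year; a fixed one keeps timestamps comparable (assumption).
    return datetime.strptime(f"2000 {mon} {day} {time}", "%Y %b %d %H:%M:%S.%f")

def parse(text):
    # Fold each multi-line packet header (SPIs / exchange / payload list) into its event.
    events, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("EDGE#"):          # router prompt echoed into the debug stream
            line = line[len("EDGE#"):].strip()
        if not line or line == "Payload contents:":
            continue
        m = LINE_RE.match(line)
        if m:
            ev = Event(_ts(m["mon"], m["day"], m["time"]), m["src"], m["sess"] or "", m["msg"])
            events.append(ev)
            pending = ev if PKT_RE.match(ev.msg) else None
            continue
        if pending is None:                   # continuation line we do not model
            continue
        e = EXCH_RE.match(line)
        if e:
            pending.exchange = f"{e['exch']} {e['kind']}"
        elif line.startswith("Initiator SPI"):
            mid = MSGID_RE.search(line)
            if mid:
                pending.msg += f" msgid={mid['id']}"
        else:
            pending.payloads = line
    return events

def triage(events, teardown_window=10.0):
    # Error lines, the INVALID_KE_PAYLOAD round trip, and a session the peer tears down right after UP.
    findings = []
    for ev in events:
        if ev.src == "IKEv2-ERROR":
            findings.append(f"{ev.ts.time()} session={ev.session or '-'} ERROR: {ev.msg}")
        if "INVALID_KE_PAYLOAD" in ev.payloads:
            findings.append(f"{ev.ts.time()} session={ev.session} INVALID_KE_PAYLOAD sent: "
                            "peer's KE group differs from the one the local policy selected; "
                            "the client retries with the advertised group, costing one round trip")
    up = {}
    for ev in events:
        if ev.msg.startswith("Session with IKE ID PAIR") and ev.msg.endswith("is UP"):
            up[ev.session] = ev.ts
        elif ev.msg.startswith("Received Packet") and "DELETE" in ev.payloads and ev.session in up:
            dt = (ev.ts - up[ev.session]).total_seconds()
            if dt <= teardown_window:
                findings.append(f"session {ev.session}: peer sent DELETE {dt:.1f}s after the SA "
                                "came UP; the teardown was initiated by the client, so the "
                                "client-side log is the next thing to read")
    return findings

# Constructed excerpt modelled on the debug output posted in this thread.
SAMPLE_DEBUG = """\
*Apr 3 14:17:54.222: IKEv2-ERROR:(SESSION ID = 55,SA ID = 1):: The peer's KE payload contained the wrong DH group
*Apr 3 14:17:54.222: IKEv2:(SESSION ID = 55,SA ID = 1):Sending Packet [To 172.10.0.2:57745/From 172.20.0.2:500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(INVALID_KE_PAYLOAD)
*Apr 3 14:18:01.457: IKEv2-ERROR:AnyConnect EAP - failed to get author list
*Apr 3 14:18:01.487: IKEv2:(SESSION ID = 56,SA ID = 1):Session with IKE ID PAIR (ACVPN, EDGE.homelab.com) is UP
EDGE#
*Apr 3 14:18:03.615: IKEv2:(SESSION ID = 56,SA ID = 1):Received Packet [From 172.10.0.2:57746/To 172.20.0.2:4500/VRF i0:f0]
Initiator SPI : 95FF95BD7E034F5F - Responder SPI : 8F0639935F942834 Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE NOTIFY(DELETE_REASON)
*Apr 3 14:18:03.617: IKEv2:(SESSION ID = 56,SA ID = 1):Process delete request from peer
*Apr 3 14:18:03.618: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0xEDEAE0B8
"""

if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_DEBUG)):
        print(finding)
```

Feed it the full `debug crypto ikev2` capture (`python3 ikev2_triage.py < debug.txt` after swapping `SAMPLE_DEBUG` for `sys.stdin.read()`) to get the same three classes of finding from a live log.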