FPR 1010 vpn to ASA 5516X

Lee Dress
Level 1

Hopefully someone can help me.  

Thanks in advance. 

 

I'm trying to get a site-to-site VPN tunnel going from an FPR 1010 to an ASA 5516X.

 

The tunnel builds and seems to be stable from the FPR side. I can ping anything on the 5516's network without any drops.

But on the 5516X I keep getting "negotiation aborted due to ERROR: detected unsupported failover version".

 

I also can't ping the FPR from the other side of the tunnel (I can do this with the old 5506X that I am replacing by using the "management interface inside" command).

 

I have tried to match the IKE and IPsec settings as closely as I can see, but FDM is not quite as clear to understand as ASDM.

On the ASA 5516:

I have IKE Policies:

aes-256-sha-sha, aes-192-sha-sha, aes-sha-sha and 3des-sha-sha

IPsec:

AES256, AES192, AES, 3DES

 

On the FPR 1010:

IKE Version 2

IKE Policy:

aes,aes-192,aes-256-sha512,sha384,sha256,sha-sha512,sha384,sha256,sha-21,20,24,14,5

aes-256,aes-192,aes,3des-sha-sha-5,14,19,20,21

IPsec Proposal: aes,aes-192,aes-256-sha-512,sha-384,sha-256,sha-1

aes-192-md5,sha-1, aes-256-sha-1,md5, 3des-sha-1

Authentication Type: Pre-shared Manual Key

 

 

5 Replies

On the ASA, can you run these commands?

logging buffer-size 4096
logging buffered debugging
!
debug crypto condition peer x.x.x.x
debug crypto ipsec 127
debug crypto ikev2 platform 127
debug crypto ikev2 protocol 127
!
capture VPN1 type isakmp interface outside match ip host x.x.x.x host y.y.y.y
capture VPN2 type isakmp interface outside match ip host y.y.y.y host x.x.x.x
!

x.x.x.x is the remote peer IP.

y.y.y.y is the outside ASA IP address.

please do not forget to rate.

Not sure how to read all this.

Some child creation is failing.

IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: CHILD_I_WAIT Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-5: (274): Action: Action_Null
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: CHILD_I_PROC Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (274): Processing any notify-messages in child SA exchange
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: CHILD_I_DONE Event: EV_FAIL
IKEv2-PROTO-1: (274): Create child exchange failed
IKEv2-PROTO-1: (274):
IKEv2-PROTO-2: (274): IPSec SA create failed
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (274): Processed response with message id 154, Requests can be sent from range 155 to 155
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (274): Abort exchange
IKEv2-PROTO-5: (274): Deleting negotiation context for my message ID: 0x9a
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (274): Deleting negotiation context for my message ID: 0x9a
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-5: (274): Action: Action_Null
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SEND_DPD
IKEv2-PROTO-2: (274): Sending DPD/liveness query
IKEv2-PROTO-2: (274): Building packet for encryption.
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-2: (274):
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PLAT-2: (274): Encrypt success status returned via ipc 1
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-5: (274): Action: Action_Null
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-2: (274): Checking if request will fit in peer window
(274):
IKEv2-PROTO-2: (274): Sending Packet [To 50.205.22.55:4500/From 50.205.22.51:4500/VRF i0:f0]
(274): Initiator SPI : FB93B6C462F20BB6 - Responder SPI : 0258A2ACB9A3FD55 Message id: 155
(274): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-3: (274): Next payload: ENCR, version: 2.0 (274): Exchange type: INFORMATIONAL, flags: RESPONDER (274): Message id: 155, length: 76(274):
Payload contents:
(274): ENCR(274): Next payload: NONE, reserved: 0x0, length: 48
(274): Encrypted data: 44 bytes
(274):
IKEv2-PLAT-3: (274): SENT PKT [INFORMATIONAL] [50.205.22.51]:4500->[50.205.22.55]:4500 InitSPI=0xfb93b6c462f20bb6 RespSPI=0x0258a2acb9a3fd55 MID=0000009b
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009B CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009B CurState: INFO_I_WAIT Event: EV_NO_EVENT
(274):
IKEv2-PROTO-2: (274): Received Packet [From 50.205.22.55:4500/To 50.205.22.51:4500/VRF i0:f0]
(274): Initiator SPI : FB93B6C462F20BB6 - Responder SPI : 0258A2ACB9A3FD55 Message id: 155
(274): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-3: (274): Next payload: ENCR, version: 2.0 (274): Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE (274): Message id: 155, length: 76(274):
Payload contents:
(274):
(274): Decrypted packet:(274): Data: 76 bytes
IKEv2-PLAT-2: (274): Decrypt success status returned via ipc 1
(274): REAL Decrypted packet:(274): Data: 0 bytes
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009B CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-2: (274): Processing ACK to informational exchange
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009B CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009B CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-5: (274): Processed response with message id 155, Requests can be sent from range 156 to 156
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009B CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009B CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (274): Deleting negotiation context for my message ID: 0x9b
no debug crypto ikev2 protocol 127
asa-nj2# IKEv2-PLAT-2: (274): Encrypt success status returned via ipc 1
IKEv2-PLAT-3: (274): SENT PKT [CREATE_CHILD_SA] [50.205.22.51]:4500->[50.205.22.55]:4500 InitSPI=0xfb93b6c462f20bb6 RespSPI=0x0258a2acb9a3fd55 MID=0000009c
IKEv2-PLAT-2: (274): Decrypt success status returned via ipc 1
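The debug above can be reduced to a per-exchange summary mechanically. The following Python script is an added example written for this thread, not Cisco's code and not something the original poster ran: it parses the `SM Trace->` lines of `debug crypto ikev2 protocol` output, groups them by tunnel number and MsgID, attaches the level 1 and 2 protocol messages logged while that exchange was active, and flags exchanges that hit EV_FAIL or EV_ABORT. The embedded sample input is a subset of the debug lines posted above; the mapping from state-name prefixes (CHILD_, INFO_, AUTH_) to exchange families is an assumption drawn from the state names visible in this output.

```python
"""Summarise ASA/FTD 'debug crypto ikev2 protocol' output per IKEv2 exchange.

Added example for this thread (not Cisco code): groups the SM Trace lines by
tunnel number and MsgID, attaches the level 1/2 protocol messages logged while
that exchange was active, and flags exchanges that ended in EV_FAIL/EV_ABORT.
"""
import re
from collections import OrderedDict

# State-machine trace line (debug level 5).
TRACE_RE = re.compile(
    r"IKEv2-PROTO-\d: \((?P<tunnel>\d+)\): SM Trace-> SA: "
    r"I_SPI=(?P<ispi>[0-9A-Fa-f]+) R_SPI=(?P<rspi>[0-9A-Fa-f]+) "
    r"\((?P<role>[IR])\) MsgID = (?P<msgid>[0-9A-Fa-f]+) "
    r"CurState: (?P<state>\S+) Event: (?P<event>\S+)"
)
# Plain protocol message (levels 1 and 2) that explains the surrounding trace.
MSG_RE = re.compile(r"IKEv2-PROTO-[12]: \((?P<tunnel>\d+)\): (?P<text>\S.*)")

# Events that mark an exchange as unsuccessful.
FAIL_EVENTS = {"EV_FAIL", "EV_ABORT", "EV_CHK_PENDING_ABORT"}


def exchange_kind(state):
    """Map a CurState name to its exchange family (assumed from the prefixes seen)."""
    for prefix, kind in (("CHILD_", "CREATE_CHILD_SA"),
                         ("INFO_", "INFORMATIONAL"),
                         ("AUTH_", "IKE_AUTH")):
        if state.startswith(prefix):
            return kind
    return "OTHER"


def analyze(debug_text):
    """Return an ordered dict keyed by (tunnel, MsgID) with a summary per exchange."""
    exchanges = OrderedDict()
    active = {}  # tunnel -> key of the exchange whose trace line we saw last
    for line in debug_text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            key = (m["tunnel"], m["msgid"].upper())
            ex = exchanges.setdefault(key, {
                "tunnel": m["tunnel"], "msgid": key[1], "role": m["role"],
                "kind": "OTHER", "events": [], "messages": [], "failed": False,
            })
            kind = exchange_kind(m["state"])
            if kind != "OTHER" and ex["kind"] == "OTHER":
                ex["kind"] = kind
            ex["events"].append((m["state"], m["event"]))
            if m["event"] in FAIL_EVENTS:
                ex["failed"] = True
            active[m["tunnel"]] = key
            continue
        m = MSG_RE.search(line)
        if m and m["tunnel"] in active:
            # Attribute the explanatory text to the exchange currently being traced.
            exchanges[active[m["tunnel"]]]["messages"].append(m["text"].strip())
    return exchanges


def failed_exchanges(debug_text):
    """List the exchanges that did not complete, oldest first."""
    return [ex for ex in analyze(debug_text).values() if ex["failed"]]


# Sample input: a subset of the debug lines posted in this thread.
SAMPLE_DEBUG = """\
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: CHILD_I_WAIT Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: CHILD_I_PROC Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (274): Processing any notify-messages in child SA exchange
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: CHILD_I_DONE Event: EV_FAIL
IKEv2-PROTO-1: (274): Create child exchange failed
IKEv2-PROTO-1: (274):
IKEv2-PROTO-2: (274): IPSec SA create failed
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009A CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-2: (274): Abort exchange
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 00000001 CurState: READY Event: EV_SEND_DPD
IKEv2-PROTO-2: (274): Sending DPD/liveness query
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009B CurState: INFO_I_WAIT Event: EV_NO_EVENT
IKEv2-PROTO-2: (274): Processing ACK to informational exchange
IKEv2-PROTO-5: (274): SM Trace-> SA: I_SPI=FB93B6C462F20BB6 R_SPI=0258A2ACB9A3FD55 (I) MsgID = 0000009B CurState: EXIT Event: EV_CHK_PENDING
"""

if __name__ == "__main__":
    for ex in analyze(SAMPLE_DEBUG).values():
        status = "FAILED" if ex["failed"] else "ok"
        print(f"tunnel {ex['tunnel']} MsgID {ex['msgid']} {ex['kind']:16} {status}")
        for text in ex["messages"]:
            print(f"    {text}")
```

Run against the full debug, the script reports MsgID 0000009A as a failed CREATE_CHILD_SA and the following DPD (MsgID 00000001, re-labelled 0000009B once the request is numbered) as a completed INFORMATIONAL exchange, so the IKE SA itself is healthy and only the child SA rekey/creation is failing. The only explanation the initiator logs for 0000009A is "Create child exchange failed" / "IPSec SA create failed" with no decoded notify, which is why the responder side's logs or the isakmp captures are the next place to look.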

I found the issue.

An AnyConnect VPN client was trying to attach to the network.

When I turned off access from the AnyConnect tunnels to the FPR network, it all cleared up.

Sorry to bother you all.

 

No problem, glad you found the issue.

please do not forget to rate.

Seems likely a phase 2 issue. Could you share your ASA configuration, and also the config from the FTD side? To get the FTD config you have to SSH to the Lina CLI and type "show run"; it will display the config. Also, could you share the capture files too?

please do not forget to rate.