FPR1010 VPN to 5505 won't come up

richyvrlimited
Level 1

As per the title, it's a pretty basic setup: an IKEv2 tunnel between two devices.

The 5505 is already in place and is the termination point for a number of other VPNs (9 total, so way below the max of 25).

The FPR1010 is on ASA code 9.16(3)23.

I have two issues:

Initiating the VPN via the 1010 and Packet Tracer, the traffic is never picked up for encryption and is just routed to the relevant interface.

Initiating the VPN via the 5505, the traffic is correctly identified as to be encrypted and the tunnel is attempted to be brought up.

From a debug I get the failures:

Ikev2 SA down reason: local failure

and

Group xxxxxx Session disconnected type L2L duration 0;@00m:00s, bytes xmit 0 reason Internal error

Any clues as to why this tunnel won't come up? The debugs aren't useful at all. Have I hit a weird incompatibility bug?

Accepted Solution

@richyvrlimited on the FPR1010 ikev2 is enabled on the inside interface - "crypto ikev2 enable inside" but the crypto map is enabled on the outside interface - "crypto map outside_map0 interface outside". Change accordingly.


4 Replies

@richyvrlimited if traffic is not attempted to be encrypted, is the crypto ACL on the FPR1010 side correct?

Do you have a NAT exemption rule set up on both devices to ensure traffic is not unintentionally translated?

Can you provide the output of "show run crypto" from both devices please?

I have a nonat rule set up on the 1010. For clarity, these VPNs are overlaid on top of our corporate network for 3rd parties to run on; the typical 'inside'/'outside' are flipped, and the VPN runs across the inside interface. All traffic from the outside is VPN'd to the headend 5505 then routed out to the internet.

nat (outside,inside) source static NETWORK_OBJ_172.16.3.0_24 NETWORK_OBJ_172.16.3.0_24 no-proxy-arp

Relevant crypto config below; I've sanitised the peer addresses.

FPR1010

crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256_SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES256_SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map0 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map0 1 set ikev2 ipsec-proposal AES256_SHA1
crypto map outside_map0 interface outside
crypto ikev2 policy 1
 encryption aes
 integrity sha256 sha
 group 5
 prf sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-256
 integrity sha256
 group 21 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 3
 encryption aes-256
 integrity sha256
 group 14 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption aes
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable inside

5505

crypto ipsec ikev2 ipsec-proposal AES_SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map L2L-VPN 10 set peer yyy.yyy.yyy.yyy
crypto map L2L-VPN 10 set ikev2 ipsec-proposal AES_SHA
crypto map L2L-VPN interface inside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-256
 integrity sha256
 group 21
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 3
 encryption aes-256
 integrity sha256
 group 21
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 4
 encryption aes-256
 integrity sha256
 group 21
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable inside

Thank you

@Rob Ingram Thank you so much; I don't know how I missed such a simple config error.
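As an added illustration (not part of the thread, and not Cisco tooling), a small Python checker that parses "show run crypto" excerpts like the ones posted above and flags the exact mismatch Rob spotted: an interface that carries a crypto map but has no "crypto ikev2 enable". It also lists which IKEv2 policy pairs on the two peers actually overlap in encryption, integrity, DH group and PRF, which is the next thing to check when a tunnel dies with "local failure". The two config strings are constructed excerpts that reuse the thread's own values.

```python
import re
# Constructed excerpts of the thread's "show run crypto" output (same values as posted above).
FPR1010 = """\
crypto map outside_map0 interface outside
crypto ikev2 policy 1
 encryption aes
 integrity sha256 sha
 group 5
 prf sha256 sha
crypto ikev2 policy 2
 encryption aes-256
 integrity sha256
 group 21 14
 prf sha256
crypto ikev2 enable inside
"""
ASA5505 = """\
crypto map L2L-VPN interface inside
crypto ikev2 policy 2
 encryption aes-256
 integrity sha256
 group 21
 prf sha256
crypto ikev2 enable inside
"""

def parse(cfg):  # -> (ikev2_ifaces, cryptomap_ifaces, {policy_no: {attr: set_of_values}})
    ikev2_ifaces, map_ifaces, policies, cur = set(), set(), {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"crypto ikev2 enable (\S+)$", s):
            ikev2_ifaces.add(m.group(1)); cur = None
        elif m := re.match(r"crypto map \S+ interface (\S+)$", s):
            map_ifaces.add(m.group(1)); cur = None
        elif m := re.match(r"crypto ikev2 policy (\d+)$", s):
            cur = policies.setdefault(int(m.group(1)), {})  # subcommands follow
        elif cur is not None and (m := re.match(r"(encryption|integrity|group|prf) (.+)", s)):
            cur[m.group(1)] = set(m.group(2).split())  # ASA allows several values per line
    return ikev2_ifaces, map_ifaces, policies

def map_without_ikev2(cfg):
    """Interfaces that carry a crypto map but have no 'crypto ikev2 enable' (Rob's finding)."""
    ikev2_ifaces, map_ifaces, _ = parse(cfg)
    return sorted(map_ifaces - ikev2_ifaces)

def matching_policies(cfg_a, cfg_b):
    """(policy_a, policy_b) pairs that share at least one value in every IKEv2 attribute."""
    pa, pb = parse(cfg_a)[2], parse(cfg_b)[2]
    return [(a, b) for a, x in pa.items() for b, y in pb.items()
            if all(x.get(k, set()) & y.get(k, set()) for k in ("encryption", "integrity", "group", "prf"))]
```

On these excerpts it reports ['outside'] for the FPR1010 and nothing for the 5505, and the only compatible policy pair is (2, 2).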
