cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4391
Views
5
Helpful
3
Replies

IKEv2 GCM "IKE SA delete request reason: unknown"

seefarrun
Level 1
Level 1

I'm adding this in case anyone has to go through the same joy I have for the last day and a half and can't find an answer.

I was setting up a new IKEv2 VPN with a Virtual Tunnel Interface on an ASA running 9.8.4.x.  I was using aes-gcm-256 as encryption for both phases and the documentation from the other peer specified using SHA256 as the integrity.  When I set up my IKEv2 policy as per below it would not allow me to set the integrity to anything but null, which was fine.

 

crypto ikev2 policy 8
 encryption aes-gcm-256
 group 19
 prf sha256
 lifetime seconds 86400

When I set up my new ipsec policy it warned me that integrity wouldn't be used but took the config anyway and I must have missed / ignored the warnings:

 

 

myfirewall(config)# crypto ipsec ikev2 ipsec-proposal set-5
myfirewall(config-ipsec-proposal)#  protocol esp encryption aes-gcm-256
WARNING: GCM\GMAC are authenticated encryption algorithms.esp integrity config is ignored
myfirewall(config-ipsec-proposal)#  protocol esp integrity sha-256
WARNING: GCM\GMAC are authenticated encryption algorithms.esp integrity config is ignored

myfirewall# show run | beg ipsec-proposal set-5
crypto ipsec ikev2 ipsec-proposal set-5
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256

It wouldn't form the tunnel and going through the Cisco debug doco, it seems like it formed Phase 1 (CONNECTION STATUS: REGISTERED) but when it came to form Phase 2 (the Child portion) it was just committing suicide and deleting the SA.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html

The only thing in there was a log saying "Queuing IKE SA delete request reason: unknown" which wasn't that useful:

 

IKEv2-PLAT-2: (824): idle timeout set to: 30
IKEv2-PLAT-2: (824): session timeout set to: 0
IKEv2-PLAT-2: (824): group policy set to x.x.x.x
IKEv2-PLAT-2: (824): class attr set
IKEv2-PLAT-2: (824): tunnel protocol set to: 0x40
IKEv2-PLAT-2: (824): IPv4 filter ID not configured for connection
IKEv2-PLAT-2: (824): group lock set to: none
IKEv2-PLAT-2: (824): IPv6 filter ID not configured for connection
IKEv2-PLAT-2: (824): connection attribues set valid to TRUE
IKEv2-PLAT-2: (824): Successfully retrieved conn attrs
IKEv2-PLAT-2: (824): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-2: (824): connection auth hdl set to -1
IKEv2-PLAT-2:
CONNECTION STATUS: REGISTERED... peer: x.x.x.x:500, phase1_id: x.x.x.x
IKEv2-PROTO-2: (824): Initializing DPD, configured for 10 seconds
IKEv2-PLAT-2: mib_index set to: 501
IKEv2-PROTO-2: (824): Checking for duplicate IKEv2 SA
IKEv2-PROTO-2: (824): No duplicate IKEv2 SA found
IKEv2-PROTO-2: (824): Queuing IKE SA delete request reason: unknown

I couldn't find any other useful debugs and after reading through the configuration guide i saw all the bits about CGM not needing integrity.  I set my ipsec proposal to null and it came up straight away:

crypto ipsec ikev2 ipsec-proposal set-5
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

So hopefully that helps the next guy!

 

 

1 Accepted Solution

Accepted Solutions

Mike.Cifelli
VIP Alumni
VIP Alumni

Combined mode ciphers support/provide encryption & integrity via the single algorithm.  Glad you figured it out! Thanks for the share

View solution in original post

3 Replies 3

Mike.Cifelli
VIP Alumni
VIP Alumni

Combined mode ciphers support/provide encryption & integrity via the single algorithm.  Glad you figured it out! Thanks for the share

Thanks alot for sharing the solution it helped me to resolve the tunnel down issue 

Thanks for sharing 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: