cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17108
Views
0
Helpful
10
Replies

IKEV2 IN-NEG ISSUE

billmoise
Level 1
Level 1

The following are the configs for a flexVPN hub/spoke connections.

 

I keep receiving the following error on the spoke

Main-Store#
*Apr 4 20:32:47.513: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEX_HUBS) Client_public_addr = 172.16.2.2 Server_public_addr = 172.25.1.2
Main-Store#
*Apr 4 20:35:01.904: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEX_HUBS) Client_public_addr = 172.16.2.2 Server_public_addr = 172.25.1.2

 

 

HUB-CONFIG

crypto logging session
!
no crypto ikev2 http-url cert
!
crypto ikev2 proposal FLEX_PROP
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy FLEX_POL
proposal FLEX_PROP
match fvrf any
!
crypto ikev2 authorization policy FLEX_AUTH_POL
route set interface
route set access-list 56
def-domain wanlab.wan
!
!
crypto ikev2 profile FLEX_PROF
match identity remote fqdn domain wanlab.wan
identity local fqdn hub.wanlab.wan
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint WANLAB-CA
aaa authorization group cert list default FLEX_AUTH_POL
virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
!
crypto ipsec transform-set FLEX_TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile FLEX_IPSEC
set transform-set FLEX_TS
set pfs group14
set ikev2-profile FLEX_PROF
!
ip access-list standard 56
10 permit 0.0.0.0 0.0.0.0
!
int virtual-template 1 type tunnel
ip unnumbered lo1
ip mtu 1400
ip nhrp network-id 757631
ip nhrp holdtime 200
ip tcp adjust-mss 1360
ip nhrp redirect
tunnel protection ipsec profile FLEX_IPSEC 

!

SPOKE 1 CONFIG

crypto logging session
!
no crypto ikev2 http-url cert
!
crypto ikev2 proposal FLEX_PROP
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy FLEX_POL
proposal FLEX_PROP
match fvrf any
!
crypto ikev2 authorization policy FLEX_AUTH_POL
route set interface
route set access-list 56
!
!
crypto ikev2 profile FLEX_PROF
match identity remote fqdn domain wanlab.wan
identity local fqdn main-store.wanlab.wan
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint WANLAB-CA
aaa authorization group cert list default FLEX_AUTH_POL
virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
!
crypto ipsec transform-set FLEX_TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile FLEX_IPSEC
set transform-set FLEX_TS
set pfs group14
set ikev2-profile FLEX_PROF
!
ip access-list standard 56
10 permit 192.168.102.0 0.0.0.255
20 permit 10.19.0.0 0.0.31.255
!
crypto ikev2 client flexvpn FLEX_HUBS
connect auto
client connect tunnel 1
peer 1 172.25.1.2
!
int tunnel 1
ip address 10.1.1.2 255.255.255.0
ip mtu 1400
ip nhrp network-id 757631
ip nhrp holdtime 200
ip tcp adjust-mss 1360
ip nhrp redirect
ip nhrp shortcut virtual-template 1
tunnel source gi0/1
tunnel destination dynamic
tunnel protection ipsec profile FLEX_IPSEC
!
int virtual-template 1 type tunnel
ip unnumbered tu1
ip mtu 1400
ip nhrp network-id 757631
ip nhrp holdtime 200
ip tcp adjust-mss 1360
ip nhrp redirect
ip nhrp shortcut virtual-template 1
tunnel protection ipsec profile FLEX_IPSEC

 

SHOW CMD

 

Main-Store#sh crypto ikev2 sa detail
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 172.16.2.2/500 172.25.1.2/500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
CE id: 1078, Session-id: 0
Status Description: Initiator waiting for AUTH response
Local spi: 25ED8F0CE3392D9E Remote spi: 642C6F4CBEA8106E
Local id: Main-Store.wanlab.wan
Remote id:
Local req msg id: 1 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 1 Remote req queued: 0
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA

 

HUB#sh crypto ikev2 sa detail
HUB#
HUB#

 

 

10 Replies 10

balaji.bandi
Hall of Fame
Hall of Fame

what is this device models and can you also post show version.

 

if possible run debug and post the negotiations.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,
Is the state NEGOTIATING when you use the command "show crypto ikev2 client flexvpn" on the spoke?

Can you enable the following debugs:-
debug crypto ikev2
debug crypto ikev2 client flexvpn

I assume you can ping the Hub from the spoke and there is no ACL on hub or a FW in front of the Hub blocking traffic?

Attached are the running configs of the HUB and Remote Store. I also attached the debug of "debug crypto ikev2" on the HUB and Remote.

Snip of the topology

 

I noticed in the debug that after the INIT SA passes and the remote is sending the authentication, the HUB is saying it hasn't received it and deletes the session.

From the logs it looks like the remote-store router cannot verify the Hub routers certificate. Can you upload the output of "show crypto pki certificates ver" from both routers please.

 

Remote-Store#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 172.16.1.2/500 172.25.1.2/500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: Unknown - 0

 

The logs on the Hub do reveal however that it waited 30secs for auth message, which might explain why it failed to verify.

 

*Apr 9 16:44:25.827: IKEv2:(SESSION ID = 6344,SA ID = 1):Starting timer (30 sec) to wait for auth message
HUB#
*Apr 9 16:44:55.828: IKEv2-ERROR:(SESSION ID = 6344,SA ID = 1):: Failed to receive the AUTH msg before the timer expired

 

From the time in the logs it looks like the debugs were from different periods. Can you shutdown the tunnel on the spoke, turn on debugging on both routers and then no shutdown the tunnel interface and wait for the tunnel to fail to establish, upload the debug output from both routers. After the tunnel has failed to build, please also upload the output of "show crypto ikev2 sa detail" from both routers.

 

Make sure the clock on the routers are the same time.

 

It appears you also have another Tunnel interface on the routers, they don't appear to be shutdown. Can you disable temporarily for testing.

Attached is the info for the certs as well as the show command.

 

Thanks

What about re-running the debugs and providing the output?

 

Re-checking your previous logs, from the remote router - it is sending a packet to the HUB but not receiving a response, so is therefore retransmitting. Normally you should expect a "Received Packet....." from the HUB.

 

*Apr 9 16:29:01.032: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 82B0E40CF438FC7F - Responder SPI : BF26542482B19789 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload cont
Remote-Store#debug crypto ikev2 clienttents:
ENCR

*Apr 9 16:29:02.970: IKEv2:(SESSION ID = 54,SA ID = 1):Retransmitting packet

*Apr 9 16:29:02.971: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 172.25.1.2:500/From 172.16.1.2:500/VRF i0:f0]
Initiator SPI : 82B0E40CF438FC7F - Responder SPI : BF26542482B19789 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

 

Please can you check/disable any ACLs for testing - you will need UDP/500, ESP and if natting UDP/4500.

I re-ran the debug commands on both devices. I have them attached

I see no obvious reason why this will not establish. You could be hitting this bug though https://bst.cloudapps.cisco.com/bugsearch/bug/CSCua90097/?rfs=iqvred

 

What IOS version are you running?

 

Remote-Store#sh crypto ikev2 sa det
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 172.16.1.2/500 172.25.1.2/500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
CE id: 1086, Session-id: 0
Status Description: Initiator waiting for AUTH response

 

The Cisco page does say "FlexVPN Client" so perhaps instead of using the client configuration for testing on the remote spoke you could change the tunnel destination to "tunnel destination 172.25.1.2" from dynamic.

 

Also, did you shut down the other Tunnel that appeared to be configured on both routers?

 

EDIT:- Please provide the output from both routers

 

show crypto ikev2 stats ext-service
show crypto ikev2 stats exchange detail
show crypto ikev2 stats timeout

 

I uploaded the show commands output, show version output and debug output in the attachments. I shut the other tunnel down on both routers.

amekhanoshin
Level 1
Level 1

Try this, solve me:

 

1) Shutdown tunnels
2) Check ikev2 sa deleted (or clear: clear crypto ikev2 sa remote x.x.x.x )
3) Next (spoke and hub):

#conf t
(config)#crypto ikev2 fragmentation
(config)#exit

 

PS Using fragmentation creates 'Denial of service attack ' attack risks!
PSPS Sorry for my bad english

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: