05-10-2024 12:15 AM
Hi,
I'm getting strange issues: I cannot bring up the tunnel between the Cisco router and the Palo Alto FW.
On the Cisco router side I'm getting this in the IKEv2 debug:
==================================================================
*May 10 06:34:55.253: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 3,
(identity) local= 192.168.1.1:0, remote= 192.168.1.2:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
*May 10 06:34:55.255: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1:500, remote= 192.168.1.2:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*May 10 06:34:55.261: IKEv2:% Getting preshared key from profile keyring PRIMARY
*May 10 06:34:55.261: IKEv2:% Matched peer block 'palo'
*May 10 06:34:55.262: IKEv2:Searching Policy with fvrf 0, local address 192.168.1.1
*May 10 06:34:55.263: IKEv2:Found Policy 'PRIMARY'
*May 10 06:34:55.270: IKEv2:SA is already in negotiation, hence not negotiating again
*May 10 06:35:25.254: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 4,
(identity) local= 192.168.1.1:0, remote= 192.168.1.2:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
*May 10 06:35:25.255: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1:500, remote= 192.168.1.2:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*May 10 06:35:25.260: IKEv2:% Getting preshared key from profile keyring PRIMARY
*May 10 06:35:25.261: IKEv2:% Matched peer block 'palo'
*May 10 06:35:25.261: IKEv2:Searching Policy with fvrf 0, local address 192.168.1.1
*May 10 06:35:25.262: IKEv2:Found Policy 'PRIMARY'
*May 10 06:35:25.268: IKEv2:SA is already in negotiation, hence not negotiating again
*May 10 06:35:34.021: IKEv2-ERROR:Couldn't find matching SA: Negotiating limit reached, deny SA request
*May 10 06:35:34.022: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 192.168.1.2:500/To 192.168.1.1:500/VRF i0:f0]
Initiator SPI : 981433F14FD6564B - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*May 10 06:35:34.023: IKEv2-ERROR:: A supplied parameter is incorrect
=============================================================================
Cisco WAN IP: 192.168.1.1 Cisco Tunnel IP: 10.1.227.1
Palo Alto WAN side: 192.168.1.2 Cisco Tunnel IP: 10.1.227.2
On the Palo side it's the default policy, no restrictions in terms of policies.
Basically, here is my configuration for the Cisco side (I'm also attaching screenshots of the Palo Alto configuration below in attached messages):
==========================================================================
crypto ikev2 proposal PRIMARY
encryption 3des
integrity sha1
group 5
crypto ikev2 policy PRIMARY
proposal PRIMARY
crypto ikev2 keyring PRIMARY
peer palo
address 192.168.1.2 255.255.255.0
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
crypto ikev2 profile PRIMARY
match address local 192.168.1.1
match identity remote address 192.168.1.2 255.255.255.0
authentication local pre-share
authentication remote pre-share
keyring local PRIMARY
lifetime 28800
crypto ipsec transform-set PRIMARY esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile PRIMARY
set security-association lifetime seconds 28800
set transform-set PRIMARY
set ikev2-profile PRIMARY
interface Vlan1000
ip address 192.168.1.1 255.255.255.0
end
fusion_1#show run int tu1000
Building configuration...
Current configuration : 191 bytes
!
interface Tunnel1000
ip address 10.1.227.1 255.255.255.252
tunnel source 192.168.1.1
tunnel mode ipsec ipv4
tunnel destination 192.168.1.2
tunnel protection ipsec profile PRIMARY
end
ip route 0.0.0.0 0.0.0.0 192.168.1.2
=======================================================================
What am I doing wrong here? Thanks in advance.
05-14-2024 12:22 AM
Sorry, I was thinking it is IKEv1.
Anyway, add the command below:
call admission limit 1000
And check again.
MHM
05-14-2024 07:49 AM
15.2(CML_NIGHTLY_20180619)FE
Is this lab router in CML?
Also, when you run debug ip udp, do you see only receive and no send packets?
MHM
05-14-2024 01:04 AM
crypto ikev2 limit max-in-negotation-sa 500
crypto ikev2 limit max-sa 500
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
Applied, debugs:
*May 14 07:59:29.551: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 14 07:59:41.314: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 07:59:41.315: IKEv2:% Matched peer block 'palo'
*May 14 07:59:41.315: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 07:59:41.316: IKEv2:Found Policy 'TEST'
*May 14 07:59:41.321: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 08:00:09.223: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 2CA986224FA6D6BA - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 08:00:09.227: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 14 08:00:42.251: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 08:00:42.251: IKEv2:% Matched peer block 'palo'
*May 14 08:00:42.252: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 08:00:42.252: IKEv2:Found Policy 'TEST'
*May 14 08:00:42.258: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 08:01:08.662: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 2CA986224FA6D6BA - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 08:01:08.665: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 14 08:01:12.251: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 08:01:12.251: IKEv2:% Matched peer block 'palo'
*May 14 08:01:12.252: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 08:01:12.252: IKEv2:Found Policy 'TEST'
*May 14 08:01:12.259: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 08:01:42.250: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 08:01:42.250: IKEv2:% Matched peer block 'palo'
*May 14 08:01:42.251: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 08:01:42.251: IKEv2:Found Policy 'TEST'
*May 14 08:01:42.256: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 08:02:08.167: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 2CA986224FA6D6BA - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 08:02:08.173: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 14 08:02:12.255: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 08:02:12.256: IKEv2:% Matched peer block 'palo'
*May 14 08:02:12.257: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 08:02:12.257: IKEv2:Found Policy 'TEST'
*May 14 08:02:12.271: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 08:02:42.250: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 08:02:42.251: IKEv2:% Matched peer block 'palo'
*May 14 08:02:42.251: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 08:02:42.252: IKEv2:Found Policy 'TEST'
*May 14 08:02:42.258: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 08:03:07.651: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 2CA986224FA6D6BA - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 08:03:07.654: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
05-14-2024 02:22 AM
@MHM Cisco World, "call admission limit" is a resource manager CLI which is not used to control IKEv2 call admission control.
@Kamran Mustafayev, can you collect debug please when you do the following: 1) shutdown tunnel interface, 2) clear crypto session, 3) no shut the tunnel interface. I'd like to see what happens during the very first IKEv2 negotiation. To be honest, I've never seen anything like this. Perhaps you may need to try another IOS version.
05-14-2024 05:09 AM
Sure,
test_sw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
test_sw(config)#int tu1
test_sw(config-if)#shut
test_sw(config-if)#exit
*May 14 12:03:10.659: %LINK-5-CHANGED: Interface Tunnel1, changed state to administratively dowexit
test_sw#cle
test_sw#clear c
*May 14 12:03:12.785: %SYS-5-CONFIG_I: Configured from console by consolery
test_sw#clear crypto session
-----------
Tunnel line remains down, here are the debugs:
*May 14 12:03:52.264: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : F06221EC98AA0B96 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 12:03:52.267: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
test_sw#
test_sw#
*May 14 12:04:55.241: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 2A9F9CF590C936A2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 12:04:55.244: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 14 12:04:59.722: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 2A9F9CF590C936A2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 12:04:59.726: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
test_sw#
*May 14 12:05:09.633: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 2A9F9CF590C936A2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 12:05:09.639: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
05-14-2024 02:36 AM
Now we have solved the issue of the IKEv2 session limit and resource limit.
Now the negotiation is already running. When you do:
show crypto session
test_sw#Show crypto session
Crypto session current status
Interface: Tunnel1
Profile: TEST
Session status: DOWN-NEGOTIATING
Peer: 172.16.1.2 port 500
Session ID: 1
IKEv2 SA: local 172.16.1.1/500 remote 172.16.1.2/500 Inactive
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
That means the IKEv2 phase 1 is not running correctly.
So:
1- What IOS router do you use and what is its IOS version?
2- Do debug ip udp.
See if there are send/receive UDP 500 packets between the router and the Palo.
Waiting for your reply.
Thanks
MHM
05-14-2024 05:12 AM
1 - IOS version 15.2(CML_NIGHTLY_20180619)FE, on the Palo side: 9..0.0
Debug IP UDP:
test_sw#
*May 14 12:07:08.471: UDP: rcvd src=172.16.1.2(500), dst=172.16.1.1(500), length=252
*May 14 12:07:08.473: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 2A9F9CF590C936A2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 12:07:08.478: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
test_sw#
test_sw#
*May 14 12:07:31.995: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 12:07:31.996: IKEv2:% Matched peer block 'palo'
*May 14 12:07:31.996: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 12:07:31.996: IKEv2:Found Policy 'TEST'
*May 14 12:07:32.004: IKEv2:SA is already in negotiation, hence not negotiating again
test_sw#
*May 14 12:08:01.995: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 12:08:01.996: IKEv2:% Matched peer block 'palo'
*May 14 12:08:01.996: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 12:08:01.997: IKEv2:Found Policy 'TEST'
*May 14 12:08:02.002: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 12:08:07.936: UDP: rcvd src=172.16.1.2(500), dst=172.16.1.1(500), length=252
*May 14 12:08:07.939: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 2A9F9CF590C936A2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 12:08:07.946: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
05-14-2024 06:10 AM
This doesn't look like a regular IOS version. To me it looks more like a nightly build. Do you know anything about the origin of this file? Anyway, I'd try another one.
05-14-2024 10:05 PM
The thing is that it works fine when connected to Cisco, i.e. Cisco <> Cisco, but it fails with Palo Alto.
05-15-2024 12:17 AM - edited 05-15-2024 12:27 AM
You don't answer us.
Is it a LAB or a real router?
MHM
05-15-2024 01:42 AM
Yes, it is a LAB environment in EVE-NG
05-15-2024 02:55 AM
Can you confirm if you can ping the Palo from the IOS router?
Maybe you are missing routing and that makes the IOS router unable to reply to the Palo.
MHM
05-15-2024 05:31 AM
Yes, I can ping the Palo from the Cisco router; they are directly connected to each other.
05-15-2024 08:59 AM
That's perfect.
debug crypto ikev2 error
debug crypto ikev2 packet
Share the output of both debugs, but note: do not run both at the same time.
Run the first command, wait to get some debug output, then disable it and run the second one.
Waiting for your reply.
MHM
05-15-2024 06:29 AM
It is a LAB environment; I'm testing stuff before rolling it out to production.
Have you faced such behaviour due to the IOS version? Because I have all commands and functionality on this version.