05-10-2024 12:15 AM
Hi,
I'm getting strange issues: I cannot bring up the tunnel between the Cisco router and the Palo Alto FW.
On Cisco router side I'm getting this on debug IKEv2:
==================================================================
*May 10 06:34:55.253: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 3,
(identity) local= 192.168.1.1:0, remote= 192.168.1.2:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
*May 10 06:34:55.255: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1:500, remote= 192.168.1.2:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*May 10 06:34:55.261: IKEv2:% Getting preshared key from profile keyring PRIMARY
*May 10 06:34:55.261: IKEv2:% Matched peer block 'palo'
*May 10 06:34:55.262: IKEv2:Searching Policy with fvrf 0, local address 192.168.1.1
*May 10 06:34:55.263: IKEv2:Found Policy 'PRIMARY'
*May 10 06:34:55.270: IKEv2:SA is already in negotiation, hence not negotiating again
*May 10 06:35:25.254: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 4,
(identity) local= 192.168.1.1:0, remote= 192.168.1.2:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
*May 10 06:35:25.255: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1:500, remote= 192.168.1.2:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*May 10 06:35:25.260: IKEv2:% Getting preshared key from profile keyring PRIMARY
*May 10 06:35:25.261: IKEv2:% Matched peer block 'palo'
*May 10 06:35:25.261: IKEv2:Searching Policy with fvrf 0, local address 192.168.1.1
*May 10 06:35:25.262: IKEv2:Found Policy 'PRIMARY'
*May 10 06:35:25.268: IKEv2:SA is already in negotiation, hence not negotiating again
*May 10 06:35:34.021: IKEv2-ERROR:Couldn't find matching SA: Negotiating limit reached, deny SA request
*May 10 06:35:34.022: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 192.168.1.2:500/To 192.168.1.1:500/VRF i0:f0]
Initiator SPI : 981433F14FD6564B - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*May 10 06:35:34.023: IKEv2-ERROR:: A supplied parameter is incorrect
=============================================================================
Cisco WAN IP: 192.168.1.1 Cisco Tunnel IP: 10.1.227.1
Palo Alto WAN side: 192.168.1.2 Cisco Tunnel IP: 10.1.227.2
On the Palo side it's the default policy, no restrictions in terms of policies.
Basically here is my configuration for the Cisco side (I'm also attaching screenshots of the Palo Alto configuration below in attached messages):
==========================================================================
crypto ikev2 proposal PRIMARY
encryption 3des
integrity sha1
group 5
crypto ikev2 policy PRIMARY
proposal PRIMARY
crypto ikev2 keyring PRIMARY
peer palo
address 192.168.1.2 255.255.255.0
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
crypto ikev2 profile PRIMARY
match address local 192.168.1.1
match identity remote address 192.168.1.2 255.255.255.0
authentication local pre-share
authentication remote pre-share
keyring local PRIMARY
lifetime 28800
crypto ipsec transform-set PRIMARY esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile PRIMARY
set security-association lifetime seconds 28800
set transform-set PRIMARY
set ikev2-profile PRIMARY
interface Vlan1000
ip address 192.168.1.1 255.255.255.0
end
fusion_1#show run int tu1000
Building configuration...
Current configuration : 191 bytes
!
interface Tunnel1000
ip address 10.1.227.1 255.255.255.252
tunnel source 192.168.1.1
tunnel mode ipsec ipv4
tunnel destination 192.168.1.2
tunnel protection ipsec profile PRIMARY
end
ip route 0.0.0.0 0.0.0.0 192.168.1.2
=======================================================================
What am I doing wrong here? Thanks in advance
05-17-2024 02:24 AM
05-10-2024 12:16 AM
Attached Palo Alto side configs
05-12-2024 12:00 PM
Show crypto ikev2 sa
Show crypto session
Show crypto call admission
Share all of above
MHM
05-12-2024 11:46 PM
test_sw#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Sta
1 172.16.1.1/500 172.16.1.2/500 none/none IN-
Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Un0
Life/Active Time: 0/0 sec
IPv6 Crypto IKEv2 SA
=====================================================================
test_sw#Show crypto session
Crypto session current status
Interface: Tunnel1
Profile: TEST
Session status: DOWN-NEGOTIATING
Peer: 172.16.1.2 port 500
Session ID: 1
IKEv2 SA: local 172.16.1.1/500 remote 172.16.1.2/500 Inactive
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
=========================================================
test_sw#Show crypto call admission statistics
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 1000
Total IKE SA Count: 0 active: 0 negotiating: 0
Incoming IKE Requests: 0 accepted: 0 rejected: 0
Outgoing IKE Requests: 0 accepted: 0 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 0 active: 0 negotiating: 0
Incoming IPSEC Requests: 0 accepted: 0 rejected: 0
Outgoing IPSEC Requests: 0 accepted: 0 rejected: 0
Phase1.5 SAs under negotiation: 0
test_sw#
05-13-2024 12:25 AM
https://community.cisco.com/t5/vpn/crypto-ikev2-stuck-in-neg-state-maximum-number-of/td-p/4697594
Check this, I think it is a bug
MHM
05-13-2024 03:45 AM
Also getting these logs:
*May 13 10:35:33.216: IKEv2-ERROR:Couldn't find matching SA: Negotiating limit reached, deny SA request
*May 13 10:35:33.216: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 1F10AEE226A43450 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*May 13 10:35:33.218: IKEv2-ERROR:: A supplied parameter is incorrect
*May 13 10:35:35.044: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 10:35:35.044: IKEv2:% Matched peer block 'palo'
*May 13 10:35:35.045: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 10:35:35.045: IKEv2:Found Policy 'TEST'
*May 13 10:35:35.050: IKEv2:SA is already in negotiation, hence not negotiating again
Will check your link
05-13-2024 04:28 AM
Just checked "sh monitor event-trace crypto ikev2 error all"
Seeing this:
*May 13 11:26:03.763: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:03.765: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:03.767: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:03.769: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:36.909: SA ID:0 SESSION ID:0 Remote: UNKNOWN/832 IVRF/FVRF: 32768/84 INVALID SESSION found.
: Error encountered while navigating State Machine
*May 13 11:26:41.649: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:41.650: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:41.651: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:41.657: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:41.660: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:41.661: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:41.662: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:41.666: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:41.668: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:41.670: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
*May 13 11:26:41.672: SA ID:0 SESSION ID:0 Address length 90833728 is larger than ADDRLEN_IP
05-13-2024 05:18 AM
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvx74212
Did you check this bug?
We need to solve the max SA first.
The max SA as you share is zero, this is a bug
MHM
05-13-2024 05:35 AM
It seems you at least need to either enable PFS on both sides or disable it on both sides. Currently PFS is disabled on Cisco ("set pfs ..." is absent in the IPsec profile) and enabled on Palo Alto (IPSec Crypto Profile is configured with group5). To disable PFS on PA it should be configured as "no-pfs", so far as I remember.
Monitor event-trace diagnostics is really confusing, so there might be also something else which prevents successful negotiation.
05-13-2024 10:33 AM
I actually have it, just forgot to add in here, still the same problem
05-13-2024 10:50 AM
Do
crypto call admission limit ike in-negotiation-sa <limit>
Then share the debug again, let's see what other errors appear
MHM
05-13-2024 11:59 AM
crypto call admission limit ike in-negotiation-sa 500
test_sw#
Command has been added, debug:
*May 13 18:52:22.485: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 18:52:22.485: IKEv2:% Matched peer block 'palo'
*May 13 18:52:22.486: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 18:52:22.486: IKEv2:Found Policy 'TEST'
*May 13 18:52:22.491: IKEv2:SA is already in negotiation, hence not negotiating again
*May 13 18:52:33.625: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : F05D3FFF66CC3670 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 13 18:52:33.629: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 13 18:52:52.485: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 18:52:52.486: IKEv2:% Matched peer block 'palo'
*May 13 18:52:52.486: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 18:52:52.487: IKEv2:Found Policy 'TEST'
*May 13 18:52:52.492: IKEv2:SA is already in negotiation, hence not negotiating again
*May 13 18:53:22.485: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 18:53:22.486: IKEv2:% Matched peer block 'palo'
*May 13 18:53:22.487: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 18:53:22.487: IKEv2:Found Policy 'TEST'
*May 13 18:53:22.493: IKEv2:SA is already in negotiation, hence not negotiating again
*May 13 18:53:33.074: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : F05D3FFF66CC3670 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 13 18:53:33.077: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 13 18:53:52.486: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 18:53:52.487: IKEv2:% Matched peer block 'palo'
*May 13 18:53:52.487: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 18:53:52.488: IKEv2:Found Policy 'TEST'
*May 13 18:53:52.496: IKEv2:SA is already in negotiation, hence not negotiating again
*May 13 18:54:22.485: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 18:54:22.485: IKEv2:% Matched peer block 'palo'
*May 13 18:54:22.486: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 18:54:22.488: IKEv2:Found Policy 'TEST'
*May 13 18:54:22.496: IKEv2:SA is already in negotiation, hence not negotiating again
*May 13 18:54:32.571: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : F05D3FFF66CC3670 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
05-13-2024 01:14 PM
Above command and the bug mentioned are for IKEv1. You use IKEv2. IKEv2 Call Admission Control is configured with:
crypto ikev2 limit {max-in-negotation-sa <limit> | max-sa <limit>}
and verified with
show crypto ikev2 stats
if I remember correctly. Did this tunnel ever work? Did you try "clear crypto session" or reloading the router? There is a bug CSCvd69373, but I personally don't believe it matches. It requires fragmentation of IKEv2 packets, which should not happen in case of PSK. On the other hand, this looks very much like a stuck session entry.
05-14-2024 12:13 AM
Added
crypto ikev2 limit max-in-negotation-sa 500
crypto ikev2 limit max-sa 500
Reloaded, cleared crypto, getting the debugs below, tunnel is still down:
*May 14 07:08:52.335: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 14 07:09:14.352: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 07:09:14.352: IKEv2:% Matched peer block 'palo'
*May 14 07:09:14.353: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 07:09:14.354: IKEv2:Found Policy 'TEST'
*May 14 07:09:14.360: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 07:09:31.940: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : B64253718680F2EA - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 07:09:31.944: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 14 07:09:44.351: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 07:09:44.351: IKEv2:% Matched peer block 'palo'
*May 14 07:09:44.352: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 07:09:44.352: IKEv2:Found Policy 'TEST'
*May 14 07:09:44.359: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 07:10:14.352: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 07:10:14.353: IKEv2:% Matched peer block 'palo'
*May 14 07:10:14.354: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 07:10:14.355: IKEv2:Found Policy 'TEST'
*May 14 07:10:14.364: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 07:10:31.283: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : B64253718680F2EA - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N
*May 14 07:10:31.290: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
05-14-2024 12:13 AM
Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 500 Max in nego(in/out): 500/400
Total incoming IKEv2 SA Count: 21 active: 0 negotiating: 21
Total outgoing IKEv2 SA Count: 1 active: 0 negotiating: 1
Incoming IKEv2 Requests: 21 accepted: 21 rejected: 0
Outgoing IKEv2 Requests: 1 accepted: 1 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0
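The debug output earlier in this thread and the `show crypto ikev2 stats` counters just above carry the same signal read two ways: the peer keeps retransmitting IKE_SA_INIT with the same initiator SPI and an all-zero responder SPI (it never gets an answer), the local side refuses to start because an SA is "already in negotiation", and the stats show 21 incoming SAs negotiating with 0 active. The script below is an added example written for this thread, not code from Cisco, Palo Alto or any poster; it parses constructed sample lines in the shape of the ones posted here and reports those stuck-negotiation indicators so the symptom can be spotted without reading the whole debug by hand. The regular expressions and the sample text are assumptions modelled on the output above; nothing else about the platform is assumed.

```python
"""Pull stuck-negotiation indicators out of Cisco IKEv2 debug and stats output (added example)."""
import re
from collections import Counter

# Constructed sample debug lines, modelled on the output posted in this thread.
SAMPLE_DEBUG = """\
*May 14 07:09:14.354: IKEv2:Found Policy 'TEST'
*May 14 07:09:14.360: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 07:09:31.940: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : B64253718680F2EA - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*May 14 07:09:31.944: IKEv2-ERROR:INVALID SESSION found.
*May 14 07:10:31.283: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : B64253718680F2EA - Responder SPI : 0000000000000000 Message id: 0
*May 13 10:35:33.216: IKEv2-ERROR:Couldn't find matching SA: Negotiating limit reached, deny SA request
"""

# Constructed sample 'show crypto ikev2 stats' output, same shape as the one posted above.
SAMPLE_STATS = """\
Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 500 Max in nego(in/out): 500/400
Total incoming IKEv2 SA Count: 21 active: 0 negotiating: 21
Total outgoing IKEv2 SA Count: 1 active: 0 negotiating: 1
Incoming IKEv2 Requests: 21 accepted: 21 rejected: 0
"""

# Patterns are assumptions based on the lines above, not a documented Cisco format.
SPI_RE = re.compile(r"Initiator SPI : ([0-9A-Fa-f]+) - Responder SPI : ([0-9A-Fa-f]+)")
SA_COUNT_RE = re.compile(
    r"Total (incoming|outgoing) IKEv2 SA Count: (\d+) active: (\d+) negotiating: (\d+)")
MAX_NEGO_RE = re.compile(r"Max in nego\(in/out\): (\d+)/(\d+)")


def parse_debug(text):
    """Count the debug messages that signal a stuck or rejected negotiation.

    Returns (counts, unanswered): counts is a dict of message counters, unanswered maps
    each initiator SPI that was retransmitted with an all-zero responder SPI to how
    many times it was seen (the peer is resending IKE_SA_INIT because nothing answers).
    """
    counts = Counter()
    spis = Counter()
    for line in text.splitlines():
        if "SA is already in negotiation" in line:
            counts["already_in_negotiation"] += 1
        if "INVALID SESSION found" in line:
            counts["invalid_session"] += 1
        if "Negotiating limit reached" in line:
            counts["limit_reached"] += 1
        if "IKE_SA_INIT Exchange REQUEST" in line:
            counts["sa_init_requests"] += 1
        m = SPI_RE.search(line)
        if m and set(m.group(2)) == {"0"}:
            spis[m.group(1).upper()] += 1
    unanswered = {spi: n for spi, n in spis.items() if n > 1}
    return dict(counts), unanswered


def parse_stats(text):
    """Pull the per-direction SA counters and the in-negotiation limits out of the stats output."""
    stats = {}
    for m in SA_COUNT_RE.finditer(text):
        direction, total, active, nego = m.groups()
        stats[direction] = {"total": int(total), "active": int(active), "negotiating": int(nego)}
    m = MAX_NEGO_RE.search(text)
    if m:
        stats["max_in_nego"] = {"in": int(m.group(1)), "out": int(m.group(2))}
    return stats


def diagnose(debug_text, stats_text):
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    counts, unanswered = parse_debug(debug_text)
    stats = parse_stats(stats_text)
    findings = []
    if counts.get("limit_reached"):
        findings.append(f"{counts['limit_reached']} inbound IKE_SA_INIT rejected: "
                        "in-negotiation SA limit reached")
    for spi, n in unanswered.items():
        findings.append(f"peer retransmitted IKE_SA_INIT {n} times with initiator SPI {spi} "
                        "and never got a response")
    if counts.get("already_in_negotiation"):
        findings.append(f"local initiator suppressed {counts['already_in_negotiation']} times: "
                        "an SA for this peer is already in negotiation")
    if counts.get("invalid_session"):
        findings.append(f"{counts['invalid_session']} state-machine errors (INVALID SESSION found)")
    for direction in ("incoming", "outgoing"):
        d = stats.get(direction)
        if d and d["negotiating"] > 0 and d["active"] == 0:
            findings.append(f"{d['negotiating']} {direction} IKEv2 SAs stuck in negotiation, 0 active")
    limit, inc = stats.get("max_in_nego"), stats.get("incoming")
    if limit and inc and inc["negotiating"] >= limit["in"]:
        findings.append("incoming in-negotiation count has reached the configured limit")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG, SAMPLE_STATS):
        print("-", finding)
```

Run it against a real capture by replacing the two sample strings with the text of `debug crypto ikev2` and `show crypto ikev2 stats`; a non-empty "stuck in negotiation, 0 active" finding together with a repeated initiator SPI is the pattern this thread shows, and it is worth checking before touching proposals or PFS, since a mismatch in those normally produces a NO_PROPOSAL_CHOSEN style exchange rather than silence toward the peer.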