11-14-2015 09:34 AM
hi,
We encounter a problem on an IPsec VPN (IKEv2) with certificate authentication on a Firewall ASA: it remains up for 5 seconds and then deletes the IKE SA. NB: the IPsec IKEv2 VPN is between the Firewall ASA and a Firewall FortiGate. On the ASA side we have:
IKEv2-PLAT-3: (7483): SENT PKT [IKE_AUTH] [172.21.176.1]:500->[10.7.3.28]:500 InitSPI=0xc8dbf4ef45acf4e0 RespSPI=0xe74e994ac120cf35 MID=00000001
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-5: (7483): Action: Action_Null
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-5: (7483): Closing the PKI session
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-2: (7483): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2-PROTO-2: (7483): Session with IKE ID PAIR (e=agouzoza@eurafric-information.com,cn=10.7.3.28,ou=Security,l=XX Siege,c=XX, cn=FWMutualisation1.XXXXX,ou=XXXX,o=XXX,l=XXXX,c=XXXX) is UP
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-2: (7483): connection auth hdl set to 1204
IKEv2-PLAT-2: (7483): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-2: (7483):
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-2: (7483): idle timeout set to: 30
IKEv2-PLAT-2: (7483): session timeout set to: 0
IKEv2-PLAT-2: (7483): group policy set to GroupePolicy_10.7.3.28
IKEv2-PLAT-2: (7483): class attr set
IKEv2-PLAT-2: (7483): tunnel protocol set to: 0x40
IKEv2-PLAT-2: (7483): IPv4 filter ID not configured for connection
IKEv2-PLAT-2: (7483): group lock set to: none
IKEv2-PLAT-2: (7483): IPv6 filter ID not configured for connection
IKEv2-PLAT-2: (7483): connection attribues set valid to TRUE
IKEv2-PLAT-2: (7483): Successfully retrieved conn attrs
IKEv2-PLAT-2: (7483): Session registration after conn attr retrieval PASSED, No error
IKEv2-PROTO-2: (7483): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-2: (7483): Load IPSEC key material
IKEv2-PLAT-2: (7483): Base MTU get: 0
IKEv2-PLAT-2: (7483): Base MTU get: 0
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-2: (7483): Checking for duplicate IKEv2 SA
IKEv2-PROTO-2: (7483): No duplicate IKEv2 SA found
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: READY Event: EV_R_OK
IKEv2-PROTO-2: (7483): Starting timer (8 sec) to delete negotiation context
IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: READY Event: EV_NO_EVENT
On the other firewall (FortiGate) we have this log:
ike 0:MON-SYSBD:2817: initiator received AUTH msg
ike 0:MON-SYSBD:2817: received peer identifier DER_ASN1_DN, CN='FWMutualisation1.domain.X'
ike 0:MON-SYSBD:2817: peer certificate not received
ike 0:MON-SYSBD:2817: certificate validation failed
ike 0:MON-SYSBD:2817: auth verify done
ike 0:MON-SYSBD:2817: initiator AUTH continuation
ike 0:MON-SYSBD:2817: authentication failed
ike 0:MON-SYSBD:2817: schedule delete of IKE SA 2e63d347bb247f75/9b9f04e2d6d89f7f
ike 0:MON-SYSBD:2817: scheduled delete of IKE SA 2e63d347bb247f75/9b9f04e2d6d89f7f
ike 0:MON-SYSBD: connection expiring due to phase1 down
ike 0:MON-SYSBD: deleting
ike 0:MON-SYSBD: flushing
ike 0:MON-SYSBD: flushed
ike 0:MON-SYSBD: deleted
So not going as smoothly as hoped. Any suggestions gladly received!
11-14-2015 02:36 PM
Hi Mohamed,
Is there any chance to change the authentication to pre-shared keys? If the tunnel remains up with this configuration, it may indicate a problem with the certificates or with fragmentation in the middle.
Hope it helps
-Randy-
11-15-2015 03:47 AM
Hi,
Thank you for your update.
We had the IPsec IKEv1 VPN with the same trustpoint functioning correctly.
I will use the PSK to test again, but can you show me how I can detect and fix the fragmentation issue?
BR
11-16-2015 09:45 AM
I am puzzled about what is going on. In the original post I see this
IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
which seems to indicate that IKE negotiation was successful. But apparently the other side of the VPN is reporting an error. Is it possible that more than one VPN is configured and that this output is related to a different connection?
The screenshot seems to show a process that is repeated over and over, in which negotiation starts and gets a response, then a second message and response, and then something is sent which is fragmented, after which the process starts over again. That does suggest that there could be a problem with the certificate being sent and getting fragmented.
HTH
Rick
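Added example, not from the thread or from either vendor: a small Python checker that parses constructed, trimmed copies of the two debug excerpts above and flags the two things Rick raises, an SA that the ASA reports as created while the FortiGate rejects IKE_AUTH, and whether the two excerpts even carry the same SPI pair (if not, they may be different attempts or different tunnels). The cause strings are my own reading of the FortiGate messages, not vendor text.

```python
import re
# Constructed samples modelled on the thread's two debug excerpts (trimmed to the decisive lines)
ASA_DEBUG = """\
IKEv2-PLAT-3: (7483): SENT PKT [IKE_AUTH] [172.21.176.1]:500->[10.7.3.28]:500 InitSPI=0xc8dbf4ef45acf4e0 RespSPI=0xe74e994ac120cf35 MID=00000001
IKEv2-PROTO-2: (7483): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
"""
FORTIGATE_DEBUG = """\
ike 0:MON-SYSBD:2817: initiator received AUTH msg
ike 0:MON-SYSBD:2817: peer certificate not received
ike 0:MON-SYSBD:2817: certificate validation failed
ike 0:MON-SYSBD:2817: authentication failed
ike 0:MON-SYSBD:2817: schedule delete of IKE SA 2e63d347bb247f75/9b9f04e2d6d89f7f
"""
FGT_LINE = re.compile(r"^ike \d+:(?P<gw>[^:]+):\d+: (?P<msg>.+)$")
FGT_SPI = re.compile(r"IKE SA ([0-9a-f]{16})/([0-9a-f]{16})")
ASA_SPI = re.compile(r"InitSPI=0x([0-9a-f]{16}) RespSPI=0x([0-9a-f]{16})")
# First matching line wins, so the root symptom (no CERT payload) is reported, not the failure that follows it
CAUSES = [
    ("peer certificate not received", "CERT payload never arrived: suspect IKE_AUTH fragmentation or a trustpoint that sends no certificate"),
    ("certificate validation failed", "CERT payload arrived but the chain or validity check failed: check the CA chain on the trustpoint"),
]

def parse_fortigate(text):
    """Pull gateway name, auth outcome, root cause and IKE SA SPIs out of FortiGate IKE debug lines."""
    out = {"gateway": None, "auth_failed": False, "cause": None, "spis": None}
    for line in text.splitlines():
        m = FGT_LINE.match(line)
        if not m:
            continue
        out["gateway"], msg = m.group("gw"), m.group("msg")
        if msg == "authentication failed":
            out["auth_failed"] = True
        if out["cause"] is None:
            out["cause"] = next((why for needle, why in CAUSES if needle in msg), None)
        if spi := FGT_SPI.search(msg):
            out["spis"] = spi.groups()
    return out

def parse_asa(text):
    """Report whether the ASA installed the IKEv2 SA, and the SPIs of the IKE_AUTH exchange it logged."""
    created = any("IKEV2 SA created" in line for line in text.splitlines())
    spi = ASA_SPI.search(text)
    return {"sa_created": created, "spis": spi.groups() if spi else None}

def diagnose(asa_text, fgt_text):
    """Flag the thread's two puzzles: a one-sided 'up', and whether both excerpts are even the same IKE SA."""
    asa, fgt = parse_asa(asa_text), parse_fortigate(fgt_text)
    same_sa = bool(asa["spis"] and fgt["spis"]) and set(asa["spis"]) == set(fgt["spis"])
    return {"one_sided": asa["sa_created"] and fgt["auth_failed"], "same_sa": same_sa, "cause": fgt["cause"]}
```

Run against the thread's own excerpts it reports one_sided=True and same_sa=False, which is exactly the pairing that should make you capture both sides of one attempt (matching SPIs) before blaming the certificate or fragmentation.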