12-13-2019 10:22 AM
We have a client that we are moving from a policy-based to a route-based L2L IPsec VPN. The tunnel will come up, but during a rekey attempt the tunnel will stop passing traffic. We see the following message in our Cisco firewall log.
%ASA-4-750003: Local:x.x.x.x:500 Remote:y.y.y.y:500 Username:y.y.y.y IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
To get traffic flowing again, we have to reset the tunnel at both ends.
The platform the client is using is a Versa 810 FlexVNF. We are running 9.9(2)32 code. We have verified that all parameters match. A connection to an ASA at this same client site doesn't have any issues.
Any ideas what to look at?
02-24-2020 03:32 AM
I am seeing a similar issue with a VPN to Azure.
%ASA-4-750003: Local:x.x.x.x:500 Remote:x.x.x.x:500 Username:x.x.x.x IKEv2 Negotiation aborted due to ERROR: Platform errors
02-24-2020 09:20 AM
Can you run the debug commands below and share the output?
! Keep debug-level syslog in the local buffer (and make the buffer large enough to hold a rekey)
logging buffered debugging
logging buffer-size 2034678
!
! Capture the IKE (ISAKMP) packets exchanged with the peer on the outside interface
capture VPN type isakmp interface outside match ip host (your outside ip-add) host x.x.x.x (remote-peer-ip)
!
! Restrict crypto debugs to this one peer, then enable IPsec and IKEv2 debugs at full detail (127)
debug crypto condition peer x.x.x.x
debug crypto ipsec 127
debug crypto ikev2 platform 127
debug crypto ikev2 protocol 127
!
03-10-2021 06:36 AM
Any update?
10-01-2022 08:16 AM
Our problem was resolved with a careful inspection of the match ACLs on both ends of the tunnel. In our case, overlapping subnets were causing a problem.
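As an added example (not code from this thread, from Cisco, or from Versa), the script below does two things a practitioner chasing this failure would want: it parses %ASA-4-750003 lines to count IKEv2 negotiation aborts per peer and reason, and it checks a crypto map ACL for entries whose local/remote ranges overlap and for entries that have no exact mirror on the peer. The syslog lines and the ACLs are constructed samples using documentation address ranges; representing each ACE as a (local, remote) network pair is a simplification of the real ACL syntax.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-4-750003 format quoted in this thread.
# The addresses are RFC 5737 documentation ranges, not real peers.
SAMPLE_LOG = """\
%ASA-4-750003: Local:203.0.113.10:500 Remote:198.51.100.20:500 Username:198.51.100.20 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
%ASA-4-750003: Local:203.0.113.10:500 Remote:198.51.100.20:500 Username:198.51.100.20 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
%ASA-4-750003: Local:203.0.113.10:500 Remote:198.51.100.30:500 Username:198.51.100.30 IKEv2 Negotiation aborted due to ERROR: Platform errors
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.40/51234 (198.51.100.40/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# Field layout of the 750003 message as it appears in the thread: local/remote IP:port,
# a Username (the peer IP for an L2L tunnel) and the free-text error reason at the end.
LOG_RE = re.compile(
    r"%ASA-4-750003: Local:(?P<local>[\d.]+):(?P<lport>\d+) "
    r"Remote:(?P<remote>[\d.]+):(?P<rport>\d+) Username:\S+ "
    r"IKEv2 Negotiation aborted due to ERROR: (?P<reason>.+)$"
)


def parse_750003(lines):
    """Return (local, remote, reason) for every %ASA-4-750003 line; other messages are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m["local"], m["remote"], m["reason"].strip()))
    return events


def failures_per_peer(lines):
    """Count negotiation aborts per (remote peer, reason), e.g. to alert on repeated rekey failures."""
    return Counter((remote, reason) for _, remote, reason in parse_750003(lines))


# Constructed crypto ACLs, simplified to (local_network, remote_network) pairs.
# Entry 1 is a subnet of entry 0's local range with the same remote range, so the
# two traffic selectors overlap.
OUR_ACL = [
    ("10.1.0.0/16", "192.168.10.0/24"),
    ("10.1.5.0/24", "192.168.10.0/24"),
]
# The peer's ACL (mirrored: its local is our remote). It only mirrors entry 0.
PEER_ACL = [
    ("192.168.10.0/24", "10.1.0.0/16"),
]


def find_overlaps(acl):
    """Return pairs of ACL entries whose local AND remote ranges overlap (ambiguous selectors)."""
    nets = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in acl]
    overlaps = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            li, ri = nets[i]
            lj, rj = nets[j]
            if li.overlaps(lj) and ri.overlaps(rj):
                overlaps.append((acl[i], acl[j]))
    return overlaps


def mirror_mismatches(local_acl, peer_acl):
    """Return entries on this end that have no exact (remote, local) mirror on the peer."""
    peer_mirrored = {
        (ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in peer_acl
    }
    return [
        (l, r)
        for l, r in local_acl
        if (ipaddress.ip_network(l), ipaddress.ip_network(r)) not in peer_mirrored
    ]


if __name__ == "__main__":
    for (peer, reason), count in failures_per_peer(SAMPLE_LOG.splitlines()).items():
        print(f"{peer}: {count} x '{reason}'")
    for a, b in find_overlaps(OUR_ACL):
        print(f"overlapping selectors: {a} <-> {b}")
    for entry in mirror_mismatches(OUR_ACL, PEER_ACL):
        print(f"no mirror on peer for: {entry}")
```

Run against a real `show logging` dump, the counter shows which peer is repeatedly hitting "Create child exchange failed" at rekey time, and the two ACL checks turn the "inspect the match ACLs on both ends" advice into something mechanical: overlapping entries on one side, and entries the other side does not mirror, are both worth fixing before looking further into the IKEv2 debugs.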