IKEv2 Negotiation aborted due to ERROR: Create child exchange failed

amir.glibic
Level 1

Hi,

Every few weeks we have an issue with one VPN tunnel during rekeying. The logs show the following message:

%ASA-4-750003: Local:x.x.x.x:500 Remote:y.y.y.y:500 Username:y.y.y.y IKEv2 Negotiation aborted due to ERROR: Create child exchange failed

HW is an ASA 5525-X, running 9.8.4 (26) in Multi-Context Mode.

I can't find any info regarding this message. We've also set the logging to lvl 7, but no additional info is logged.
An explicit debugging is a bit complex, since the errors occur only once every few weeks.

I'm not sure if this could be related to the remote firewall, which is not a Cisco ASA and not configured by us.

A workaround is to reset the tunnel manually, but some users lose their sessions, so it's a bit annoying.

Any ideas what to change or look for?

Thanks in advance!
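As an added example (not from the original post or from Cisco), a small Python parser that pulls the %ASA-4-750003 aborts out of exported ASA syslog and summarises the "Create child exchange failed" rekey failures per remote peer, so the sporadic event can be alerted on and correlated with the 14400 s lifetime instead of being noticed only after users lose sessions. The hostname, timestamps and addresses in the sample lines are constructed; the message text follows the line quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog export (logging timestamp enabled). Only the
# 750003 message text is taken from the post; hostname/times/IPs are made up.
SAMPLE_LOGS = """\
Mar 03 2020 02:11:05 asa-ctx1 : %ASA-6-302013: Built inbound TCP connection 7781 for outside:192.0.2.9/51022 (192.0.2.9/51022) to inside:10.0.0.5/443 (10.0.0.5/443)
Mar 03 2020 02:11:05 asa-ctx1 : %ASA-4-750003: Local:203.0.113.1:500 Remote:198.51.100.7:500 Username:198.51.100.7 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
Mar 17 2020 06:11:07 asa-ctx1 : %ASA-4-750003: Local:203.0.113.1:500 Remote:198.51.100.7:500 Username:198.51.100.7 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
Mar 17 2020 06:11:09 asa-ctx1 : %ASA-4-750003: Local:203.0.113.1:500 Remote:192.0.2.44:500 Username:192.0.2.44 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed
"""

# Timestamp, message id, local/remote peer and the free-text ERROR reason.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*?%ASA-\d-(?P<msgid>\d{6}): "
    r"Local:(?P<local>[\d.]+):\d+ Remote:(?P<remote>[\d.]+):\d+ Username:\S+ "
    r"IKEv2 Negotiation aborted due to ERROR: (?P<reason>.+)$"
)

CHILD_SA_REASON = "Create child exchange failed"


def parse_ikev2_aborts(text):
    """Return one dict per %ASA-4-750003 line: when, which remote peer, which reason."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("msgid") != "750003":
            continue  # unrelated syslog line or a different IKEv2 message
        events.append({
            "time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
            "peer": m.group("remote"),
            "reason": m.group("reason").strip(),
        })
    return events


def summarize_child_sa_failures(events):
    """Per remote peer: count and first/last time of CHILD_SA (rekey) aborts.
    Other abort reasons (e.g. authentication) are deliberately left out so the
    summary isolates the rekey failure discussed in the post."""
    by_peer = defaultdict(list)
    for e in events:
        if e["reason"] == CHILD_SA_REASON:
            by_peer[e["peer"]].append(e["time"])
    return {peer: {"count": len(ts), "first": min(ts), "last": max(ts)}
            for peer, ts in by_peer.items()}


if __name__ == "__main__":
    for peer, s in summarize_child_sa_failures(parse_ikev2_aborts(SAMPLE_LOGS)).items():
        print(f"{peer}: {s['count']} rekey failures, first {s['first']}, last {s['last']}")
```

Feed it the syslog export from a collector rather than `show logging`, since the buffer on the ASA will have rolled over long before a failure that recurs every few weeks is investigated.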


PFS must be configured on both sides of the IKEv2 tunnel.

PFS is configured. As mentioned, it works 99% of the time.

Rekeying occurs every few hours, the connection is stable for many weeks, but then it suddenly fails during rekeying with this message.

Perfect Forward Secrecy is a cryptographic technique where the newly generated keys are unrelated to any previously generated key. With PFS enabled, the ASA generates a new set of keys that are used during the IPsec Phase 2 negotiations. Without PFS, the ASA uses Phase 1 keys in the Phase 2 negotiations. The ASA uses DH group 1, 2, 5 for PFS to generate the keys.

The command is below. However, you need to make sure both ends have the same PFS value configured.
crypto map outside_map 10 set pfs group 5

please do not forget to rate.

Could you give us the output of the command "show run all crypto map | i x.x.x.x" (x.x.x.x is your remote public peer IP address)?

please do not forget to rate.

crypto map outside_map 1 match address itraffic-abc-def
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set connection-type bidirectional
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 phase1-mode main
crypto map outside_map 1 set ikev2 mode tunnel
crypto map outside_map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map 1 set security-association lifetime seconds 14400
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
no crypto map outside_map 1 set tfc-packets

The only thing I can suggest is to change the Security Association Lifetime values. Normally, the IPsec security association lifetime specifies when the IPsec peer should renegotiate a new pair of data encryption keys. If you do not specify the lifetime, the default value is 28,800 seconds or 4,275,00 KB. You can set the IPsec SA to expire in either 11,400 sec (4 hours) or 2,500,00 KB, whichever comes first.

"crypto map outside_map 10 set security-association lifetime kilobytes 250000 seconds 14400"

Lifetime in seconds can vary between 120 and 2,147,483,647, and the lifetime in kilobytes can range from 10 to 2,147,483,647 KB.

Double check what values are configured on the other end.

please do not forget to rate.

 

Sorry, somehow the last 2 lines were cut off during copy and paste.

We already have configured the lifetime as unlimited, since the counterpart requires this.

I've edited my post with the config above and added the missing lines.


I'm not sure if this "unlimited" setting may cause an issue, but the other side says it must be unlimited, otherwise they faced issues in the past.
And lifetime was checked also, it matches definitely.

Not sure what the tfc-packets do, but I don't think that I've ever enabled them...

Hi,
I read your reply, so I want to clarify some points.
Note: IKEv2 does not negotiate the lifetime between the two peers,
so the ASA's lifetime does not expire, but the other peer's does; then the other peer tries to negotiate the new child SA, but the ASA has unlimited and refuses.
So can you configure the other peer's lifetime?

Hi,

Not sure if you understood correctly:

lifetime seconds 14400 -> on both sides the same

lifetime kilobytes -> not supported on other side, so no default value (will never rekey after a certain amount of data is reached = unlimited)
Therefore we can't leave it on our side to default (4 608 000 KB) or set to some value, but need to set it to "unlimited" in order to work.

So both sides are configured the same (time 14400 and KB "unlimited") and theoretically shouldn't have problems.

OK, if you are sure the KB is unlimited,
check the VPN-Session-Timeout, which Cisco recommends to be NONE.

Peter Koltl
Level 7

The lifetime seconds values do not have to be equal in IKEv2. Either peer can initiate a key renegotiation. In fact, you should avoid using equal values, as the process will start on both sides asynchronously; it is unpredictable which peer starts it, and the peer states might collide.

If one of the peers uses a shorter lifetime, the renegotiation is always started by that peer. You should test both alternatives and find out which case fails.

I had similar IKEv2 interoperability issues and an ASA software upgrade was the solution after long debugging.
