Re: IKEv2 Negotiation aborted due to ERROR: Create child exchange fail

lwoods2 · ‎12-13-2019

We have a client that we are moving from a policy based to route-based l2l IPsec VPN. The tunnel will come up but during a rekey attempt the tunnel will stop passing traffic. We see the following message in our Cisco firewall log.

%ASA-4-750003: Local:x.x.x.x:500 Remote:y.y.y.y:500 Username:y.y.y.y IKEv2 Negotiation aborted due to ERROR: Create child exchange failed

To get traffic flowing again, we have to reset the tunnel at both ends.

The platform the client is using is a Versa 810 FlexVNF. We are running 9.9(2)32 code. We have verified that all parameters match. A connection to a ASA at this same client site doesn't have any issues.

Any ideas what to look at?

ADASupport · ‎02-24-2020

I am seeing a similar issue with a VPN to Azure.

%ASA-4-750003: Local:x.x.x.x:500 Remote:x.x.x.x:500 Username:x.x.x.x IKEv2 Negotiation aborted due to ERROR: Platform errors

Sheraz.Salim · ‎02-24-2020

can you run the debug command and share the output.

logging buffered debugging
logging buffer-size 2034678

!

capture VPN type isakmp interface outside match ip host (your outside ip-add) host x.x.x.x (remote-peer-ip)

!

debug crypto condition peer x.x.x.x

debug crypto ipsec 127

debug crypto ikev2 platform 127

debug crypto ikev2 protocol 127

!

please do not forget to rate.

peter.matuska1 · ‎03-10-2021

any update?

spjeffgricus · ‎10-01-2022

Our problem was resolved with a careful inspection of the match ACL's on both ends of the tunnel. In our case, overlapping subnets were causing a problem.