03-17-2024 08:12 AM
I have a problem with an IPsec tunnel to Huawei equipment.
The tunnel comes up and works for a while, but then it collapses.
In the logs I see a policy error; however, on the ASA side I have other tunnels established and all working, and I can't understand what the problem is.
Info:
show vpn-sessiondb l2l filter ipaddress "huawei"
Session Type: LAN-to-LAN
Connection : DefaultL2LGroup
Index : 204123 IP Addr : huawei
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (10)AES256
Hashing : IKEv2: (1)SHA256 IPsec: (10)SHA256
Bytes Tx : 101492094966 Bytes Rx : 9650906125
Login Time : 17:46:04 BRT Fri Mar 15 2024
Duration : 6h:34m:28s
Debug:
IKEv2-PLAT-5: (13746): SENT PKT [CREATE_CHILD_SA] ["x.x.ASA"]:500->["x.x.Huawei"]:500 InitSPI=0x381d660d41a6c10d RespSPI=0x2bf1b3e66a5e09b2 MID=0000057b
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057B CurState: CHILD_R_DONE Event: EV_FAIL
IKEv2-PROTO-2: (13746): Create child exchange failed
IKEv2-PROTO-4: (13746): IPSec SA create failed
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057B CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (13746): Sent response with message id 1403, Requests can be accepted from range 1404 to 1404
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057B CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057B CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (13746): Abort exchange
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57b
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057A CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57a
IKEv2 Recv RAW packet dump
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 25 08 00 00 05 7b 00 00 00 50 29 00 00 34 | . %....{...P)..4
c5 04 c5 97 d9 21 83 d5 1c a0 c4 1f 2e 21 cf 40 | .....!.......!.@
60 86 9c 0a 8c 17 ce 57 bc 44 ec 18 a6 ff 15 69 | `......W.D.....i
2c fa 77 12 61 ce dc 7f d0 d2 e2 f9 3c 58 32 98 | ,.w.a.....<X2.
IKEv2-PROTO-7: (13746): Request has mess_id 1403; expected 1404 through 1404
IKEv2-PROTO-2: (13746): Failed to calculate packet hash
IKEv2-PROTO-2: (13746): Failed to calculate packet hash
IKEv2-PROTO-4: Received Packet [From "x.x.Huawei":500/To "x.x.ASA":500/VRF i0:f0]
Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1403
IKEv2 INFORMATIONAL Exchange REQUEST
IKEv2-PROTO-5: Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 1403, length: 80
IKEv2 Recv RAW packet dump
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 24 08 00 00 05 7c 00 00 01 80 29 00 01 64 | . $....|....)..d
9f cb 8f 89 d5 47 59 bf f7 1f 02 b3 79 f6 f1 6d | .....GY.....y..m
ee 52 20 61 8c a6 60 b8 f2 80 0c b3 1d 20 4d dd | .R a..`...... M.
1a a9 d1 5f 9f e2 8e 8d d0 92 ea 4e e0 1a e4 78 | ..._.......N...x
32 b8 eb 66 9c 88 5c 5a 2e 5a 6b 14 69 4b 90 ce | 2..f..\Z.Zk.iK..
03 7b f5 eb 5e cd 36 f4 cf 2c 95 b3 aa c6 9d 61 | .{..^.6..,.....a
19 6b 0b 60 05 83 fe 38 41 3b 6b 47 08 79 bd 63 | .k.`...8A;kG.y.c
97 b9 9e 6d 71 10 b8 89 52 47 8e 66 0b 0d d5 a3 | ...mq...RG.f....
e1 ac ef 54 87 31 35 16 a6 0c 1b 5e 4e 31 1c ac | ...T.15....^N1..
0a 9c 5d 50 82 2b 8b 36 57 14 01 7f 4f bb a3 a7 | ..]P.+.6W.O...
51 fa 33 1c 08 32 cc 37 11 2c f8 8a b2 fb 14 de | Q.3..2.7.,......
d8 7a 54 9a 7e ec b8 f8 e4 c2 9a 0f 22 47 c4 ed | .zT.~......."G..
56 38 b1 62 5c d9 58 94 c3 69 b5 67 51 e6 6a 11 | V8.b\.X..i.gQ.j.
40 19 e7 b6 81 e4 2f 68 9d 49 62 29 37 1b c1 39 | @...../h.Ib)7..9
4a ca bd 5f 63 1c 76 0f 38 95 e7 98 20 1e 8b 96 | J.._c.v.8... ...
67 3e cb e5 82 36 4e 68 75 d0 d8 72 38 42 11 da | g>...6Nhu..r8B..
23 5c 5c 2b 73 98 62 56 b8 72 6f 5e 6c 9b e3 96 | #\\+s.bV.ro^l...
c9 12 6a cd 82 a6 0f d1 6c 64 65 e5 52 3e c0 c8 | ..j.....lde.R>..
db 85 87 b3 be e7 96 df 0b 17 a7 ed 08 43 76 f4 | .............Cv.
17 8e 67 6d 44 0e 77 38 df 2f 1b 28 48 60 60 a1 | ..gmD.w8./.(H``.
6e 4a 5f a3 db 7d dc 8a 09 0f 17 59 d2 f4 d7 fc | nJ_..}.....Y....
63 37 12 18 61 c4 e0 69 90 2a 42 c9 b4 ea 42 c7 | c7..a..i.*B...B.
c8 d6 3e b3 b7 b7 a2 9f 01 be cc a1 5a a8 3b b6 | ..>.........Z.;.
IKEv2-PROTO-7: (13746): Request has mess_id 1404; expected 1404 through 1404
(13746):
IKEv2-PROTO-4: (13746): Received Packet [From "x.x.Huawei":500/To "x.x.ASA":500/VRF i0:f0]
(13746): Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1404
(13746): IKEv2 CREATE_CHILD_SA Exchange REQUEST
IKEv2-PROTO-5: (13746): Next payload: ENCR, version: 2.0 (13746): Exchange type: CREATE_CHILD_SA, flags: INITIATOR (13746): Message id: 1404, length: 384
(13746):
Payload contents:
(13746):
(13746): Decrypted packet:(13746): Data: 384 bytes
IKEv2-PLAT-4: (13746): Decrypt success status returned via ipc 1
(13746): REAL Decrypted packet:(13746): Data: 312 bytes
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: READY Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_INIT Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (13746): Validating create child message
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_INIT Event: EV_CHK_CC_TYPE
IKEv2-PROTO-4: (13746): Check for create child response message type
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_PROC_MSG
IKEv2-PROTO-4: (13746): Processing CREATE_CHILD_SA exchange
IKEv2-PLAT-4: (13746): Crypto Map: no match on map outside_vpn seq 1. remote selector not allowed to be ANY
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-2: (13746): Received Policies:
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-2: (13746): Expected Policies:
IKEv2-PROTO-7: (13746): Failed to verify the proposed policies
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-4: (13746): Sending no proposal chosen notify
IKEv2-PROTO-4: (13746): Building packet for encryption.
(13746):
Payload contents:
(13746): NOTIFY(NO_PROPOSAL_CHOSEN)(13746): Next payload: NONE, reserved: 0x0, length: 8
(13746): Security protocol id: ESP, spi size: 0, type: NO_PROPOSAL_CHOSEN
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_NO_EVENT
IKEv2-PROTO-7: (13746): Locked SA.Event EV_FREE_NEG queued in the state EXIT
IKEv2-PLAT-4: (13746): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_TRYSEND
(13746):
IKEv2-PROTO-4: (13746): Sending Packet [To "x.x.Huawei":500/From "x.x.ASA":500/VRF i0:f0]
(13746): Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1404
(13746): IKEv2 CREATE_CHILD_SA Exchange RESPONSE
IKEv2-PROTO-5: (13746): Next payload: ENCR, version: 2.0 (13746): Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE (13746): Message id: 1404, length: 80
(13746):
Payload contents:
(13746): ENCR(13746): Next payload: NOTIFY, reserved: 0x0, length: 52
(13746): Encrypted data: 48 bytes
(13746):
IKEv2-PLAT-5: (13746): SENT PKT [CREATE_CHILD_SA] ["x.x.ASA"]:500->["x.x.Huawei"]:500 InitSPI=0x381d660d41a6c10d RespSPI=0x2bf1b3e66a5e09b2 MID=0000057c
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_DONE Event: EV_FAIL
IKEv2-PROTO-2: (13746): Create child exchange failed
IKEv2-PROTO-4: (13746): IPSec SA create failed
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (13746): Sent response with message id 1404, Requests can be accepted from range 1405 to 1405
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (13746): Abort exchange
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57c
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057B CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57b
IKEv2 Recv RAW packet dump
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 25 08 00 00 05 7c 00 00 00 50 29 00 00 34 | . %....|...P)..4
c5 04 c5 97 d9 21 83 d5 1c a0 c4 1f 2e 21 cf 40 | .....!.......!.@
60 86 9c 0a 8c 17 ce 57 bc 44 ec 18 a6 ff 15 69 | `......W.D.....i
52 ab 7f 42 30 d6 02 b5 31 72 e3 f8 d6 4d 16 a0 | RB0...1r...M..
IKEv2-PROTO-7: (13746): Request has mess_id 1404; expected 1405 through 1405
IKEv2-PROTO-2: (13746): Failed to calculate packet hash
IKEv2-PROTO-2: (13746): Failed to calculate packet hash
IKEv2-PROTO-4: Received Packet [From "x.x.Huawei":500/To "x.x.ASA":500/VRF i0:f0]
Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1404
IKEv2 INFORMATIONAL Exchange REQUEST
IKEv2-PROTO-5: Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 1404, length: 80
IKEv2-PROTO-7: (13746): Restarting DPD timer 20 secs
IKEv2 Recv RAW packet dump
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 24 08 00 00 05 7d 00 00 01 80 29 00 01 64 | . $....}....)..d
9f cb 8f 89 d5 47 59 bf f7 1f 02 b3 79 f6 f1 6d | .....GY.....y..m
ee 52 20 61 8c a6 60 b8 f2 80 0c b3 1d 20 4d dd | .R a..`...... M.
c6 32 e2 21 13 49 d4 12 55 0d 33 59 b4 60 19 e6 | .2.!.I..U.3Y.`..
3c 3c 58 c5 29 10 0d 06 37 ce c9 bb 66 18 9b 80 | <<X.)...7...f...
2c c8 d7 cf e8 36 3f 78 5d 91 5d ed f6 d4 4d d1 | ,....6?x].]...M.
fa 7a f5 9d 8c ba bb 69 22 ce a7 34 79 84 5f f4 | .z.....i"..4y._.
f8 92 9c 33 92 11 31 47 d9 61 cd e3 fe 0e de 1c | ...3..1G.a......
a2 e6 43 41 92 cf 88 b9 b3 0e 8b 2e 12 98 ae b0 | ..CA............
bb 42 5c 27 51 dc 44 1c a1 51 f6 7c 93 ba 73 e8 | .B\'Q.D..Q.|..s.
01 5a 9c af 90 3e 22 83 7e 9e e9 5a 1a 20 ee 37 | .Z...>".~..Z. .7
5c 0d 84 0c c5 37 c4 55 3c ee 3b 94 a4 8e 5d 13 | \....7.U<.;...].
5c fb da 74 7c b3 a5 43 53 02 d7 b8 89 b9 9c 01 | \..t|..CS.......
a9 b6 f4 6a 4c 80 72 48 32 3d 12 2e 7f 47 e3 4a | ...jL.rH2=.G.J
ac 78 67 bd e8 c8 ed 9e fb 33 73 11 24 65 22 5d | .xg......3s.$e"]
e9 fa 2c 26 22 bc da e2 c8 8d fa d2 3c 33 db 23 | ..,&".......<3.#
dd 27 7a 5a f9 5a 54 6c 0b da 28 56 50 f1 95 4a | .'zZ.ZTl..(VP..J
ca 35 cb 0c 57 5f 58 8a 8d 66 ef 73 cf 1f 9a 1a | .5..W_X..f.s....
2d 35 75 cd 22 df b7 3a d3 d8 e0 d8 1d 7c 99 46 | -5u."..:.....|.F
f1 26 72 04 5f 07 d2 c7 60 3d b8 e0 fc 98 b4 72 | .&r._...`=.....r
84 5b c9 a5 53 5a 74 84 88 35 9d 36 54 17 94 64 | .[..SZt..5.6T..d
09 66 2e a5 c1 df 13 09 76 02 b2 eb 02 9d 34 af | .f......v.....4.
a5 fe d2 26 dd 51 9b a2 da 74 2a e4 17 f7 b9 06 | ...&.Q...t*.....
IKEv2-PROTO-7: (13746): Request has mess_id 1405; expected 1405 through 1405
(13746):
IKEv2-PROTO-4: (13746): Received Packet [From "x.x.Huawei":500/To "x.x.ASA":500/VRF i0:f0]
(13746): Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1405
(13746): IKEv2 CREATE_CHILD_SA Exchange REQUEST
IKEv2-PROTO-5: (13746): Next payload: ENCR, version: 2.0 (13746): Exchange type: CREATE_CHILD_SA, flags: INITIATOR (13746): Message id: 1405, length: 384
(13746):
Payload contents:
(13746):
(13746): Decrypted packet:(13746): Data: 384 bytes
IKEv2-PLAT-4: (13746): Decrypt success status returned via ipc 1
(13746): REAL Decrypted packet:(13746): Data: 312 bytes
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: READY Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_INIT Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (13746): Validating create child message
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_INIT Event: EV_CHK_CC_TYPE
IKEv2-PROTO-4: (13746): Check for create child response message type
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_PROC_MSG
IKEv2-PROTO-4: (13746): Processing CREATE_CHILD_SA exchange
IKEv2-PLAT-4: (13746): Crypto Map: no match on map outside_vpn seq 1. remote selector not allowed to be ANY
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-2: (13746): Received Policies:
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-2: (13746): Expected Policies:
IKEv2-PROTO-7: (13746): Failed to verify the proposed policies
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-4: (13746): Sending no proposal chosen notify
IKEv2-PROTO-4: (13746): Building packet for encryption.
(13746):
Payload contents:
(13746): NOTIFY(NO_PROPOSAL_CHOSEN)(13746): Next payload: NONE, reserved: 0x0, length: 8
(13746): Security protocol id: ESP, spi size: 0, type: NO_PROPOSAL_CHOSEN
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_NO_EVENT
IKEv2-PROTO-7: (13746): Locked SA.Event EV_FREE_NEG queued in the state EXIT
IKEv2-PLAT-4: (13746): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_TRYSEND
(13746):
IKEv2-PROTO-4: (13746): Sending Packet [To "x.x.Huawei":500/From "x.x.ASA":500/VRF i0:f0]
(13746): Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1405
(13746): IKEv2 CREATE_CHILD_SA Exchange RESPONSE
IKEv2-PROTO-5: (13746): Next payload: ENCR, version: 2.0 (13746): Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE (13746): Message id: 1405, length: 80
(13746):
Payload contents:
(13746): ENCR(13746): Next payload: NOTIFY, reserved: 0x0, length: 52
(13746): Encrypted data: 48 bytes
(13746):
IKEv2-PLAT-5: (13746): SENT PKT [CREATE_CHILD_SA] ["x.x.ASA"]:500->["x.x.Huawei"]:500 InitSPI=0x381d660d41a6c10d RespSPI=0x2bf1b3e66a5e09b2 MID=0000057d
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_DONE Event: EV_FAIL
IKEv2-PROTO-2: (13746): Create child exchange failed
IKEv2-PROTO-4: (13746): IPSec SA create failed
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (13746): Sent response with message id 1405, Requests can be accepted from range 1406 to 1406
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (13746): Abort exchange
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57d
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57c
IKEv2 Recv RAW packet dump
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 25 08 00 00 05 7d 00 00 00 50 29 00 00 34 | . %....}...P)..4
c5 04 c5 97 d9 21 83 d5 1c a0 c4 1f 2e 21 cf 40 | .....!.......!.@
60 86 9c 0a 8c 17 ce 57 bc 44 ec 18 a6 ff 15 69 | `......W.D.....i
d8 a4 51 a1 64 fe be 5b 0c 72 c5 8d 29 4a 5f b2 | ..Q.d..[.r..)J_.
IKEv2-PROTO-7: (13746): Request has mess_id 1405; expected 1406 through 1406
IKEv2-PROTO-2: (13746): Failed to calculate packet hash
IKEv2-PROTO-2: (13746): Failed to calculate packet hash
IKEv2-PROTO-4: Received Packet [From "x.x.Huawei":500/To "x.x.ASA":500/VRF i0:f0]
Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1405
IKEv2 INFORMATIONAL Exchange REQUEST
IKEv2-PROTO-5: Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 1405, length: 80
Any suggestions as to what might be happening?
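The raw packet dumps in the debug above can be decoded by hand to confirm what the ASA's summary lines say about them: exchange type, direction flags, message ID and length, and how the ENCR (SK) payload splits into IV, ciphertext and integrity checksum. The decoder below is an added example and not part of the original post. The two dump fragments are copied from the debug above (the CREATE_CHILD_SA one cut to its first three lines, which is all the header decode needs); the IV and ICV sizes assume AES-CBC with HMAC-SHA-256-128, the transforms this session shows as negotiated (AES256 / SHA256).

```python
"""Decoder for the 'IKEv2 Recv RAW packet dump' lines in ASA 'debug crypto ikev2'.
Added example, not part of the original post. It reads the 28-byte IKE header
(RFC 7296 section 3.1) and the generic header of the first payload, then splits
the SK (encrypted) payload into IV, ciphertext and ICV. The IV/ICV sizes assume
AES-CBC with HMAC-SHA-256-128, which is what this session negotiated."""
import struct
from dataclasses import dataclass

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "NONE", 33: "SA", 34: "KE", 40: "NONCE", 41: "NOTIFY", 42: "DELETE",
                 44: "TSi", 45: "TSr", 46: "SK"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20


@dataclass
class IkeMessage:
    init_spi: str
    resp_spi: str
    exchange: str
    initiator: bool           # flag I: sent by the IKE SA's original initiator
    response: bool            # flag R: this is a response, not a request
    msg_id: int
    length: int               # total length claimed by the header
    first_payload: str        # payload following the IKE header ('ENCR' in ASA wording)
    inner_first_payload: str  # first payload inside SK, taken from the SK payload header
    sk_iv: str                # first 16 bytes of SK data: the CBC IV, sent in the clear
    sk_ciphertext_len: int    # bytes between IV and ICV, computed from the SK payload length


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse 'xx xx ... | ascii' lines; the gutter after the first '|' is ignored."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(tok, 16) for tok in line.split("|", 1)[0].split())
    return bytes(out)


def decode(pkt: bytes, iv_len: int = 16, icv_len: int = 16) -> IkeMessage:
    """Decode header fields; works on a dump cut off after the SK payload's IV."""
    if len(pkt) < 32 + iv_len:
        raise ValueError("need the IKE header, one payload header and the IV")
    ispi, rspi, np, ver, xchg, flags, mid, length = struct.unpack("!QQBBBBII", pkt[:28])
    if ver != 0x20:
        raise ValueError(f"not IKEv2 (version byte {ver:#x})")
    inner_np, _flags, plen = struct.unpack("!BBH", pkt[28:32])  # generic payload header
    return IkeMessage(
        init_spi=f"{ispi:016X}", resp_spi=f"{rspi:016X}",
        exchange=EXCHANGE_TYPES.get(xchg, f"type {xchg}"),
        initiator=bool(flags & FLAG_INITIATOR), response=bool(flags & FLAG_RESPONSE),
        msg_id=mid, length=length,
        first_payload=PAYLOAD_TYPES.get(np, f"type {np}"),
        inner_first_payload=PAYLOAD_TYPES.get(inner_np, f"type {inner_np}"),
        sk_iv=pkt[32:32 + iv_len].hex(),
        sk_ciphertext_len=plen - 4 - iv_len - icv_len,
    )


def window_status(msg: IkeMessage, expected_lo: int, expected_hi: int) -> str:
    """The check behind the ASA line 'Request has mess_id N; expected A through B'."""
    if msg.response:
        return "response"
    if msg.msg_id < expected_lo:
        return "below window: already answered"
    if msg.msg_id > expected_hi:
        return "above window"
    return "in window"


# Copied from the debug in the post: the INFORMATIONAL request with message ID 1403
# (complete, 80 bytes) and the first three lines of the CREATE_CHILD_SA request 1404.
INFORMATIONAL_1403 = """
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 25 08 00 00 05 7b 00 00 00 50 29 00 00 34 | . %....{...P)..4
c5 04 c5 97 d9 21 83 d5 1c a0 c4 1f 2e 21 cf 40 | .....!.......!.@
60 86 9c 0a 8c 17 ce 57 bc 44 ec 18 a6 ff 15 69 | `......W.D.....i
2c fa 77 12 61 ce dc 7f d0 d2 e2 f9 3c 58 32 98 | ,.w.a.....<X2.
"""
CREATE_CHILD_1404_HEAD = """
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 24 08 00 00 05 7c 00 00 01 80 29 00 01 64 | . $....|....)..d
9f cb 8f 89 d5 47 59 bf f7 1f 02 b3 79 f6 f1 6d | .....GY.....y..m
"""


def decode_both():
    """Decode the two embedded dumps; returns (informational, create_child)."""
    return (decode(hexdump_to_bytes(INFORMATIONAL_1403)),
            decode(hexdump_to_bytes(CREATE_CHILD_1404_HEAD)))


if __name__ == "__main__":
    for m in decode_both():
        print(m.exchange, "msg_id", m.msg_id, "len", m.length, "->", window_status(m, 1404, 1404))
```

Decoding all five dumps in the post shows the pattern the ASA reports in words: each INFORMATIONAL request carries the same message ID as the CREATE_CHILD_SA request the ASA has just answered with NO_PROPOSAL_CHOSEN (1403, 1404, 1405), so it falls below the window the ASA advertises ("expected 1404 through 1404") and no "Decrypt success" line follows it, unlike the CREATE_CHILD_SA requests. For the CREATE_CHILD_SA dump the SK payload length of 356 gives 320 ciphertext bytes; 320 minus 8 bytes of CBC padding is the 312 bytes the ASA prints as "REAL Decrypted packet". The `sk_iv` field also makes it easy to see that the three INFORMATIONAL dumps share one IV (c504c597...) and the two CREATE_CHILD_SA dumps share another, although a CBC IV is meant to be picked unpredictably for every message.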
03-17-2024 01:44 PM
I ran a lab with two cases.
Case 1
The ASA (running dynamic) with remote R3 using an ACL from 20.0.0.0 to 5.0.0.0 (behind the ASA), and it works.
Case 2
The ASA (running dynamic) with remote R3 using an ACL from 0.0.0.0 to 5.0.0.0 (behind the ASA), and it does NOT WORK.
So your issue is that the Huawei uses an ACL with 0.0.0.0 as the remote LAN.
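The two lab cases in this answer come down to how an IKEv2 responder treats the initiator's traffic selectors, which is easier to see as code. The model below is an added example, not ASA or Huawei code: it narrows the proposed TSi/TSr to the responder's configured networks as RFC 7296 section 2.9 describes, and adds the one extra rule the ASA debug line in the question names ("remote selector not allowed to be ANY") for the dynamic map. The /8 masks on the lab networks are assumptions (the answer gives the addresses without masks), as is the "any" local network on the ASA side, taken from the child SAs shown later in the thread, which all have local selector 0.0.0.0/0.

```python
"""Responder-side traffic-selector check for an IKEv2 CREATE_CHILD_SA request,
written to reproduce the two lab cases in the accepted answer. Added example; it
models the behaviour the ASA debug line describes and is not ASA or Huawei code."""
from ipaddress import IPv4Network, ip_network
from typing import NamedTuple, Optional

ANY = IPv4Network("0.0.0.0/0")


class Proposal(NamedTuple):
    tsi: IPv4Network  # initiator's own side; the ASA logs this as the 'remote selector'
    tsr: IPv4Network  # responder's side; the ASA logs this as the 'local selector'


class NoProposalChosen(Exception):
    """Corresponds to the NOTIFY(NO_PROPOSAL_CHOSEN) the ASA sends in the debug."""


def from_peer_acl(source: str, destination: str) -> Proposal:
    """A crypto ACL on the initiator (Huawei, or R3 in the lab): source is its
    local LAN, destination is the LAN behind the ASA. On the wire that becomes
    TSi = source and TSr = destination."""
    return Proposal(ip_network(source), ip_network(destination))


def narrow(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Intersection of two CIDR blocks: CIDRs either nest or are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def responder_select(proposal: Proposal, local_networks, dynamic_map: bool = True):
    """Return the (local_selector, remote_selector) pair the responder installs.

    dynamic_map=True adds the rule the ASA logged for its dynamic map in this
    thread: a remote selector of 0.0.0.0/0 is refused outright, since accepting
    it would steer every packet into one dynamically learned peer's tunnel.
    """
    if dynamic_map and proposal.tsi == ANY:
        raise NoProposalChosen("remote selector not allowed to be ANY")
    for local in local_networks:
        chosen = narrow(proposal.tsr, local)
        if chosen is not None:
            return chosen, proposal.tsi
    raise NoProposalChosen("no configured local network overlaps TSr")


# Lab case 1 from the answer: R3 ACL 20.0.0.0 -> 5.0.0.0 (masks assumed /8).
CASE1 = from_peer_acl("20.0.0.0/8", "5.0.0.0/8")
# Lab case 2: R3 ACL 0.0.0.0 -> 5.0.0.0, i.e. source 'any'.
CASE2 = from_peer_acl("0.0.0.0/0", "5.0.0.0/8")
# One of the Huawei child SAs that does work in the thread:
# remote selector 10.118.246.80-95, local selector 0.0.0.0/0.
WORKING = from_peer_acl("10.118.246.80/28", "0.0.0.0/0")
ASA_LOCAL = [ANY]  # local selector 0.0.0.0/0, as the child SAs in the thread show


def run_cases():
    """Evaluate each case; returns a dict of case name -> result or error text."""
    results = {}
    for name, prop in (("case1", CASE1), ("case2", CASE2), ("working", WORKING)):
        try:
            local, remote = responder_select(prop, ASA_LOCAL)
            results[name] = f"accepted: local {local} remote {remote}"
        except NoProposalChosen as exc:
            results[name] = f"NO_PROPOSAL_CHOSEN: {exc}"
    return results


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: {result}")
```

The fix on the initiator side follows from the model: the source of the peer's crypto ACL (its own LAN) must be a specific prefix, as it is for the child SAs that already work, while the destination may stay "any" because the ASA's local side is 0.0.0.0/0 and narrows to it.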
03-17-2024 08:22 AM
show crypto session
show crypto ikev2 sa detail
show crypto ikev2 ipsec sa
Share the output of the above.
MHM
03-17-2024 09:11 AM - edited 03-17-2024 09:12 AM
Hello @MHM Cisco World
Unfortunately, the "show crypto session" command did not work:
ASA/vpn# show crypto session
^
ERROR: % Invalid input detected at '^' marker.
ASA/vpn# show crypto ?
accelerator Show accelerator operational data
ca Show certification authority policy
debug-condition Show crypto debug filters
ikev1 Show IKEv1 operational data
ikev2 Show IKEv2 operational data
ipsec Show IPsec operational data
isakmp Show ISAKMP operational data
key Show long term public keys
protocol Show protocol statistics
ssl Show ssl information
------------------------------------------
ASA/vpn# show crypto ikev2 sa de
IKEv2 SAs:
Session-id:491968, Status:UP-ACTIVE, IKE count:1, CHILD count:10
Tunnel-id Local Remote Status Role
2130608063 *ASA*/500 *huawei*/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/9480 sec
Session-id: 491968
Status Description: Negotiation done
Local spi: EB21FCF0FA9ED48D Remote spi: 98EB4F7793AFD319
Local id: ASA
Remote id: Huawei
Local req mess id: 36 Remote req mess id: 1095
Local next mess id: 36 Remote next mess id: 1095
Local req queued: 36 Remote req queued: 1095
Local window: 1 Remote window: 30
DPD configured for 20 seconds, retry 6
NAT-T is not detected
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
Parent SA Extended Status:
Delete in progress: FALSE
Marked for delete: FALSE
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.118.246.80/0 - 10.118.246.95/65535
ESP spi in/out: 0xe9b20504/0x1b5c7ad4
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.225.87.32/0 - 10.225.87.47/65535
ESP spi in/out: 0xe972d49a/0x8a2a5ba
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.230.198.52/0 - 10.230.198.52/65535
ESP spi in/out: 0x3054f585/0x9dfa554d
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.122.236.176/0 - 10.122.236.183/65535
ESP spi in/out: 0xaafc8914/0x52f33efb
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.122.236.168/0 - 10.122.236.175/65535
ESP spi in/out: 0x93a2d42d/0xfbf26901
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.122.236.184/0 - 10.122.236.191/65535
ESP spi in/out: 0x625d0db7/0x57c0acf2
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.122.236.160/0 - 10.122.236.167/65535
ESP spi in/out: 0x7c0b0c40/0xcd6fc577
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 10.161.0.56/0 - 10.161.0.56/65535
remote selector 10.230.198.52/0 - 10.230.198.52/65535
ESP spi in/out: 0x6cbe13c8/0xf1576e43
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 10.220.32.128/0 - 10.220.32.159/65535
remote selector 10.230.198.52/0 - 10.230.198.52/65535
ESP spi in/out: 0xf0bd82ab/0x88892d90
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 10.116.0.32/0 - 10.116.0.32/65535
remote selector 10.230.198.52/0 - 10.230.198.52/65535
ESP spi in/out: 0x6e85b485/0x46138ee4
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
-------------------------------------------------
ASA/vpn# show crypto ipsec sa
interface: outside
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.225.87.32/255.255.255.240/0/0)
current_peer: "x.x.Huawei"
#pkts encaps: 8463, #pkts encrypt: 8463, #pkts digest: 8463
#pkts decaps: 8675, #pkts decrypt: 8675, #pkts verify: 8675
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8463, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 08A2A5BA
current inbound spi : E972D49A
inbound esp sas:
spi: 0xE972D49A (3916616858)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 84289
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0x7FFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x08A2A5BA (144876986)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 84289
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.118.246.80/255.255.255.240/0/0)
current_peer: "x.x.Huawei"
#pkts encaps: 26711565, #pkts encrypt: 35555630, #pkts digest: 35555630
#pkts decaps: 11106017, #pkts decrypt: 11106017, #pkts verify: 11106017
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 26711565, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 8773666, #pre-frag failures: 1191, #fragments created: 17547332
#PMTUs sent: 1191, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 205
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 2A3EABD0
current inbound spi : B5065D5F
inbound esp sas:
spi: 0xB5065D5F (3037093215)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 86340
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x2A3EABD0 (708750288)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 86339
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.122.236.168/255.255.255.248/0/0)
current_peer: "x.x.Huawei"
#pkts encaps: 2414, #pkts encrypt: 2414, #pkts digest: 2414
#pkts decaps: 3044, #pkts decrypt: 3044, #pkts verify: 3044
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2414, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: FBF26901
current inbound spi : 93A2D42D
inbound esp sas:
spi: 0x93A2D42D (2476921901)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83964
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFBE7FFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x00003FFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
outbound esp sas:
spi: 0xFBF26901 (4226967809)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83963
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.122.236.184/255.255.255.248/0/0)
current_peer: "x.x.Huawei"
#pkts encaps: 2362, #pkts encrypt: 2362, #pkts digest: 2362
#pkts decaps: 2968, #pkts decrypt: 2968, #pkts verify: 2968
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2362, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 57C0ACF2
current inbound spi : 625D0DB7
inbound esp sas:
spi: 0x625D0DB7 (1650265527)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83957
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x0000000F 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
outbound esp sas:
spi: 0x57C0ACF2 (1472244978)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83955
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.230.198.52/255.255.255.255/0/0)
current_peer: "x.x.Huawei"
#pkts encaps: 4511, #pkts encrypt: 4511, #pkts digest: 4511
#pkts decaps: 8604, #pkts decrypt: 8604, #pkts verify: 8604
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4511, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 9DFA554D
current inbound spi : 3054F585
inbound esp sas:
spi: 0x3054F585 (810874245)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83969
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFEFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFBFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9DFA554D (2650428749)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83968
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.122.236.160/255.255.255.248/0/0)
current_peer: "x.x.Huawei"
#pkts encaps: 2395, #pkts encrypt: 2395, #pkts digest: 2395
#pkts decaps: 3036, #pkts decrypt: 3036, #pkts verify: 3036
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2395, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CD6FC577
current inbound spi : 7C0B0C40
inbound esp sas:
spi: 0x7C0B0C40 (2081098816)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83949
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x00007FFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
outbound esp sas:
spi: 0xCD6FC577 (3446654327)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83948
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.122.236.176/255.255.255.248/0/0)
current_peer: "x.x.Huawei"
#pkts encaps: 2336, #pkts encrypt: 2336, #pkts digest: 2336
#pkts decaps: 2979, #pkts decrypt: 2979, #pkts verify: 2979
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2336, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 52F33EFB
current inbound spi : AAFC8914
inbound esp sas:
spi: 0xAAFC8914 (2868676884)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83956
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xBFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x0000003F 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
outbound esp sas:
spi: 0x52F33EFB (1391673083)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83955
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"
local ident (addr/mask/prot/port): (10.116.0.32/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.230.198.52/255.255.255.255/0/0)
current_peer: "x.x.Huawei"
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3325, #pkts decrypt: 3325, #pkts verify: 3325
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 46138EE4
current inbound spi : 6E85B485
inbound esp sas:
spi: 0x6E85B485 (1854256261)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83930
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x000000FF 0xFFFFFFEF 0xFFFFFFFF 0xFFFFFFFF
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
outbound esp sas:
spi: 0x46138EE4 (1175686884)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83930
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"
local ident (addr/mask/prot/port): (10.161.0.56/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.230.198.52/255.255.255.255/0/0)
current_peer: "x.x.Huawei"
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3307, #pkts decrypt: 3307, #pkts verify: 3307
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F1576E43
current inbound spi : 6CBE13C8
inbound esp sas:
spi: 0x6CBE13C8 (1824396232)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83938
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFEFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x00000007 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
outbound esp sas:
spi: 0xF1576E43 (4049038915)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83938
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"
local ident (addr/mask/prot/port): (10.220.32.128/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.230.198.52/255.255.255.255/0/0)
current_peer: "x.x.Huawei"
#pkts encaps: 9716, #pkts encrypt: 9716, #pkts digest: 9716
#pkts decaps: 9757, #pkts decrypt: 9757, #pkts verify: 9757
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9716, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 88892D90
current inbound spi : F0BD82AB
inbound esp sas:
spi: 0xF0BD82AB (4038951595)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83932
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFF7F 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x88892D90 (2290691472)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 83932
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
03-17-2024 09:38 AM
Are you running VTI or a crypto map between the two peers?
Can I see the ACL you use, if you use a crypto map?
03-17-2024 09:03 AM
IKEv2-PROTO-4: (13746): Processing CREATE_CHILD_SA exchange
IKEv2-PLAT-4: (13746): Crypto Map: no match on map outside_vpn seq 1. remote selector not allowed to be ANY
Most likely a misconfiguration. It appears that the crypto ACLs do not match between peers.
03-17-2024 09:55 AM
Hello @MHM Cisco World and @tvotna We use dynamic crypto-map:
ASA/vpn# show run access-list
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit icmp any any unreachable
access-list inside_access_in extended permit ip any4 any4
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
ASA/vpn# show run | inc outside_vpn
crypto dynamic-map outside_vpn 1 set pfs group2
crypto dynamic-map outside_vpn 1 set ikev2 ipsec-proposal secure
crypto dynamic-map outside_vpn 1 set security-association lifetime seconds 86400
crypto dynamic-map outside_vpn 1 set reverse-route
crypto map mymap 65000 ipsec-isakmp dynamic outside_vpn
Could it be an error in the proposal, or specifically in the ACL configuration on the other side?
03-17-2024 10:02 AM
Yes, I guessed that, but I needed to be sure; the dynamic map accepts any selector.
But I think there is something else.
ASA/vpn# show run | inc mymap <<- share this
thanks
MHM
03-17-2024 10:24 AM
Ok @MHM Cisco World, the issue is that it is only with this client, and I have no support from Huawei.
ASA/vpn# show run | in mymap
crypto map mymap 65000 ipsec-isakmp dynamic outside_vpn
crypto map mymap interface outside
03-17-2024 01:44 PM
I ran a lab with two cases.
Case 1
The ASA (running the dynamic map) with remote R3 using an ACL from 20.0.0.0 to 5.0.0.0 (behind the ASA), and it works.
Case 2
The ASA (running the dynamic map) with remote R3 using an ACL from 0.0.0.0 to 5.0.0.0 (behind the ASA), and it does NOT WORK.
So your issue is that Huawei uses an ACL with 0.0.0.0 as the remote LAN.
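Putting the thread's two findings into runnable form: tvotna's debug lines ("no match on map outside_vpn seq 1. remote selector not allowed to be ANY") and MHM's lab (a dynamic crypto map takes whatever selectors the peer proposes, except a peer-side selector of 0.0.0.0/0). The script below is an added example, not code from this thread, from Cisco or from Huawei. It models the selector rule, flags the failure trio in IKEv2 debug output, and parses the `show crypto ipsec sa` idents and packet counters so one-way flows (entries with `#pkts encaps: 0`, as seen for 10.116.0.32 and 10.161.0.56 above) stand out. Assumptions: the /8 prefix lengths for MHM's 20.0.0.0 and 5.0.0.0, the documentation addresses 192.0.2.1 and 198.51.100.7 standing in for "x.x.ASA" and "x.x.Huawei", and the sample output, which is constructed to match the shapes quoted in the thread.

```python
"""Added example: triage helpers for an ASA dynamic-crypto-map peer.
Not code from the thread, Cisco or Huawei; sample input is constructed."""
import ipaddress
import re
from dataclasses import dataclass

ANY4 = ipaddress.ip_network("0.0.0.0/0")


def dynamic_map_accepts(local_ts: str, remote_ts: str):
    """Model the rule the ASA debug states for a dynamic crypto map: with no
    crypto ACL of its own, the ASA takes the selectors the peer proposes,
    except a remote (peer-side) selector of ANY.  Assumption: the local side
    may be anything, which is what the lab (case 1 vs case 2) showed."""
    ipaddress.ip_network(local_ts, strict=False)  # syntax check only
    remote = ipaddress.ip_network(remote_ts, strict=False)
    if remote == ANY4:
        return False, "remote selector not allowed to be ANY"
    return True, "accepted by dynamic map"


# Debug substrings quoted in the thread and what each means to the operator.
FAIL_MARKERS = {
    "no match on map": "crypto map rejected the proposed selectors",
    "Create child exchange failed": "CREATE_CHILD_SA (new or rekeyed child SA) failed",
    "IPSec SA create failed": "no child SA was installed",
}
DEBUG_RE = re.compile(r"IKEv2-(?:PROTO|PLAT)-\d+: \((\d+)\): (.*)")


def triage_ikev2_debug(lines):
    """Return (session id, marker, meaning) for every debug line carrying one
    of the failure markers; all other lines are ignored."""
    hits = []
    for line in lines:
        m = DEBUG_RE.match(line.strip())
        if not m:
            continue
        sid, msg = m.groups()
        for marker, meaning in FAIL_MARKERS.items():
            if marker in msg:
                hits.append((sid, marker, meaning))
    return hits


@dataclass
class SaFlow:
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    encaps: int = 0
    decaps: int = 0


IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text: str):
    """Collect one SaFlow per crypto-map entry of `show crypto ipsec sa`:
    the two idents (proxy IDs) and the encaps/decaps packet counters."""
    flows, idents = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            idents[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        m = COUNT_RE.match(line)
        if not m:
            continue
        if m.group(1) == "encaps":
            flows.append(SaFlow(idents["local"], idents["remote"], encaps=int(m.group(2))))
        else:
            flows[-1].decaps = int(m.group(2))
    return flows


def one_way_flows(flows):
    """Entries that decrypt traffic but never encrypt any: the remote host is
    sending, but nothing behind the ASA answers through this SA."""
    return [f for f in flows if f.encaps == 0 and f.decaps > 0]


# Constructed sample shaped like the thread's `show crypto ipsec sa` output.
SAMPLE_SA = """\
Crypto map tag: outside_vpn, seq num: 1, local addr: 192.0.2.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.122.236.184/255.255.255.248/0/0)
current_peer: 198.51.100.7
#pkts encaps: 2362, #pkts encrypt: 2362, #pkts digest: 2362
#pkts decaps: 2968, #pkts decrypt: 2968, #pkts verify: 2968
Crypto map tag: outside_vpn, seq num: 1, local addr: 192.0.2.1
local ident (addr/mask/prot/port): (10.116.0.32/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.230.198.52/255.255.255.255/0/0)
current_peer: 198.51.100.7
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3325, #pkts decrypt: 3325, #pkts verify: 3325
"""

# Constructed debug lines shaped like the ones quoted in the thread.
SAMPLE_DEBUG = [
    "IKEv2-PROTO-4: (13746): Processing CREATE_CHILD_SA exchange",
    "IKEv2-PLAT-4: (13746): Crypto Map: no match on map outside_vpn seq 1. "
    "remote selector not allowed to be ANY",
    "IKEv2-PROTO-2: (13746): Create child exchange failed",
    "IKEv2-PROTO-4: (13746): IPSec SA create failed",
]

if __name__ == "__main__":
    # Lab cases from the thread, seen from the ASA: local = 5.0.0.0, remote = peer's LAN.
    for case, (loc, rem) in {"case1": ("5.0.0.0/8", "20.0.0.0/8"),
                             "case2": ("5.0.0.0/8", "0.0.0.0/0")}.items():
        print(case, dynamic_map_accepts(loc, rem))
    for hit in triage_ikev2_debug(SAMPLE_DEBUG):
        print(hit)
    for f in one_way_flows(parse_ipsec_sa(SAMPLE_SA)):
        print(f"one-way: {f.local} -> {f.remote} (decaps={f.decaps})")
```

Run it against a saved `show crypto ipsec sa` and `debug crypto ikev2` capture by replacing the constructed samples; the selector check is the part to compare with the peer's ACL, since a 0.0.0.0 source on the Huawei side is exactly the proposal the dynamic map refuses.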
03-17-2024 02:08 PM
Excellent, thanks for testing.
I will request Huawei's ACL settings and who it is targeting as the remote peer.
03-17-2024 02:12 PM
You are so, so welcome.
Can you please update me with Huawei's reply?
Good luck.
MHM