Solved: IKEv2 Negotiation aborted due to ERROR: Failed find a matching policy

joandwifi · ‎03-17-2024

I have a problem with the ipsec tunnel with Huawei equipment.
The tunnel goes up, works for a while, but then it collapses.
In the logs, I see a policy error, however, on the ASA side, I have other tunnels established, all working, but I can't understand what the problem is.

Info:

show vpn-sessiondb l2l filter ipaddress "huawei"

Session Type: LAN-to-LAN

Connection : DefaultL2LGroup

Index : 204123 IP Addr : huawei

Protocol : IKEv2 IPsec

Encryption : IKEv2: (1)AES256 IPsec: (10)AES256

Hashing : IKEv2: (1)SHA256 IPsec: (10)SHA256

Bytes Tx : 101492094966 Bytes Rx : 9650906125

Login Time : 17:46:04 BRT Fri Mar 15 2024

Duration : 6h:34m:28s

Depuração:

IKEv2-PLAT-5: (13746): SENT PKT [CREATE_CHILD_SA] ["x.x.ASA"]:500->["x.x.Huawei"]:500 InitSPI=0x381d660d41a6c10d RespSPI=0x2bf1b3e66a5e09b2 MID=0000057b
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057B CurState: CHILD_R_DONE Event: EV_FAIL
IKEv2-PROTO-2: (13746): Create child exchange failed
IKEv2-PROTO-4: (13746): IPSec SA create failed
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057B CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (13746): Sent response with message id 1403, Requests can be accepted from range 1404 to 1404
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057B CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057B CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (13746): Abort exchange
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57b
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057A CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57a

IKEv2 Recv RAW packet dump
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 25 08 00 00 05 7b 00 00 00 50 29 00 00 34 | . %....{...P)..4
c5 04 c5 97 d9 21 83 d5 1c a0 c4 1f 2e 21 cf 40 | .....!.......!.@
60 86 9c 0a 8c 17 ce 57 bc 44 ec 18 a6 ff 15 69 | `......W.D.....i
2c fa 77 12 61 ce dc 7f d0 d2 e2 f9 3c 58 32 98 | ,.w.a.....<X2.
IKEv2-PROTO-7: (13746): Request has mess_id 1403; expected 1404 through 1404

IKEv2-PROTO-2: (13746): Failed to calculate packet hash
IKEv2-PROTO-2: (13746): Failed to calculate packet hash

IKEv2-PROTO-4: Received Packet [From "x.x.Huawei":500/To "x.x.ASA":500/VRF i0:f0]
Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1403
IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 1403, length: 80

IKEv2 Recv RAW packet dump
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 24 08 00 00 05 7c 00 00 01 80 29 00 01 64 | . $....|....)..d
9f cb 8f 89 d5 47 59 bf f7 1f 02 b3 79 f6 f1 6d | .....GY.....y..m
ee 52 20 61 8c a6 60 b8 f2 80 0c b3 1d 20 4d dd | .R a..`...... M.
1a a9 d1 5f 9f e2 8e 8d d0 92 ea 4e e0 1a e4 78 | ..._.......N...x
32 b8 eb 66 9c 88 5c 5a 2e 5a 6b 14 69 4b 90 ce | 2..f..\Z.Zk.iK..
03 7b f5 eb 5e cd 36 f4 cf 2c 95 b3 aa c6 9d 61 | .{..^.6..,.....a
19 6b 0b 60 05 83 fe 38 41 3b 6b 47 08 79 bd 63 | .k.`...8A;kG.y.c
97 b9 9e 6d 71 10 b8 89 52 47 8e 66 0b 0d d5 a3 | ...mq...RG.f....
e1 ac ef 54 87 31 35 16 a6 0c 1b 5e 4e 31 1c ac | ...T.15....^N1..
0a 9c 5d 50 82 2b 8b 36 57 14 01 7f 4f bb a3 a7 | ..]P.+.6W.O...
51 fa 33 1c 08 32 cc 37 11 2c f8 8a b2 fb 14 de | Q.3..2.7.,......
d8 7a 54 9a 7e ec b8 f8 e4 c2 9a 0f 22 47 c4 ed | .zT.~......."G..
56 38 b1 62 5c d9 58 94 c3 69 b5 67 51 e6 6a 11 | V8.b\.X..i.gQ.j.
40 19 e7 b6 81 e4 2f 68 9d 49 62 29 37 1b c1 39 | @...../h.Ib)7..9
4a ca bd 5f 63 1c 76 0f 38 95 e7 98 20 1e 8b 96 | J.._c.v.8... ...
67 3e cb e5 82 36 4e 68 75 d0 d8 72 38 42 11 da | g>...6Nhu..r8B..
23 5c 5c 2b 73 98 62 56 b8 72 6f 5e 6c 9b e3 96 | #\\+s.bV.ro^l...
c9 12 6a cd 82 a6 0f d1 6c 64 65 e5 52 3e c0 c8 | ..j.....lde.R>..
db 85 87 b3 be e7 96 df 0b 17 a7 ed 08 43 76 f4 | .............Cv.
17 8e 67 6d 44 0e 77 38 df 2f 1b 28 48 60 60 a1 | ..gmD.w8./.(H``.
6e 4a 5f a3 db 7d dc 8a 09 0f 17 59 d2 f4 d7 fc | nJ_..}.....Y....
63 37 12 18 61 c4 e0 69 90 2a 42 c9 b4 ea 42 c7 | c7..a..i.*B...B.
c8 d6 3e b3 b7 b7 a2 9f 01 be cc a1 5a a8 3b b6 | ..>.........Z.;.
IKEv2-PROTO-7: (13746): Request has mess_id 1404; expected 1404 through 1404

(13746):
IKEv2-PROTO-4: (13746): Received Packet [From "x.x.Huawei":500/To "x.x.ASA":500/VRF i0:f0]
(13746): Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1404
(13746): IKEv2 CREATE_CHILD_SA Exchange REQUESTIKEv2-PROTO-5: (13746): Next payload: ENCR, version: 2.0 (13746): Exchange type: CREATE_CHILD_SA, flags: INITIATOR (13746): Message id: 1404, length: 384(13746):
Payload contents:
(13746):
(13746): Decrypted packet:(13746): Data: 384 bytes
IKEv2-PLAT-4: (13746): Decrypt success status returned via ipc 1
(13746): REAL Decrypted packet:(13746): Data: 312 bytes
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: READY Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_INIT Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (13746): Validating create child message
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_INIT Event: EV_CHK_CC_TYPE
IKEv2-PROTO-4: (13746): Check for create child response message type
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_PROC_MSG
IKEv2-PROTO-4: (13746): Processing CREATE_CHILD_SA exchange
IKEv2-PLAT-4: (13746): Crypto Map: no match on map outside_vpn seq 1. remote selector not allowed to be ANY
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-2: (13746): Received Policies:
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-2: (13746): Expected Policies:
IKEv2-PROTO-7: (13746): Failed to verify the proposed policies
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-4: (13746): Sending no proposal chosen notify
IKEv2-PROTO-4: (13746): Building packet for encryption.
(13746):
Payload contents:
(13746): NOTIFY(NO_PROPOSAL_CHOSEN)(13746): Next payload: NONE, reserved: 0x0, length: 8
(13746): Security protocol id: ESP, spi size: 0, type: NO_PROPOSAL_CHOSEN
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_NO_EVENT
IKEv2-PROTO-7: (13746): Locked SA.Event EV_FREE_NEG queued in the state EXIT
IKEv2-PLAT-4: (13746): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_IPSEC Event: EV_TRYSEND
(13746):
IKEv2-PROTO-4: (13746): Sending Packet [To "x.x.Huawei":500/From "x.x.ASA":500/VRF i0:f0]
(13746): Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1404
(13746): IKEv2 CREATE_CHILD_SA Exchange RESPONSEIKEv2-PROTO-5: (13746): Next payload: ENCR, version: 2.0 (13746): Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE (13746): Message id: 1404, length: 80(13746):
Payload contents:
(13746): ENCR(13746): Next payload: NOTIFY, reserved: 0x0, length: 52
(13746): Encrypted data: 48 bytes
(13746):
IKEv2-PLAT-5: (13746): SENT PKT [CREATE_CHILD_SA] ["x.x.ASA"]:500->["x.x.Huawei"]:500 InitSPI=0x381d660d41a6c10d RespSPI=0x2bf1b3e66a5e09b2 MID=0000057c
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: CHILD_R_DONE Event: EV_FAIL
IKEv2-PROTO-2: (13746): Create child exchange failed
IKEv2-PROTO-4: (13746): IPSec SA create failed
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (13746): Sent response with message id 1404, Requests can be accepted from range 1405 to 1405
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (13746): Abort exchange
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57c
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057B CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57b

IKEv2 Recv RAW packet dump
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 25 08 00 00 05 7c 00 00 00 50 29 00 00 34 | . %....|...P)..4
c5 04 c5 97 d9 21 83 d5 1c a0 c4 1f 2e 21 cf 40 | .....!.......!.@
60 86 9c 0a 8c 17 ce 57 bc 44 ec 18 a6 ff 15 69 | `......W.D.....i
52 ab 7f 42 30 d6 02 b5 31 72 e3 f8 d6 4d 16 a0 | RB0...1r...M..
IKEv2-PROTO-7: (13746): Request has mess_id 1404; expected 1405 through 1405

IKEv2-PROTO-2: (13746): Failed to calculate packet hash
IKEv2-PROTO-2: (13746): Failed to calculate packet hash

IKEv2-PROTO-4: Received Packet [From "x.x.Huawei":500/To "x.x.ASA":500/VRF i0:f0]
Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1404
IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 1404, length: 80IKEv2-PROTO-7: (13746): Restarting DPD timer 20 secs

IKEv2 Recv RAW packet dump
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 24 08 00 00 05 7d 00 00 01 80 29 00 01 64 | . $....}....)..d
9f cb 8f 89 d5 47 59 bf f7 1f 02 b3 79 f6 f1 6d | .....GY.....y..m
ee 52 20 61 8c a6 60 b8 f2 80 0c b3 1d 20 4d dd | .R a..`...... M.
c6 32 e2 21 13 49 d4 12 55 0d 33 59 b4 60 19 e6 | .2.!.I..U.3Y.`..
3c 3c 58 c5 29 10 0d 06 37 ce c9 bb 66 18 9b 80 | <<X.)...7...f...
2c c8 d7 cf e8 36 3f 78 5d 91 5d ed f6 d4 4d d1 | ,....6?x].]...M.
fa 7a f5 9d 8c ba bb 69 22 ce a7 34 79 84 5f f4 | .z.....i"..4y._.
f8 92 9c 33 92 11 31 47 d9 61 cd e3 fe 0e de 1c | ...3..1G.a......
a2 e6 43 41 92 cf 88 b9 b3 0e 8b 2e 12 98 ae b0 | ..CA............
bb 42 5c 27 51 dc 44 1c a1 51 f6 7c 93 ba 73 e8 | .B\'Q.D..Q.|..s.
01 5a 9c af 90 3e 22 83 7e 9e e9 5a 1a 20 ee 37 | .Z...>".~..Z. .7
5c 0d 84 0c c5 37 c4 55 3c ee 3b 94 a4 8e 5d 13 | \....7.U<.;...].
5c fb da 74 7c b3 a5 43 53 02 d7 b8 89 b9 9c 01 | \..t|..CS.......
a9 b6 f4 6a 4c 80 72 48 32 3d 12 2e 7f 47 e3 4a | ...jL.rH2=.G.J
ac 78 67 bd e8 c8 ed 9e fb 33 73 11 24 65 22 5d | .xg......3s.$e"]
e9 fa 2c 26 22 bc da e2 c8 8d fa d2 3c 33 db 23 | ..,&".......<3.#
dd 27 7a 5a f9 5a 54 6c 0b da 28 56 50 f1 95 4a | .'zZ.ZTl..(VP..J
ca 35 cb 0c 57 5f 58 8a 8d 66 ef 73 cf 1f 9a 1a | .5..W_X..f.s....
2d 35 75 cd 22 df b7 3a d3 d8 e0 d8 1d 7c 99 46 | -5u."..:.....|.F
f1 26 72 04 5f 07 d2 c7 60 3d b8 e0 fc 98 b4 72 | .&r._...`=.....r
84 5b c9 a5 53 5a 74 84 88 35 9d 36 54 17 94 64 | .[..SZt..5.6T..d
09 66 2e a5 c1 df 13 09 76 02 b2 eb 02 9d 34 af | .f......v.....4.
a5 fe d2 26 dd 51 9b a2 da 74 2a e4 17 f7 b9 06 | ...&.Q...t*.....
IKEv2-PROTO-7: (13746): Request has mess_id 1405; expected 1405 through 1405

(13746):
IKEv2-PROTO-4: (13746): Received Packet [From "x.x.Huawei":500/To "x.x.ASA":500/VRF i0:f0]
(13746): Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1405
(13746): IKEv2 CREATE_CHILD_SA Exchange REQUESTIKEv2-PROTO-5: (13746): Next payload: ENCR, version: 2.0 (13746): Exchange type: CREATE_CHILD_SA, flags: INITIATOR (13746): Message id: 1405, length: 384(13746):
Payload contents:
(13746):
(13746): Decrypted packet:(13746): Data: 384 bytes
IKEv2-PLAT-4: (13746): Decrypt success status returned via ipc 1
(13746): REAL Decrypted packet:(13746): Data: 312 bytes
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: READY Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_INIT Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (13746): Validating create child message
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_INIT Event: EV_CHK_CC_TYPE
IKEv2-PROTO-4: (13746): Check for create child response message type
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_PROC_MSG
IKEv2-PROTO-4: (13746): Processing CREATE_CHILD_SA exchange
IKEv2-PLAT-4: (13746): Crypto Map: no match on map outside_vpn seq 1. remote selector not allowed to be ANY
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-2: (13746): Received Policies:
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-2: (13746): Expected Policies:
IKEv2-PROTO-7: (13746): Failed to verify the proposed policies
IKEv2-PROTO-2: (13746): Failed to find a matching policy
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-4: (13746): Sending no proposal chosen notify
IKEv2-PROTO-4: (13746): Building packet for encryption.
(13746):
Payload contents:
(13746): NOTIFY(NO_PROPOSAL_CHOSEN)(13746): Next payload: NONE, reserved: 0x0, length: 8
(13746): Security protocol id: ESP, spi size: 0, type: NO_PROPOSAL_CHOSEN
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_NO_EVENT
IKEv2-PROTO-7: (13746): Locked SA.Event EV_FREE_NEG queued in the state EXIT
IKEv2-PLAT-4: (13746): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (13746): Action: Action_Null
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_IPSEC Event: EV_TRYSEND
(13746):
IKEv2-PROTO-4: (13746): Sending Packet [To "x.x.Huawei":500/From "x.x.ASA":500/VRF i0:f0]
(13746): Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1405
(13746): IKEv2 CREATE_CHILD_SA Exchange RESPONSEIKEv2-PROTO-5: (13746): Next payload: ENCR, version: 2.0 (13746): Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE (13746): Message id: 1405, length: 80(13746):
Payload contents:
(13746): ENCR(13746): Next payload: NOTIFY, reserved: 0x0, length: 52
(13746): Encrypted data: 48 bytes
(13746):
IKEv2-PLAT-5: (13746): SENT PKT [CREATE_CHILD_SA] ["x.x.ASA"]:500->["x.x.Huawei"]:500 InitSPI=0x381d660d41a6c10d RespSPI=0x2bf1b3e66a5e09b2 MID=0000057d
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: CHILD_R_DONE Event: EV_FAIL
IKEv2-PROTO-2: (13746): Create child exchange failed
IKEv2-PROTO-4: (13746): IPSec SA create failed
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (13746): Sent response with message id 1405, Requests can be accepted from range 1406 to 1406
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057D CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (13746): Abort exchange
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57d
IKEv2-PROTO-7: (13746): SM Trace-> SA: I_SPI=381D660D41A6C10D R_SPI=2BF1B3E66A5E09B2 (R) MsgID = 0000057C CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (13746): Deleting negotiation context for peer message ID: 0x57c

IKEv2 Recv RAW packet dump
38 1d 66 0d 41 a6 c1 0d 2b f1 b3 e6 6a 5e 09 b2 | 8.f.A...+...j^..
2e 20 25 08 00 00 05 7d 00 00 00 50 29 00 00 34 | . %....}...P)..4
c5 04 c5 97 d9 21 83 d5 1c a0 c4 1f 2e 21 cf 40 | .....!.......!.@
60 86 9c 0a 8c 17 ce 57 bc 44 ec 18 a6 ff 15 69 | `......W.D.....i
d8 a4 51 a1 64 fe be 5b 0c 72 c5 8d 29 4a 5f b2 | ..Q.d..[.r..)J_.
IKEv2-PROTO-7: (13746): Request has mess_id 1405; expected 1406 through 1406

IKEv2-PROTO-2: (13746): Failed to calculate packet hash
IKEv2-PROTO-2: (13746): Failed to calculate packet hash

IKEv2-PROTO-4: Received Packet [From "x.x.Huawei":500/To "x.x.ASA":500/VRF i0:f0]
Initiator SPI : 381D660D41A6C10D - Responder SPI : 2BF1B3E66A5E09B2 Message id: 1405
IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 1405, length: 80

Any suggestions as to what might be happening?

MHM Cisco World · ‎03-17-2024

I run lab two case
Case1
the ASA (run dynamic) with remote R3 use ACL from 20.0.0.0 to 5.0.0.0 (behind ASA) and it work

Case2
the ASA (run dynamic) with remote R3 with ACL from 0.0.0.0 to 5.0.0.0 (behind ASA) and it NOT WORK

so your issue is Huawei use ACL with 0.0.0.0 as remote LAN.

View solution in original post

MHM Cisco World · ‎03-17-2024

show crypto session
show crypto ikev2 sa detail
show crypto ikev2 ipsec sa

share output of above

MHM

joandwifi · ‎03-17-2024

Hello @MHM Cisco World

Unfortunately the "show crypto session" command did not work

ASAR/vpn# show crypto session
^
ERROR: % Invalid input detected at '^' marker.
ASA/vpn# show crypto ?

accelerator Show accelerator operational data
ca Show certification authority policy
debug-condition Show crypto debug filters
ikev1 Show IKEv1 operational data
ikev2 Show IKEv2 operational data
ipsec Show IPsec operational data
isakmp Show ISAKMP operational data
key Show long term public keys
protocol Show protocol statistics
ssl Show ssl information

------------------------------------------

ASA/vpn# show crypto ikev2 sa de

IKEv2 SAs:

Session-id:491968, Status:UP-ACTIVE, IKE count:1, CHILD count:10

Tunnel-id Local Remote Status Role
2130608063 *ASA*/500 *huawei*/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/9480 sec
Session-id: 491968
Status Description: Negotiation done
Local spi: EB21FCF0FA9ED48D Remote spi: 98EB4F7793AFD319
Local id: ASA
Remote id: Huawei

Local req mess id: 36 Remote req mess id: 1095
Local next mess id: 36 Remote next mess id: 1095
Local req queued: 36 Remote req queued: 1095
Local window: 1 Remote window: 30
DPD configured for 20 seconds, retry 6
NAT-T is not detected
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
Parent SA Extended Status:
Delete in progress: FALSE
Marked for delete: FALSE
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.118.246.80/0 - 10.118.246.95/65535
ESP spi in/out: 0xe9b20504/0x1b5c7ad4
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.225.87.32/0 - 10.225.87.47/65535
ESP spi in/out: 0xe972d49a/0x8a2a5ba
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.230.198.52/0 - 10.230.198.52/65535
ESP spi in/out: 0x3054f585/0x9dfa554d
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.122.236.176/0 - 10.122.236.183/65535
ESP spi in/out: 0xaafc8914/0x52f33efb
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.122.236.168/0 - 10.122.236.175/65535
ESP spi in/out: 0x93a2d42d/0xfbf26901
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.122.236.184/0 - 10.122.236.191/65535
ESP spi in/out: 0x625d0db7/0x57c0acf2
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.122.236.160/0 - 10.122.236.167/65535
ESP spi in/out: 0x7c0b0c40/0xcd6fc577
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 10.161.0.56/0 - 10.161.0.56/65535
remote selector 10.230.198.52/0 - 10.230.198.52/65535
ESP spi in/out: 0x6cbe13c8/0xf1576e43
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 10.220.32.128/0 - 10.220.32.159/65535
remote selector 10.230.198.52/0 - 10.230.198.52/65535
ESP spi in/out: 0xf0bd82ab/0x88892d90
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector 10.116.0.32/0 - 10.116.0.32/65535
remote selector 10.230.198.52/0 - 10.230.198.52/65535
ESP spi in/out: 0x6e85b485/0x46138ee4
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

-------------------------------------------------

SA/vpn# show crypto ipsec sa
interface: outside
Crypto map tag: outside_vpn, seq num: 1, local addr: "x.x.ASA"

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.225.87.32/255.255.255.240/0/0)
current_peer: "x.x.Huawei"

#pkts encaps: 8463, #pkts encrypt: 8463, #pkts digest: 8463
#pkts decaps: 8675, #pkts decrypt: 8675, #pkts verify: 8675
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8463, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: "x.x.ASA"/500, remote crypto endpt.: "x.x.Huawei"/500
path mtu 1472, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 08A2A5BA
current inbound spi : E972D49A

inbound esp sas:
spi: 0xE972D49A (3916616858)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 84289
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0x7FFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x08A2A5BA (144876986)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 205942, crypto-map: outside_vpn
sa timing: remaining key lifetime (sec): 84289
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000