IKEv2 Session Drops with 'Process Delete Request from Peer' FLEXVPN

illznn
Level 1

Hello Cisco Community,

I am facing an issue with my Cisco ISR4331 router when attempting to establish an IKEv2/IPsec VPN connection (Windows AnyConnect client). After entering the login credentials, the session abruptly drops with the error:

IKEv2:(SESSION ID = X, SA ID = Y): Process delete request from peer

Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Process delete request from peer
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0xB21A1971F9A72019 RSPI: 0xD4B671E5BCC66C25]
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Check for existing active SA
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Delete all IKE SAs
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Deleting SA
Dec 26 09:59:14.937: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0x80007FDA18896A80

Dec 26 2024 09:59:14.937 EET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer ****PEER-IP-ADDRESS****:55976 Id: *$AnyConnectClient$*
Dec 26 09:59:14.939: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 26 09:59:14.939: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6305
Dec 26 09:59:14.939: IPSEC:(SESSION ID = 60) (key_engine_delete_sas) rec'd delete notify from ISAKMP
Dec 26 09:59:14.939: IPSEC:(SESSION ID = 60) (key_engine_delete_sas) delete SA with spi 0xE73AAD25 proto 50 for ****ISR-IP-ADDRESS****
Dec 26 09:59:14.939: IPSEC:(SESSION ID = 60) (delete_sa) deleting SA,

8 Replies

illznn
Level 1

config:

ip local pool FLEX_POOL 10.130.18.11 10.130.18.15
ip access-list standard split_tunnel
 permit 10.130.0.0 0.0.255.255

crypto ikev2 authorization policy FLEXVPN_AUTHOR_POLICY
 pool FLEX_POOL
 route set access-list split_tunnel

crypto ikev2 proposal PROP1_FOR_FLEX
 encryption aes-cbc-256
 integrity sha256
 group 14

crypto ikev2 policy IKEv2_POL_FOR_FLEX
 proposal PROP1_FOR_FLEX

crypto ipsec transform-set TSET_FOR_FLEX esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto ikev2 profile FLEX_IKEv2_PROF
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint FlexVPN-TP-CS1
 aaa authentication anyconnect-eap A_EAP_AUTHEN_LOCAL_LIST
 aaa authorization group anyconnect-eap list A_EAP_AUTHOR_LOCAL_LIST FLEXVPN_AUTHOR_POLICY
 aaa authorization user anyconnect-eap cached
 virtual-template 100

crypto ipsec profile FLEX_IPSEC_PROF
 set transform-set TSET_FOR_FLEX
 set ikev2-profile FLEX_IKEv2_PROF

interface virtual-template 100 type tunnel
 ip unnumbered GigabitEthernet0/0/1.673
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX_IPSEC_PROF

aaa authentication login A_EAP_AUTHEN_LOCAL_LIST local
aaa authorization network A_EAP_AUTHOR_LOCAL_LIST local
no crypto ikev2 http-url cert

Any help would be appreciated
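A FlexVPN profile like the one above is a chain of named objects (pool, ACL, proposal, transform-set, IKEv2 profile, IPsec profile, AAA lists, virtual-template) that only works if every reference resolves and every ACL address parses. The following script is an added example, not code from the thread or from Cisco: it takes an IOS-style configuration text, collects the top-level definitions, checks each sub-mode reference against them, and validates the address tokens of standard ACL entries. The embedded sample is a constructed copy of the posted configuration with IOS's one-space sub-mode indentation; the ACL line keeps the extra dot exactly as posted so the check has something to flag. Object kinds and regexes are this example's own naming, not IOS terminology.

```python
import ipaddress
import re

# Constructed sample: the FlexVPN configuration posted in the thread, with the
# one-space indentation IOS uses for sub-mode commands. The ACL line keeps the
# trailing dot from the post so the check below can flag it.
SAMPLE_CONFIG = """\
ip local pool FLEX_POOL 10.130.18.11 10.130.18.15
ip access-list standard split_tunnel
 permit 10.130.0.0. 0.0.255.255
crypto ikev2 authorization policy FLEXVPN_AUTHOR_POLICY
 pool FLEX_POOL
 route set access-list split_tunnel
crypto ikev2 proposal PROP1_FOR_FLEX
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEv2_POL_FOR_FLEX
 proposal PROP1_FOR_FLEX
crypto ipsec transform-set TSET_FOR_FLEX esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ikev2 profile FLEX_IKEv2_PROF
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint FlexVPN-TP-CS1
 aaa authentication anyconnect-eap A_EAP_AUTHEN_LOCAL_LIST
 aaa authorization group anyconnect-eap list A_EAP_AUTHOR_LOCAL_LIST FLEXVPN_AUTHOR_POLICY
 aaa authorization user anyconnect-eap cached
 virtual-template 100
crypto ipsec profile FLEX_IPSEC_PROF
 set transform-set TSET_FOR_FLEX
 set ikev2-profile FLEX_IKEv2_PROF
interface virtual-template 100 type tunnel
 ip unnumbered GigabitEthernet0/0/1.673
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX_IPSEC_PROF
aaa authentication login A_EAP_AUTHEN_LOCAL_LIST local
aaa authorization network A_EAP_AUTHOR_LOCAL_LIST local
no crypto ikev2 http-url cert
"""

# Top-level lines that define a named object: (regex, kind). Kind names are
# this example's own labels, not IOS terms.
DEFINITIONS = [
    (r"^ip local pool (\S+)", "pool"),
    (r"^ip access-list \S+ (\S+)", "acl"),
    (r"^crypto ikev2 authorization policy (\S+)", "ikev2-author-policy"),
    (r"^crypto ikev2 proposal (\S+)", "ikev2-proposal"),
    (r"^crypto ipsec transform-set (\S+)", "transform-set"),
    (r"^crypto ikev2 profile (\S+)", "ikev2-profile"),
    (r"^crypto ipsec profile (\S+)", "ipsec-profile"),
    (r"^interface [Vv]irtual-[Tt]emplate ?(\d+)", "virtual-template"),
    (r"^aaa authentication login (\S+)", "aaa-authen-list"),
    (r"^aaa authorization network (\S+)", "aaa-author-list"),
]

# Sub-mode lines that refer to a named object: (regex, [(kind, regex group)])
REFERENCES = [
    (r"^pool (\S+)", [("pool", 1)]),
    (r"^route set access-list (\S+)", [("acl", 1)]),
    (r"^proposal (\S+)", [("ikev2-proposal", 1)]),
    (r"^set transform-set (\S+)", [("transform-set", 1)]),
    (r"^set ikev2-profile (\S+)", [("ikev2-profile", 1)]),
    (r"^virtual-template (\d+)", [("virtual-template", 1)]),
    (r"^tunnel protection ipsec profile (\S+)", [("ipsec-profile", 1)]),
    (r"^aaa authentication anyconnect-eap (\S+)", [("aaa-authen-list", 1)]),
    (r"^aaa authorization group anyconnect-eap list (\S+) (\S+)",
     [("aaa-author-list", 1), ("ikev2-author-policy", 2)]),
]


def _valid_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def check_config(text):
    """Return a list of findings; an empty list means every cross-reference
    resolved and every standard-ACL address token parsed as IPv4."""
    defined, refs, findings, parent = set(), [], [], ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":                      # top-level command: new parent
            parent = raw.strip()
            for pattern, kind in DEFINITIONS:
                m = re.match(pattern, parent)
                if m:
                    defined.add((kind, m.group(1)))
            continue
        line = raw.strip()                     # sub-mode command under parent
        for pattern, targets in REFERENCES:
            m = re.match(pattern, line)
            if m:
                for kind, group in targets:
                    refs.append((kind, m.group(group), parent))
        # Standard ACL entries: each address/wildcard token must parse as IPv4
        if parent.startswith("ip access-list") and line.split()[0] in ("permit", "deny"):
            for token in line.split()[1:]:
                if token not in ("any", "host", "log") and not _valid_ipv4(token):
                    findings.append(f"{parent}: '{line}' has invalid address '{token}'")
    for kind, name, parent in refs:
        if (kind, name) not in defined:
            findings.append(f"{parent}: references undefined {kind} '{name}'")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports only the ACL address typo; remove the `ip local pool` line and it additionally reports the dangling `pool FLEX_POOL` reference in the authorization policy. It does not verify that the `ip unnumbered` interface exists, since the post does not include that interface's configuration.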

ip unnumbered GigabitEthernet0/0/1.673 <<- Is this subinterface used by the client to establish FlexVPN? If yes, use a loopback as the unnumbered IP of the virtual-template instead.

MHM

You mean Loopback0? If so, it didn't work.

interface virtual-template 100 type tunnel
ip unnumbered Loopback0

anyconnect profile acvpn <<- under the ikev2 profile, this points to the profile the user must use; this profile must be added as XML to the user's OS.

Yes, I have already edited the profile using the AnyConnect Profile Editor, specified the host for the connection and the IPsec protocol, and it is used.

I will send you PM 

Thanks 

MHM

@illznn has this ever worked or is this a new configuration you are attempting to get working?

What firmware version is the ISR 4331 running? On older versions local authentication was not supported.

Do the Windows clients trust the identity certificate the router uses for local authentication? Also, the certificate cannot be self-signed, though you can create a CA on the router and enrol the router to itself.

Cisco IOS XE Software, Version 17.05.01a
Cisco IOS Software [Bengaluru], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.5.1a, RELEASE SOFTWARE (fc3)

Yes, this is a new configuration (we currently use EasyVPN and need to migrate) and I have a working trustpoint. I get the certificate, the first phase is initialized and the tunnel is up. After entering the login/password this happens. Then I see in the logs that the client is initiating the tunnel deletion; here is how it looks.

Dec 26 09:59:14.908: IPSEC:(SESSION ID = 60) (create_sa) sa created,
(sa) sa_dest= ****PEER-IP-ADDRESS****, sa_proto= 50,
sa_spi= 0x124AFF43(306904899),
sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 2646
sa_lifetime(k/sec)= (4608000/86400),
(identity) local= ****ISR-IP-ADDRESS****:0, remote= ****PEER-IP-ADDRESS****:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 10.130.18.13/255.255.255.255/256/0
Dec 26 09:59:14.921: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Create IPV4 route from ACL for ****PEER-IP-ADDRESS****
Dec 26 09:59:14.922: IPSEC(rte_mgr): VPN Route Refcount 1 Virtual-Access2
Dec 26 09:59:14.922: IPSEC(rte_mgr): VPN Route Added 10.130.18.13 255.255.255.255 via Virtual-Access2 in IP DEFAULT TABLE with tag 0 distance 1
Dec 26 09:59:14.922: IKEv2:(SESSION ID = 60,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Dec 26 2024 09:59:14.922 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Dec 26 09:59:14.926: IKEv2:(SESSION ID = 60,SA ID = 1):Checking for duplicate IKEv2 SA
Dec 26 09:59:14.926: IKEv2:(SESSION ID = 60,SA ID = 1):No duplicate IKEv2 SA found
Dec 26 09:59:14.926: IKEv2:(SESSION ID = 60,SA ID = 1):Starting timer (8 sec) to delete negotiation context

Dec 26 09:59:14.934: IKEv2:(SESSION ID = 60,SA ID = 1):Received Packet [From ****PEER-IP-ADDRESS****:55976/To ****ISR-IP-ADDRESS****:4500/VRF i0:f0]
Initiator SPI : B21A1971F9A72019 - Responder SPI : D4B671E5BCC66C25 Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE NOTIFY(DELETE_REASON)

Dec 26 09:59:14.935: IKEv2:(SESSION ID = 60,SA ID = 1):Building packet for encryption.

Dec 26 09:59:14.936: IKEv2:(SESSION ID = 60,SA ID = 1):Sending Packet [To ****PEER-IP-ADDRESS****:55976/From ****ISR-IP-ADDRESS****:4500/VRF i0:f0]
Initiator SPI : B21A1971F9A72019 - Responder SPI : D4B671E5BCC66C25 Message id: 6
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Process delete request from peer
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0xB21A1971F9A72019 RSPI: 0xD4B671E5BCC66C25]
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Check for existing active SA
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Delete all IKE SAs
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Deleting SA
Dec 26 09:59:14.937: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0x80007FDA18896A80

Dec 26 2024 09:59:14.937 EET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer ****PEER-IP-ADDRESS****:55976 Id: *$AnyConnectClient$*
Dec 26 09:59:14.939: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 26 09:59:14.939: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6305
Dec 26 09:59:14.939: IPSEC:(SESSION ID = 60) (key_engine_delete_sas) rec'd delete notify from ISAKMP
Dec 26 09:59:14.939: IPSEC:(SESSION ID = 60) (key_engine_delete_sas) delete SA with spi 0xE73AAD25 proto 50 for ****ISR-IP-ADDRESS****
Dec 26 09:59:14.939: IPSEC:(SESSION ID = 60) (delete_sa) deleting SA,
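The debug output above is what distinguishes this failure from a negotiation problem: the IPsec SA is installed and the virtual-access interface comes up, and only then does an INFORMATIONAL request carrying a DELETE payload arrive from the peer. The following script is an added example, not code from the thread or from Cisco: it parses this style of `IKEv2:`/`IPSEC:` debug output and the `%CRYPTO-5-IKEV2_SESSION_STATUS` syslog line, attaches the untimestamped packet-detail lines to the packet event that precedes them, and reports per session whether the delete was received from the peer or sent locally, and how long after the child SA was installed. The embedded excerpt is a constructed copy of the posted debug with RFC 5737 documentation addresses standing in for the masked peer and router addresses; the field names and the 5-second threshold in the verdict are this example's own choices.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the debug output posted in the thread.
# 203.0.113.10 stands in for the masked peer, 192.0.2.1 for the masked ISR.
SAMPLE_DEBUG = """\
Dec 26 09:59:14.908: IPSEC:(SESSION ID = 60) (create_sa) sa created,
(sa) sa_dest= 203.0.113.10, sa_proto= 50,
sa_spi= 0x124AFF43(306904899),
Dec 26 09:59:14.922: IKEv2:(SESSION ID = 60,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Dec 26 2024 09:59:14.922 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Dec 26 09:59:14.926: IKEv2:(SESSION ID = 60,SA ID = 1):Starting timer (8 sec) to delete negotiation context
Dec 26 09:59:14.934: IKEv2:(SESSION ID = 60,SA ID = 1):Received Packet [From 203.0.113.10:55976/To 192.0.2.1:4500/VRF i0:f0]
Initiator SPI : B21A1971F9A72019 - Responder SPI : D4B671E5BCC66C25 Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE NOTIFY(DELETE_REASON)
Dec 26 09:59:14.936: IKEv2:(SESSION ID = 60,SA ID = 1):Sending Packet [To 203.0.113.10:55976/From 192.0.2.1:4500/VRF i0:f0]
Initiator SPI : B21A1971F9A72019 - Responder SPI : D4B671E5BCC66C25 Message id: 6
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Process delete request from peer
Dec 26 09:59:14.937: IKEv2:(SESSION ID = 60,SA ID = 1):Deleting SA
Dec 26 2024 09:59:14.937 EET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer 203.0.113.10:55976 Id: *$AnyConnectClient$*
"""

# "Dec 26 09:59:14.937: <msg>" debug lines
TS_RE = re.compile(r"^(\w{3} +\d+ \d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")
# "Dec 26 2024 09:59:14.937 EET: <msg>" syslog lines (year and zone dropped)
SYSLOG_RE = re.compile(r"^(\w{3} +\d+) \d{4} (\d{2}:\d{2}:\d{2}\.\d{3}) \S+: (.*)$")
SESSION_RE = re.compile(r"SESSION ID = (\d+)")


def parse_debug(text):
    """Return a list of event dicts {ts, session, msg, detail}. Lines without a
    timestamp (packet contents, SA details) are attached to the preceding event."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            ts, msg = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f"), m.group(2)
        else:
            m = SYSLOG_RE.match(line)
            if m:
                ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S.%f")
                msg = m.group(3)
            elif events:
                events[-1]["detail"].append(line)   # continuation line
                continue
            else:
                continue
        s = SESSION_RE.search(msg)
        events.append({"ts": ts, "session": int(s.group(1)) if s else None,
                       "msg": msg, "detail": []})
    return events


def analyze_session(events, session_id):
    """Summarise one IKEv2 session: when the child SA was installed, who sent
    the DELETE, and when the tunnel was reported down."""
    r = {"session": session_id, "child_sa_created": None, "delete_direction": None,
         "delete_at": None, "tunnel_down": None, "seconds_before_delete": None}
    for ev in events:
        msg, detail = ev["msg"], " ".join(ev["detail"])
        if ev["session"] == session_id:
            if "Creation of IPsec SA into IPsec database PASSED" in msg and r["child_sa_created"] is None:
                r["child_sa_created"] = ev["ts"]
            # A DELETE payload only appears in an INFORMATIONAL request; the
            # direction comes from whether the router received or sent it.
            if "INFORMATIONAL Exchange REQUEST" in detail and "DELETE" in detail and r["delete_at"] is None:
                r["delete_direction"] = "peer" if "Received Packet" in msg else "local"
                r["delete_at"] = ev["ts"]
        elif ev["session"] is None and "IKEV2_SESSION_STATUS" in msg and "DOWN" in msg:
            if r["delete_at"] is not None and r["tunnel_down"] is None and ev["ts"] >= r["delete_at"]:
                r["tunnel_down"] = ev["ts"]
    if r["child_sa_created"] and r["delete_at"]:
        r["seconds_before_delete"] = (r["delete_at"] - r["child_sa_created"]).total_seconds()
    r["verdict"] = classify(r)
    return r


def classify(r):
    if r["delete_at"] is None:
        return "no delete seen"
    if r["child_sa_created"] is None:
        return f"{r['delete_direction']}-initiated delete before any IPsec SA was installed"
    if r["delete_direction"] == "peer" and r["seconds_before_delete"] < 5:
        return "peer-initiated delete within 5s of IPsec SA install: negotiation completed, teardown originated on the client side"
    return f"{r['delete_direction']}-initiated delete after {r['seconds_before_delete']:.3f}s"


if __name__ == "__main__":
    for key, value in analyze_session(parse_debug(SAMPLE_DEBUG), 60).items():
        print(f"{key}: {value}")
```

For the sample this reports a peer-initiated delete 12 ms after the child SA was installed, with the session-down syslog following it, which is the pattern the thread describes. Feeding it the debug from a case where the router itself sends the DELETE yields `delete_direction: local`, so the same script separates server-side rejections from client-side teardowns.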