IKEV2 site to site failing - Error in retrieving config mode data to send

Madura Malwatte
Level 4

I am trying to set up a site-to-site IKEv2 tunnel between an ISR 4351 and an ASA.

 

When I do debug crypto ikev2 protocol 255, I can see there is a problem:

"IKEv2-PROTO-2: (1629): Error in retrieving config mode data to send".

Here are the full debug logs from the ASA. Any idea why this is happening and what I should verify in terms of the config?

IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-2: (1629): Stopping timer to wait for auth message
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_NAT_T
IKEv2-PROTO-2: (1629): Checking NAT discovery
IKEv2-PROTO-2: (1629): NAT not found
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
IKEv2-PROTO-5: (1629): Received valid parameteres in process id
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-2: (1629): Searching policy based on peer's identity '1.1.1.1' of type 'IPv4 address'
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_SET_POLICY
IKEv2-PROTO-5: (1629): Setting configured policies
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-2: (1629): Verify peer's policy
IKEv2-PROTO-2: (1629): Peer's policy verified
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_AUTH4EAP
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_POLREQEAP
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-2: (1629): Get peer's authentication method
IKEv2-PROTO-2: (1629): Peer's authentication method is 'PSK'
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-2: (1629): Get peer's preshared key for 1.1.1.1
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-2: (1629): Verify peer's authentication data
IKEv2-PROTO-2: (1629): Use preshared key for id 1.1.1.1, key len 9
IKEv2-PROTO-2: (1629): Verification of peer's authenctication data PASSED
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-2: (1629): Processing INITIAL_CONTACT
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_REDIRECT
IKEv2-PROTO-5: (1629): Redirect check is not needed, skipping it
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-2: (1629): Received valid config mode data
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_SET_RECD_CONFIG_MODE
IKEv2-PROTO-2: (1629): Set received config mode data
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-2: (1629): Error in retrieving config mode data to send
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_FAIL_GET_CONFIG
IKEv2-PROTO-2: (1629): Error in retrieving config mode data to send
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-2: (1629): Auth exchange failed
IKEv2-PROTO-1: (1629): Auth exchange failed
IKEv2-PROTO-1: (1629): Auth exchange failed
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (1629): Abort exchange
IKEv2-PROTO-2: (1629): Deleting SA
IKEv2-PROTO-5: Couldn't find matching SA
IKEv2-PROTO-1: Detected an invalid IKE SPI
IKEv2-PROTO-1: Couldn't find matching SA

IKEv2-PROTO-2: Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 40868BF350644E46 - Responder SPI : 00EA4816EBFBA013 Message id: 1
IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 624IKEv2-PROTO-1: A supplied parameter is incorrect
IKEv2-PROTO-1:
IKEv2-PROTO-5: (1628): SM Trace-> SA: I_SPI=60AA71FA412FBB34 R_SPI=56A349267EEC1886 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (1628): Retransmitting packet
(1628):
IKEv2-PROTO-2: (1628): Sending Packet [To 1.1.1.1:500/From 2.2.2.2:500/VRF i0:f0]
(1628): Initiator SPI : 60AA71FA412FBB34 - Responder SPI : 56A349267EEC1886 Message id: 1
(1628): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: (1628): Next payload: ENCR, version: 2.0 (1628): Exchange type: IKE_AUTH, flags: INITIATOR (1628): Message id: 1, length: 352(1628):
Payload contents:
(1628): ENCR(1628): Next payload: VID, reserved: 0x0, length: 324
(1628): Encrypted data: 320 bytes
(1628):
IKEv2-PROTO-5: (1628): SM Trace-> SA: I_SPI=60AA71FA412FBB34 R_SPI=56A349267EEC1886 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-5: Couldn't find matching SA
IKEv2-PROTO-1: Detected an invalid IKE SPI
IKEv2-PROTO-1: Couldn't find matching SA

IKEv2-PROTO-2: Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
Initiator SPI : 40868BF350644E46 - Responder SPI : 00EA4816EBFBA013 Message id: 1
IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-3: Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 624IKEv2-PROTO-1: A supplied parameter is incorrect
IKEv2-PROTO-1:

1 Reply

awk5303
Level 1

There is a hidden configuration command underneath your IKEv2 profile that you could give a try (not on ASA but on the IOS router):

crypto ikev2 profile <YOUR IKEv2 PROFILE FOR THE L2L Tunnel>
 no config-exchange request
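
Added example, not part of the original thread: a small Python parser for the debug format quoted in the question. For each SA it reports the state-machine step and message that immediately preceded the first EV_FAIL* event. The sample lines are excerpted from the log above; the function and field names are this example's own, and reading (R)/(I) as responder/initiator is its interpretation of the trace.

```python
import re

# Excerpt of the ASA debug output quoted in the question.
SAMPLE = """\
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-2: (1629): Received valid config mode data
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-2: (1629): Error in retrieving config mode data to send
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_FAIL_GET_CONFIG
IKEv2-PROTO-2: (1629): Error in retrieving config mode data to send
IKEv2-PROTO-5: (1629): SM Trace-> SA: I_SPI=40868BF350644E46 R_SPI=00EA4816EBFBA013 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-1: (1629): Auth exchange failed
IKEv2-PROTO-5: (1628): SM Trace-> SA: I_SPI=60AA71FA412FBB34 R_SPI=56A349267EEC1886 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RE_XMT
IKEv2-PROTO-2: (1628): Retransmitting packet
IKEv2-PROTO-5: Couldn't find matching SA
"""

TRACE = re.compile(
    r"^IKEv2-PROTO-\d: \((?P<sa>\d+)\): SM Trace-> SA: I_SPI=(?P<ispi>[0-9A-F]+) "
    r"R_SPI=[0-9A-F]+ \((?P<role>[IR])\) MsgID = \w+ "
    r"CurState: (?P<state>\w+) Event: (?P<event>\w+)")
MSG = re.compile(r"^IKEv2-PROTO-\d: \((?P<sa>\d+)\): (?P<text>.+)$")

def find_failures(log):
    """For each SA, report the step that preceded its first EV_FAIL* event."""
    last_step, last_msg, failures = {}, {}, {}
    for line in log.splitlines():
        t = TRACE.match(line)
        if t:
            sa, role, state, event = t.group("sa", "role", "state", "event")
            if event.startswith("EV_FAIL") and sa not in failures:
                prev_state, prev_event = last_step.get(sa, (None, None))
                failures[sa] = {
                    "sa": sa, "i_spi": t.group("ispi"),
                    "role": "responder" if role == "R" else "initiator",
                    "state": prev_state, "failed_step": prev_event,
                    "fail_event": event, "message": last_msg.get(sa),
                }
            last_step[sa] = (state, event)
        else:
            m = MSG.match(line)
            if m:  # lines without an SA id (e.g. "Couldn't find matching SA") are skipped
                last_msg[m.group("sa")] = m.group("text")
    return list(failures.values())

if __name__ == "__main__":
    for f in find_failures(SAMPLE):
        print(f)
```

On the excerpt it isolates SA 1629, in the responder role, failing at EV_GET_CONFIG_MODE after peer authentication had already passed, while SA 1628 is only retransmitting.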