
ikev2 VPN tunnel troubleshooting help

Makoon
Level 1

Howdy Cisco Community!

Need your help, as I am fairly new to troubleshooting site-to-site VPN connectivity.

I am unable to establish VPN connectivity per the information below.

Site:1
crypto ipsec ikev2 ipsec-proposal CSM_IP_1
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map CSM_Outside_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_Outside_map 1 set peer 2xxxxx
crypto map CSM_Outside_map 1 set ikev2 ipsec-proposal CSM_IP_1
crypto map CSM_Outside_map 1 set security-association lifetime seconds 3600
crypto map CSM_Outside_map interface Outside
crypto ca trustpool policy

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 21 19 14
prf sha256
lifetime seconds 28800
crypto ikev2 enable Outside

tunnel-group 2xxxxx type ipsec-l2l
tunnel-group 2xxxxx general-attributes
default-group-policy .DefaultS2SGroupPolicy
tunnel-group 2xxxx ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Site:2
crypto ikev2 policy policy2
match address local 2xxxxxxxxx
proposal Lxxxxxxxxxxx

crypto ikev2 keyring Lxxxxxxxxxxx
peer Lxxxxxxxxxxx
description To Lxxxxxxxxxx
address 2xxxxxxxxxxxx
pre-shared-key address xxxxxxxx key ********************@

crypto ikev2 proposal Lxxxxxx
encryption aes-cbc-256
integrity sha256
group 21 19 14

crypto ikev2 profile profile-v2
match address local 2xxxxxxxxxx
match identity remote address 2xxxxxxx 255.255.255.255
authentication remote pre-share key ********************
authentication local pre-share key ********************
lifetime 28800

Debug Information:
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (52): Setting configured policies
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (52): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 21
IKEv2-PROTO-4: (52): Request queued for computation of DH key
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (52): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (52): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 6
(52): AES-CBC(52): SHA256(52): SHA256(52): DH_GROUP_521_ECP/Group 21(52): DH_GROUP_256_ECP/Group 19(52): DH_GROUP_2048_MODP/Group 14(52):
IKEv2-PROTO-4: (52): Sending Packet [To xxxxxxxxxxx:500/From xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 0000000000000000 Message id: 0
(52): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (52): Next payload: SA, version: 2.0 (52): Exchange type: IKE_SA_INIT, flags: INITIATOR (52): Message id: 0, length: 466(52):
Payload contents:
(52): SA(52): Next payload: KE, reserved: 0x0, length: 64
(52): last proposal: 0x0, reserved: 0x0, length: 60
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 6(52): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(52): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(52): KE(52): Next payload: N, reserved: 0x0, length: 140
(52): DH group: 21, Reserved: 0x0
(52):
(52): N(52): Next payload: VID, reserved: 0x0, length: 68
(52):
(52): 06 7b ac d6 f7 54 48 3b 14 06 cd fb cd 3f 84 2a
(52): 9e 2b ac 8e 8c db 0a a0 82 26 7d 91 2b 3b 12 ac
(52): c9 1c 86 28 a5 4d 21 17 ca 31 02 9d f1 f9 cb fe
(52): 6e 73 52 a5 6e 62 a1 96 4c 21 d5 69 33 2e 62 6f
(52): VID(52): Next payload: VID, reserved: 0x0, length: 23
(52):
(52): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(52): 53 4f 4e
(52): VID(52): Next payload: NOTIFY, reserved: 0x0, length: 59
(52):
(52): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(52): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(52): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(52): 73 2c 20 49 6e 63 2e
(52): NOTIFY(NAT_DETECTION_SOURCE_IP)(52): Next payload: NOTIFY, reserved: 0x0, length: 28
(52): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(52):
(52): da 62 7f 5d 42 9b fc 69 1a b8 63 d5 93 79 cb 91
(52): cb 6f 7d ae
(52): NOTIFY(NAT_DETECTION_DESTINATION_IP)(52): Next payload: NOTIFY, reserved: 0x0, length: 28
(52): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(52):
(52): 93 e6 a8 44 bd ef 17 64 fa 89 df ec 7a 32 14 7d
(52): 13 98 8c 60
(52): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(52): Next payload: VID, reserved: 0x0, length: 8
(52): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(52): VID(52): Next payload: NONE, reserved: 0x0, length: 20
(52):
(52): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(52):
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (52): Insert SA
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(52):
IKEv2-PROTO-4: (52): Received Packet [From xxxxxxxxxxx:500/To xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 593DA05596C4ACEA Message id: 0
(52): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (52): Next payload: SA, version: 2.0 (52): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (52): Message id: 0, length: 399(52):
Payload contents:
(52): SA(52): Next payload: KE, reserved: 0x0, length: 48
(52): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(52): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(52): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(52): KE(52): Next payload: N, reserved: 0x0, length: 140
(52): DH group: 21, Reserved: 0x0
(52):
(52): N(52): Next payload: VID, reserved: 0x0, length: 24
(52):
(52): 6b 0a 21 e2 be 7c a9 b8 16 c0 17 18 aa 0c c5 86
(52): 33 e4 67 ff
(52): VID(52): Next payload: VID, reserved: 0x0, length: 23
(52):
(52): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(52): 53 4f 4e
(52): VID(52): Next payload: VID, reserved: 0x0, length: 59
(52):
(52): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(52): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(52): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(52): 73 2c 20 49 6e 63 2e
(52): VID(52): Next payload: NOTIFY, reserved: 0x0, length: 21
(52):
(52): 46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
(52): 44
(52): NOTIFY(NAT_DETECTION_SOURCE_IP)(52): Next payload: NOTIFY, reserved: 0x0, length: 28
(52): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(52):
(52): 7c 77 69 e7 da 6b 0c 13 e5 f7 09 c8 41 a7 5b 7a
(52): 75 e8 21 7f
(52): NOTIFY(NAT_DETECTION_DESTINATION_IP)(52): Next payload: NONE, reserved: 0x0, length: 28
(52): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(52):
(52): bb 30 33 e1 f7 cb 36 57 00 2f 33 99 b3 52 c0 c0
(52): 66 e6 9a 5d
(52):
(52): Decrypted packet:(52): Data: 399 bytes
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (52): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (52): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (52): Verify SA init message
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (52): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (52): Process NAT discovery notify
IKEv2-PROTO-7: (52): Processing nat detect src notify
IKEv2-PROTO-7: (52): Remote address matched
IKEv2-PROTO-7: (52): Processing nat detect dst notify
IKEv2-PROTO-7: (52): Local address matched
IKEv2-PROTO-7: (52): No NAT found
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (52): Checking NAT discovery
IKEv2-PROTO-4: (52): NAT not found
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (52): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 21
IKEv2-PROTO-4: (52): Request queued for computation of DH secret
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (52): Generate skeyid
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-7: (52): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-4: (52): Completed SA init exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (52): Check for EAP exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (52): Generate my authentication data
IKEv2-PROTO-4: (52): Use preshared key for id xxxxxxxxxxx, key len 10
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (52): Get my authentication method
IKEv2-PROTO-4: (52): My authentication method is 'PSK'
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (52): Check for EAP exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (52): Generating IKE_AUTH message
IKEv2-PROTO-4: (52): Constructing IDi payload: 'xxxxxxxxxxx' of type 'IPv4 address'
IKEv2-PROTO-4: (52): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(52): AES-CBC(52): SHA256(52): Don't use ESNIKEv2-PROTO-4: (52): Building packet for encryption.
(52):
Payload contents:
(52): VID(52): Next payload: IDi, reserved: 0x0, length: 20
(52):
(52): 0e ec d7 ae f3 63 e7 a1 47 83 64 83 5f d6 5a 46
(52): IDi(52): Next payload: AUTH, reserved: 0x0, length: 12
(52): Id type: IPv4 address, Reserved: 0x0 0x0
(52):
(52): cd 8a ab b6
(52): AUTH(52): Next payload: SA, reserved: 0x0, length: 40
(52): Auth method PSK, reserved: 0x0, reserved 0x0
(52): Auth data: 32 bytes
(52): SA(52): Next payload: TSi, reserved: 0x0, length: 44
(52): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(52): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(52): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(52): TSi(52): Next payload: TSr, reserved: 0x0, length: 40
(52): Num of TSs: 2, reserved 0x0, reserved 0x0
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 10.84.249.5, end addr: 10.84.249.5
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 10.84.249.0, end addr: 10.84.249.255
(52): TSr(52): Next payload: NOTIFY, reserved: 0x0, length: 40
(52): Num of TSs: 2, reserved 0x0, reserved 0x0
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 192.168.200.254, end addr: 192.168.200.254
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 192.168.200.0, end addr: 192.168.200.255
(52): NOTIFY(INITIAL_CONTACT)(52): Next payload: NOTIFY, reserved: 0x0, length: 8
(52): Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(52): NOTIFY(ESP_TFC_NO_SUPPORT)(52): Next payload: NOTIFY, reserved: 0x0, length: 8
(52): Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(52): NOTIFY(NON_FIRST_FRAGS)(52): Next payload: NONE, reserved: 0x0, length: 8
(52): Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(52):
IKEv2-PROTO-4: (52): Sending Packet [To xxxxxxxxxxx:500/From xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 593DA05596C4ACEA Message id: 1
(52): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (52): Next payload: ENCR, version: 2.0 (52): Exchange type: IKE_AUTH, flags: INITIATOR (52): Message id: 1, length: 288(52):
Payload contents:
(52): ENCR(52): Next payload: VID, reserved: 0x0, length: 260
(52): Encrypted data: 256 bytes
(52):
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (52): Check for EAP exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
(52):
IKEv2-PROTO-4: (52): Received Packet [From xxxxxxxxxxx:500/To xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 593DA05596C4ACEA Message id: 1
(52): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (52): Next payload: ENCR, version: 2.0 (52): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (52): Message id: 1, length: 160(52):
Payload contents:
(52):
(52): Decrypted packet:(52): Data: 160 bytes
(52): REAL Decrypted packet:(52): Data: 80 bytes
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (52): Process auth response notify
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (52): Searching policy based on peer's identity 'xxxxxxxxxxx' of type 'IPv4 address'
IKEv2-PLAT-4: (52): Site to Site connection detected
IKEv2-PLAT-4: (52): P1 ID = 0
IKEv2-PLAT-4: (52): Translating IKE_ID_AUTO to = 255
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (52): Verify peer's policy
IKEv2-PROTO-4: (52): Peer's policy verified
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (52): Get peer's authentication method
IKEv2-PROTO-4: (52): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (52): Get peer's preshared key for xxxxxxxxxxx
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (52): Verify peer's authentication data
IKEv2-PROTO-4: (52): Use preshared key for id xxxxxxxxxxx, key len 10
IKEv2-PROTO-4: (52): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (52): Check for EAP exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PLAT-4: (52): Completed authentication for connection
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (52): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (52): IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
IKEv2-PROTO-4: (52): Session with IKE ID PAIR (xxxxxxxxxxx, xxxxxxxxxxx) is UP
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-4: (52): connection auth hdl set to 155
IKEv2-PLAT-4: (52): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-4: (52): idle timeout set to: 30
IKEv2-PLAT-4: (52): session timeout set to: 0
IKEv2-PLAT-4: (52): group policy set to .DefaultS2SGroupPolicy
IKEv2-PLAT-4: (52): class attr set
IKEv2-PLAT-4: (52): tunnel protocol set to: 0x44
IKEv2-PLAT-4: (52): IPv4 filter ID not configured for connection
IKEv2-PLAT-4: (52): group lock set to: none
IKEv2-PLAT-4: (52): IPv6 filter ID not configured for connection
IKEv2-PLAT-4: (52): connection attributes set valid to TRUE
IKEv2-PLAT-4: (52): Successfully retrieved conn attrs
IKEv2-PLAT-4: (52): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-4: (52): connection auth hdl set to -1
IKEv2-PROTO-4: (52): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (52): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (52): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-4: (52): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-7: (52): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-4: (52): Sending DELETE INFO message for IKEv2 SA [ISPI: 0x0CECD6AEE05414E6 RSPI: 0x593DA05596C4ACEA]
IKEv2-PROTO-4: (52): Building packet for encryption.
(52):
Payload contents:
(52): DELETE(52): Next payload: NONE, reserved: 0x0, length: 8
(52): Security protocol id: IKE, spi size: 0, num of spi: 0
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PLAT-4: (52): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (52): Checking if request will fit in peer window
(52):
IKEv2-PROTO-4: (52): Sending Packet [To xxxxxxxxxxx:500/From xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 593DA05596C4ACEA Message id: 2
(52): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (52): Next payload: ENCR, version: 2.0 (52): Exchange type: INFORMATIONAL, flags: INITIATOR (52): Message id: 2, length: 80(52):
Payload contents:
(52): ENCR(52): Next payload: DELETE, reserved: 0x0, length: 52
(52): Encrypted data: 48 bytes
(52):
IKEv2-PLAT-5: (52): SENT PKT [INFORMATIONAL] [xxxxxxxxxxx]:500->[xxxxxxxxxxx]:500 InitSPI=0x0cecd6aee05414e6 RespSPI=0x593da05596c4acea MID=00000002
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-4: (52): Check for existing active SA
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_STOP_ACCT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_TERM_CONN
IKEv2-PROTO-4: (52): Delete all IKE SAs
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(52):
IKEv2-PROTO-4: (52): Received Packet [From xxxxxxxxxxx:500/To xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 593DA05596C4ACEA Message id: 2
(52): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (52): Next payload: ENCR, version: 2.0 (52): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (52): Message id: 2, length: 80(52):
Payload contents:
IKEv2-PLAT-4: (52): Decrypt success status returned via ipc 1
(52):
(52): Decrypted packet:(52): Data: 80 bytes
(52): REAL Decrypted packet:(52): Data: 8 bytes
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (52): Processing ACK to informational exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-4: (52): Deleting SA
IKEv2-PLAT-4: (52): IKEv2 session deregistered from session manager. Reason: 8
IKEv2-PLAT-4: (52): session manager killed ikev2 tunnel. Reason: Internal Error
IKEv2-PLAT-4: (52): Deleted associated IKE flow: Outside, xxxxxxxxxxx:62465 <-> xxxxxxxxxxx:62465
IKEv2-PLAT-4: (52): PSH cleanup
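
Added example (not part of the original post and not Cisco tooling): a short Python parser that reduces a debug capture like the one above to its state sequence, milestones and delete reasons, showing how far the negotiation got and which side tore the SA down. The function name, regexes and verdict strings are assumptions of this example; the sample lines are excerpted from the debug output in the post.

```python
import re

# Excerpt of the debug output from the post above (peer addresses already masked there).
SAMPLE_DEBUG = """\
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (52): Completed SA init exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (52): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-4: (52): Session with IKE ID PAIR (xxxxxxxxxxx, xxxxxxxxxxx) is UP
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-4: (52): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-4: (52): Sending DELETE INFO message for IKEv2 SA [ISPI: 0x0CECD6AEE05414E6 RSPI: 0x593DA05596C4ACEA]
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PLAT-4: (52): session manager killed ikev2 tunnel. Reason: Internal Error
"""

# One state-machine trace line: SPI pair, role (I/R), message ID, state and event.
SM_TRACE = re.compile(
    r"SM Trace-> SA: I_SPI=(?P<ispi>[0-9A-F]{16}) R_SPI=(?P<rspi>[0-9A-F]{16}) "
    r"\((?P<role>[IR])\) MsgID = (?P<msgid>[0-9A-Fa-f]{8}) "
    r"CurState: (?P<state>\S+) Event: (?P<event>\S+)"
)
# Milestone messages as they appear in the capture above (\S+ tolerates the device's spelling).
MILESTONES = {
    "sa_init_done": re.compile(r"Completed SA init exchange"),
    "peer_auth_passed": re.compile(r"Verification of peer's \S+ data PASSED"),
    "ike_sa_up": re.compile(r"Session with IKE ID PAIR .* is UP"),
    "local_delete_sent": re.compile(r"Sending DELETE INFO message"),
}
REASON = re.compile(r"(?:delete request reason|killed ikev2 tunnel\. Reason): (.+)$")


def summarize(debug_text):
    """Reduce an IKEv2 debug capture to states, milestones, delete reasons and a verdict."""
    states, seen, reasons = [], set(), []
    spi, delete_trigger = None, None
    for line in debug_text.splitlines():
        m = SM_TRACE.search(line)
        if m:
            if not states or states[-1] != m["state"]:
                states.append(m["state"])        # collapse repeats of the same state
            if set(m["rspi"]) != {"0"}:
                spi = (m["ispi"], m["rspi"])     # responder SPI is all zeros until the peer answers
            if m["event"] == "EV_DEL_SA" and delete_trigger is None:
                delete_trigger = {"state": m["state"], "msgid": m["msgid"], "role": m["role"]}
            continue
        seen.update(name for name, rx in MILESTONES.items() if rx.search(line))
        r = REASON.search(line)
        if r:
            reasons.append(r.group(1).strip())
    if "sa_init_done" not in seen:
        verdict = "stopped during IKE_SA_INIT"
    elif "peer_auth_passed" not in seen:
        verdict = "stopped during IKE_AUTH"
    elif delete_trigger and "local_delete_sent" in seen:
        verdict = ("IKE SA authenticated, then deleted by the local device from state "
                   + delete_trigger["state"])
    else:
        verdict = "IKE SA authenticated, no teardown in capture"
    return {"spi": spi, "states": states, "milestones": sorted(seen),
            "delete_trigger": delete_trigger, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

On the excerpt, the summary shows both exchanges completing with PSK authentication passing, followed by a locally sent DELETE from the READY state, so the remaining checks belong after authentication rather than in the IKE policy or key.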

 

 

16 Replies

You are so welcome

Have a nice day

MHM

Ok. This explains why the ASA didn't even try to create Child SAs (IPSec SAs).