03-07-2023 07:38 AM
Hi,
***********This is technically a branching post from another thread but that thread originally had a different subject and morphed a few times as things were being explained to me by the Pros.*********
I'm trying to connect an anyconnect client with ipsec.
The connection fails and says it could not find a matching policy.
I believe I have matching policies though.
Attached is a Word doc that shows ASA debug with the failure.
I'm trying to use Cisco AnyConnect 4.10; we are coming from 4.6 with a profile on devices that asks for IPsec and connects without issue. If we move that profile to the 4.10 device or use Profile Editor to make a new profile, the 4.10 device fails on IKEv2.
Here are profile and proposal images from asdm.
Any assistance is greatly appreciated!
03-07-2023 07:43 AM
I need to see the config on both sides.
Please share the CLI config.
03-07-2023 07:48 AM
@MHM Cisco World Thanks for your response. That would need to be a last resort. I'd have to go through a chain of people to get it approved, but I can show results of "show" commands with some minor editing if you would like to see certain things.
03-07-2023 07:53 AM
sure
show crypto ipsec sa
show crypto ikev2
for both sides is enough
03-07-2023 08:45 AM
@MHM Cisco World Here you go.
FW1-EXT/pri/act# show crypto ipsec sa
interface: Outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65000, local addr: A.B.0.114
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (A.B.242.46/255.255.255.255/0/0)
current_peer: 10.255.251.23, username: edwin.mckinney.sa
dynamic allocated peer ip: A.B.242.46
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 16385, #pkts encrypt: 16385, #pkts digest: 16385
#pkts decaps: 13964, #pkts decrypt: 13964, #pkts verify: 13964
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16385, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 2
local crypto endpt.: A.B.0.114/4500, remote crypto endpt.: 10.255.251.23/49668
path mtu 1472, ipsec overhead 66(52), override mtu 1406, media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 78DCFB41
current inbound spi : 001F4E1A
inbound esp sas:
spi: 0x001F4E1A (2051610)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 72460, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26018
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x78DCFB41 (2027748161)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 72460, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26018
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
FW1-EXT/pri/act# show crypto ik
FW1-EXT/pri/act# show crypto ikev2
ERROR: % Incomplete command
FW1-EXT/pri/act# show crypto ikev2 ?
sa Show IKEv2 sas
stats Show IKEv2 statistics
FW1-EXT/pri/act# show crypto ikev2 sa
IKEv2 SAs:
Session-id:12810, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
1492230597 A.B.0.114/4500 10.255.251.23/49668 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: EAP
Life/Active Time: 86400/2811 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector A.B.242.46/0 - A.B.242.46/65535
ESP spi in/out: 0x1f4e1a/0x78dcfb41
FW1-EXT/pri/act# show crypto ikev2 stat
FW1-EXT/pri/act# show crypto ikev2 stats
Global IKEv2 Statistics
Active Tunnels: 1
Previous Tunnels: 13399
In Octets: 615285087
In Packets: 5957204
In Drop Packets: 0
In Drop Fragments: 140
In Notifys: 168146
In P2 Exchange: 5712273
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 20
In IPSEC Delete: 0
In IKE Delete: 2561
Out Octets: 725894100
Out Packets: 5940920
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 99036
Out P2 Exchange: 5848400
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 3341
Out IPSEC Delete: 3341
Out IKE Delete: 733
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 15801
SAs Remotely Initiated Failed: 19335
System Capacity Failures: 0
Authentication Failures: 2989
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 21338
In Configs: 47847
Out Configs: 12790
In Configs Rejects: 0
Out Configs Rejects: 56
Previous Tunnels: 13399
Previous Tunnels Wraps: 0
In DPD Messages: 5698395
Out DPD Messages: 5705438
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 592
IKE Rekey Remotely Initiated: 0
Locally Initiated IKE Rekey Rejected: 0
Remotely Initiated IKE Rekey Rejected: 0
CHILD Rekey Locally Initiated: 6685
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 20000
Cookie Challenge Threshold: 10000
Active SAs: 1
In-Negotiation SAs: 0
In-Negotiation SAs High water mark: 16
Incoming Requests: 32147
Incoming Requests Accepted: 32147
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
FW1-EXT/pri/act#
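The output above is what a troubleshooter has to read by hand: the negotiated IKEv2 policy line (Encr/keysize/Hash/DH group) and the global counters, where "SAs Remotely Initiated Failed" exceeding "SAs Remotely Initiated" is the first thing that stands out for a "no matching policy" complaint. The script below is an added example, not code from the thread or from Cisco: it parses those two outputs into Python data, compares the negotiated policy against the proposal a client is expected to send, and flags the counters that point at negotiation or authentication trouble. The sample text is copied from the post (with the same A.B. address masking); the counter names and the layout of the policy line are assumed to match the ASA output quoted here and nothing else.

```python
import re
from typing import Dict, List

# Constructed samples, taken from the 'show crypto ikev2 sa' and
# 'show crypto ikev2 stats' output quoted in the thread (addresses masked as posted).
SAMPLE_IKEV2_SA = """\
IKEv2 SAs:
Session-id:12810, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
1492230597 A.B.0.114/4500 10.255.251.23/49668 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: EAP
Life/Active Time: 86400/2811 sec
"""

SAMPLE_IKEV2_STATS = """\
Global IKEv2 Statistics
Active Tunnels: 1
SAs Remotely Initiated: 15801
SAs Remotely Initiated Failed: 19335
Authentication Failures: 2989
Invalid SPI: 21338
Out Configs Rejects: 56
Max Active SAs: No Limit
"""

# "<Counter name>: <integer>" lines; non-numeric values such as "No Limit" are skipped.
_COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?):\s*(\d+)\s*$")

# The negotiated-policy line of an IKEv2 SA as printed by the ASA.
_POLICY_RE = re.compile(
    r"Encr:\s*([^,]+),\s*keysize:\s*(\d+),\s*Hash:\s*([^,]+),\s*DH Grp:\s*(\d+),"
    r"\s*Auth sign:\s*([^,]+),\s*Auth verify:\s*(\S+)"
)


def parse_ikev2_stats(text: str) -> Dict[str, int]:
    """Turn the counter lines of 'show crypto ikev2 stats' into a name -> value dict."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def parse_ikev2_sa_policy(text: str) -> Dict[str, object]:
    """Extract the negotiated IKE SA policy (first SA found) from 'show crypto ikev2 sa'."""
    m = _POLICY_RE.search(text)
    if not m:
        raise ValueError("no negotiated IKEv2 policy line found")
    return {
        "encr": m.group(1).strip(),
        "keysize": int(m.group(2)),
        "hash": m.group(3).strip(),
        "dh_group": int(m.group(4)),
        "auth_sign": m.group(5).strip(),
        "auth_verify": m.group(6).strip(),
    }


def policy_mismatches(negotiated: Dict[str, object], expected: Dict[str, object]) -> List[str]:
    """List every attribute where what the ASA negotiated differs from what the client should offer."""
    return [
        f"{key}: negotiated {negotiated.get(key)}, expected {value}"
        for key, value in expected.items()
        if negotiated.get(key) != value
    ]


def remote_init_failure_ratio(counters: Dict[str, int]) -> float:
    """Fraction of remotely initiated IKEv2 SAs (i.e. client connections) that failed."""
    ok = counters.get("SAs Remotely Initiated", 0)
    failed = counters.get("SAs Remotely Initiated Failed", 0)
    total = ok + failed
    return failed / total if total else 0.0


def ikev2_health_warnings(counters: Dict[str, int]) -> List[str]:
    """Point out the counters a defender would chase first when clients cannot negotiate."""
    warnings: List[str] = []
    if remote_init_failure_ratio(counters) > 0.5:
        warnings.append("more remotely initiated SAs fail than succeed: check proposals and client policy")
    if counters.get("Authentication Failures", 0):
        warnings.append(f"{counters['Authentication Failures']} authentication failures: check EAP/AAA and certificates")
    if counters.get("Out Configs Rejects", 0):
        warnings.append(f"{counters['Out Configs Rejects']} config-mode rejects: check address pool and group policy")
    return warnings


if __name__ == "__main__":
    stats = parse_ikev2_stats(SAMPLE_IKEV2_STATS)
    policy = parse_ikev2_sa_policy(SAMPLE_IKEV2_SA)
    print("negotiated:", policy)
    print("mismatches vs. a DH group 19 client proposal:",
          policy_mismatches(policy, {"dh_group": 19}))
    for w in ikev2_health_warnings(stats):
        print("WARNING:", w)
```

Feed it the raw output of the two show commands and compare the negotiated line with the crypto settings of the AnyConnect profile that fails; a non-empty mismatch list names the attribute to look at, and a failure ratio above one half on a responder-only firewall (note "SAs Locally Initiated: 0" in the thread) means most incoming clients never finish negotiation.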
03-15-2023 08:26 AM
04-19-2023 07:45 AM
@MHM Cisco World My issue is now resolved. I needed to disable AnyConnect Essentials as explained in another forum: