IKEv2 VPN Failing

KGrev
Level 4

Hi,

***********This is technically a branching post from another thread but that thread originally had a different subject and morphed a few times as things were being explained to me by the Pros.*********

I'm trying to connect an AnyConnect client with IPsec.

The connection fails and says it could not find a matching policy.

I believe I have matching policies though.

Attached is a Word doc that shows ASA debug with the failure.

I'm trying to use Cisco AnyConnect 4.10. We are coming from 4.6 with a profile on devices that asks for IPsec and connects without issue. If we move that profile to the 4.10 device or use Profile Editor to make a new profile, the 4.10 device fails on IKEv2.

Here are profile and proposal images from ASDM.

Any assistance is greatly appreciated!


I need to see the config on both sides.
Please share the CLI config.

@MHM Cisco World Thanks for your response. That would need to be a last resort. I'd have to go through a chain of people to get it approved, but I can show results of "show" commands with some minor editing if you would like to see certain things.

Sure.
show crypto ipsec sa

show crypto ikev2
For both sides is enough.

@MHM Cisco World Here you go.

FW1-EXT/pri/act# show crypto ipsec sa
interface: Outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65000, local addr: A.B.0.114

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (A.B.242.46/255.255.255.255/0/0)
current_peer: 10.255.251.23, username: edwin.mckinney.sa
dynamic allocated peer ip: A.B.242.46
dynamic allocated peer ip(ipv6): 0.0.0.0

#pkts encaps: 16385, #pkts encrypt: 16385, #pkts digest: 16385
#pkts decaps: 13964, #pkts decrypt: 13964, #pkts verify: 13964
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16385, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 2

local crypto endpt.: A.B.0.114/4500, remote crypto endpt.: 10.255.251.23/49668
path mtu 1472, ipsec overhead 66(52), override mtu 1406, media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 78DCFB41
current inbound spi : 001F4E1A

inbound esp sas:
spi: 0x001F4E1A (2051610)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 72460, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26018
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x78DCFB41 (2027748161)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 72460, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26018
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

FW1-EXT/pri/act# show crypto ik
FW1-EXT/pri/act# show crypto ikev2
ERROR: % Incomplete command
FW1-EXT/pri/act# show crypto ikev2 ?

sa Show IKEv2 sas
stats Show IKEv2 statistics
FW1-EXT/pri/act# show crypto ikev2 sa

IKEv2 SAs:

Session-id:12810, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
1492230597 A.B.0.114/4500 10.255.251.23/49668 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: EAP
Life/Active Time: 86400/2811 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector A.B.242.46/0 - A.B.242.46/65535
ESP spi in/out: 0x1f4e1a/0x78dcfb41
FW1-EXT/pri/act# show crypto ikev2 stat
FW1-EXT/pri/act# show crypto ikev2 stats

Global IKEv2 Statistics
Active Tunnels: 1
Previous Tunnels: 13399
In Octets: 615285087
In Packets: 5957204
In Drop Packets: 0
In Drop Fragments: 140
In Notifys: 168146
In P2 Exchange: 5712273
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 20
In IPSEC Delete: 0
In IKE Delete: 2561
Out Octets: 725894100
Out Packets: 5940920
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 99036
Out P2 Exchange: 5848400
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 3341
Out IPSEC Delete: 3341
Out IKE Delete: 733
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 15801
SAs Remotely Initiated Failed: 19335
System Capacity Failures: 0
Authentication Failures: 2989
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 21338
In Configs: 47847
Out Configs: 12790
In Configs Rejects: 0
Out Configs Rejects: 56
Previous Tunnels: 13399
Previous Tunnels Wraps: 0
In DPD Messages: 5698395
Out DPD Messages: 5705438
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 592
IKE Rekey Remotely Initiated: 0
Locally Initiated IKE Rekey Rejected: 0
Remotely Initiated IKE Rekey Rejected: 0
CHILD Rekey Locally Initiated: 6685
CHILD Rekey Remotely Initiated: 0

IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 20000
Cookie Challenge Threshold: 10000
Active SAs: 1
In-Negotiation SAs: 0
In-Negotiation SAs High water mark: 16
Incoming Requests: 32147
Incoming Requests Accepted: 32147
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
FW1-EXT/pri/act#
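
As an added example (not something posted in this thread, and not Cisco tooling): a small Python script that parses the "show crypto ikev2 sa" and "show crypto ikev2 stats" output above and pulls out what an operator checks when remote clients report "no matching policy": the parameters the ASA actually negotiated for the one working tunnel, and the failure counters (remotely initiated SAs that failed, authentication failures, invalid SPIs, P2 rejects). The sample text is a subset copied from the output in this reply; the failure-ratio threshold and the list of legacy DH groups are this example's own assumptions, not something the ASA reports.

```python
"""Parse ASA 'show crypto ikev2 sa' / 'show crypto ikev2 stats' output and
flag the values worth a second look when AnyConnect IKEv2 clients fail.
Added example: the sample output is copied from the thread; the thresholds
and the DH-group check are this example's own assumptions."""
import re
from dataclasses import dataclass

# Subset of the 'show crypto ikev2 sa' output posted in the thread.
SAMPLE_SA = """IKEv2 SAs:

Session-id:12810, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
1492230597 A.B.0.114/4500 10.255.251.23/49668 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: EAP
Life/Active Time: 86400/2811 sec
"""

# Subset of the 'show crypto ikev2 stats' counters posted in the thread.
SAMPLE_STATS = """Global IKEv2 Statistics
Active Tunnels: 1
SAs Remotely Initiated: 15801
SAs Remotely Initiated Failed: 19335
Authentication Failures: 2989
Invalid SPI: 21338
Out P2 Exchange Rejects: 3341
Max Active SAs: No Limit
"""


@dataclass
class IkeSa:
    tunnel_id: int
    local: str
    remote: str
    status: str
    role: str
    encr: str = ""
    keysize: int = 0
    hash_alg: str = ""
    dh_group: int = 0
    auth_sign: str = ""
    auth_verify: str = ""


# A tunnel line is five whitespace-separated fields starting with the numeric Tunnel-id.
TUNNEL_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# The parameter line that follows each tunnel line.
PARAMS_RE = re.compile(
    r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*Hash:\s*(\S+),\s*DH Grp:\s*(\d+),"
    r"\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")


def parse_ikev2_sa(text: str) -> list[IkeSa]:
    """Return one IkeSa per tunnel, filled in from the parameter line that follows it."""
    sas: list[IkeSa] = []
    for line in text.splitlines():
        m = TUNNEL_RE.match(line.strip())
        if m:
            sas.append(IkeSa(int(m[1]), m[2], m[3], m[4], m[5]))
            continue
        m = PARAMS_RE.search(line)
        if m and sas:
            sa = sas[-1]
            sa.encr, sa.keysize, sa.hash_alg = m[1], int(m[2]), m[3]
            sa.dh_group, sa.auth_sign, sa.auth_verify = int(m[4]), m[5], m[6]
    return sas


def parse_ikev2_stats(text: str) -> dict[str, int]:
    """Collect 'Name: integer' counters; non-numeric values such as 'No Limit' are skipped."""
    stats: dict[str, int] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            stats[name.strip()] = int(value.strip())
    return stats


# Assumption: DH groups 1, 2 and 5 are below current key-strength recommendations.
LEGACY_DH_GROUPS = {1, 2, 5}


def weak_parameters(sa: IkeSa) -> list[str]:
    """Flag negotiated parameters that a policy review would want replaced."""
    findings = []
    if sa.dh_group in LEGACY_DH_GROUPS:
        findings.append(f"DH group {sa.dh_group} is a legacy group")
    if sa.hash_alg.upper() in {"MD5", "SHA1", "SHA"}:
        findings.append(f"integrity algorithm {sa.hash_alg} is deprecated")
    return findings


def assess_stats(stats: dict[str, int], fail_ratio_threshold: float = 0.25) -> dict[str, float]:
    """Derive the indicators an operator checks when remote clients cannot negotiate."""
    findings: dict[str, float] = {}
    ok = stats.get("SAs Remotely Initiated", 0)
    failed = stats.get("SAs Remotely Initiated Failed", 0)
    if ok + failed:
        ratio = failed / (ok + failed)  # share of remote negotiations that failed
        if ratio >= fail_ratio_threshold:  # threshold is an assumption of this example
            findings["remote_sa_failure_ratio"] = ratio
    for key in ("Authentication Failures", "Invalid SPI", "Out P2 Exchange Rejects"):
        if stats.get(key, 0) > 0:
            findings[key.lower().replace(" ", "_")] = stats[key]
    return findings


if __name__ == "__main__":
    for sa in parse_ikev2_sa(SAMPLE_SA):
        print(sa, weak_parameters(sa))
    print(assess_stats(parse_ikev2_stats(SAMPLE_STATS)))
```

Run against the output in this reply it shows one working tunnel negotiated with AES-CBC-256 / SHA256 / DH group 5 and EAP client auth, and a remote-negotiation failure share above one half with thousands of authentication failures and invalid-SPI events, which is what you would expect to see while a population of clients keeps proposing something the headend will not accept. The counters are cumulative since the last clear, so compare two samples taken some minutes apart rather than reading the absolute numbers.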

KGrev
Level 4

@MHM Cisco World I got the config file ready. Took out the non-important material. (Attached)

@MHM Cisco World My issue is now resolved. I needed to disable AnyConnect Essentials, as explained in another forum:

https://community.cisco.com/t5/vpn/how-does-the-anyconnect-client-decide-its-proposals/m-p/4812203#M288678