09-04-2019 10:04 AM - edited 02-21-2020 09:44 PM
Hi Guys,
I'm trying to bring up the IPsec tunnel between a Cisco ASR1K and an SRX. I can see Phase 1 & 2 negotiated successfully, but the Cisco ASA is sending a DELETE payload after getting the error "create_ipsec_sa_by_qmv2 got error".
Does anyone have any idea what this error means?
*Sep 4 17:55:21.297 bst: [Session]: issue insert_peer
*Sep 4 17:55:21.297 bst: [Session]: request insert_peer succeeded
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Allocate Sibling
*Sep 4 17:55:21.297 bst: [Sibling]: state = Sibling Initialization
*Sep 4 17:55:21.297 bst: IKEv2-INTERNAL:KMI message 8 consumed. No action taken.
*Sep 4 17:55:21.297 bst: IKEv2-INTERNAL:KMI message 12 consumed. No action taken.
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Create In/Outbound SAs
*Sep 4 17:55:21.297 bst: [Ident 80000002]: issue create_ipsec_sa_by_qmv2
*Sep 4 17:55:21.297 bst: [Ident 80000002]: request create_ipsec_sa_by_qmv2 got error
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Error: delete SAs
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Error, deleting the sibling
*Sep 4 17:55:21.297 bst: [Ident 80000002] -> [Sibling]: message Message - Cleanup Destroy Sibling
*Sep 4 17:55:21.297 bst: [Sibling]: message = Message - Cleanup Destroy Sibling
*Sep 4 17:55:21.297 bst: [Sibling]: state = Free flow stats
*Sep 4 17:55:21.297 bst: [Sibling]: state = Notify Ident
09-03-2021 06:39 AM
IPSec data plane support for the Suite-B transforms is only available on the following ASR1000 platforms: ASR1001-X, ASR1001-HX, ASR1002-X, ASR1002-HX, and ASR1006 or ASR1013 with an ESP-100 or ESP-200 module. If Suite-B transforms are configured on unsupported platforms, IPSec tunnel establishment will fail. This problem typically manifests itself with a symptom of tunnel getting established initially but immediately getting torn down, and this pattern repeats. For GETVPN the Group Member will continuously try to re-register with the Key Server if the policy consists of Suite-B algorithms. For more details please see: IOS and IOS-XE NGE Support Product Tech Note
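The symptom described above (child SA requested, data-plane install fails, SAs deleted, then the whole thing repeats) is easy to miss by eye in a long IKEv2 debug. The following is an added example, not code from the thread or from Cisco: it groups the ASR's "[Ident ...]" debug lines by child-SA identifier, classifies how each negotiation ended, and flags the establish/tear-down loop. The sample log is constructed: the first attempt is the original post's Ident 80000002 lines, the later attempts (Idents 80000003 and 80000004) and the "request create_ipsec_sa_by_qmv2 succeeded" wording are assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. Attempt 1 is taken from the original post; attempts 2 and 3
# (Idents 80000003/80000004, and the "succeeded" wording) are assumed, not observed.
SAMPLE_DEBUG = """\
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Create In/Outbound SAs
*Sep 4 17:55:21.297 bst: [Ident 80000002]: issue create_ipsec_sa_by_qmv2
*Sep 4 17:55:21.297 bst: [Ident 80000002]: request create_ipsec_sa_by_qmv2 got error
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Error: delete SAs
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Error, deleting the sibling
*Sep 4 17:55:51.301 bst: [Ident 80000003]: state = Create In/Outbound SAs
*Sep 4 17:55:51.301 bst: [Ident 80000003]: issue create_ipsec_sa_by_qmv2
*Sep 4 17:55:51.301 bst: [Ident 80000003]: request create_ipsec_sa_by_qmv2 got error
*Sep 4 17:55:51.301 bst: [Ident 80000003]: state = Error: delete SAs
*Sep 4 17:56:21.305 bst: [Ident 80000004]: state = Create In/Outbound SAs
*Sep 4 17:56:21.305 bst: [Ident 80000004]: issue create_ipsec_sa_by_qmv2
*Sep 4 17:56:21.305 bst: [Ident 80000004]: request create_ipsec_sa_by_qmv2 succeeded
"""

# Matches the per-child-SA debug lines, e.g.
# "*Sep 4 17:55:21.297 bst: [Ident 80000002]: request create_ipsec_sa_by_qmv2 got error"
IDENT_LINE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+) \w+: "
    r"\[Ident (?P<ident>[0-9A-Fa-f]+)\]: (?P<msg>.*)$"
)


def parse_ident_events(text):
    """Group the [Ident ...] debug lines by IKEv2 child-SA identifier."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = IDENT_LINE.match(line.strip())
        if not m:
            continue  # [Session], [Sibling] and KMI lines are not per-Ident; skip them
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f")
        events[m["ident"]].append((ts, m["msg"]))
    return dict(events)


def classify_session(msgs):
    """Return how one Ident's child-SA negotiation ended.

    'sa_install_failed': the state machine asked the data plane for IPsec SAs
                         (create_ipsec_sa_by_qmv2), got an error and moved to
                         'Error: delete SAs' -- the pattern in the original post.
    'sa_installed'     : the request succeeded (assumed wording).
    'incomplete'       : no result for the request was seen.
    """
    text = "\n".join(msgs)
    if "create_ipsec_sa_by_qmv2 got error" in text and "state = Error: delete SAs" in text:
        return "sa_install_failed"
    if "create_ipsec_sa_by_qmv2 succeeded" in text:
        return "sa_installed"
    return "incomplete"


def find_flapping(text, min_failures=2, window_seconds=120):
    """Summarise per-Ident outcomes and flag repeated failed SA installs.

    The tunnel is reported as flapping when at least min_failures child-SA
    negotiations failed at the data-plane install step within window_seconds.
    """
    sessions = parse_ident_events(text)
    outcomes = {}
    failure_times = []
    for ident, evs in sessions.items():
        evs.sort()
        outcome = classify_session([m for _, m in evs])
        outcomes[ident] = outcome
        if outcome == "sa_install_failed":
            failure_times.append(evs[0][0])
    failure_times.sort()
    flapping = False
    for i in range(len(failure_times) - min_failures + 1):
        span = (failure_times[i + min_failures - 1] - failure_times[i]).total_seconds()
        if span <= window_seconds:
            flapping = True
            break
    return {"outcomes": outcomes, "failed": len(failure_times), "flapping": flapping}


if __name__ == "__main__":
    summary = find_flapping(SAMPLE_DEBUG)
    for ident, outcome in summary["outcomes"].items():
        print(f"Ident {ident}: {outcome}")
    print(f"failed installs: {summary['failed']}, flapping: {summary['flapping']}")
```

On a real box, feed it the output of the ASR's IKEv2 debug (for example the text you copied out of the terminal or `show logging`); only lines carrying an "[Ident ...]" tag are considered, so the noisier session and sibling lines do not need to be filtered first. A run of "sa_install_failed" outcomes with the same error points at the data-plane SA install (transform support on the platform, as the reply above describes, or a Phase 2 proposal the hardware cannot program) rather than at IKE authentication, which has already completed by that point.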
09-05-2021 03:46 AM
Ideally, get some debug output from the ASA and from the ASR.
It could be due to the PFS value not being defined on Phase 2, or the values mismatching. If PFS values are defined, then try changing the value to a lower one and work it out from there.
Also take the logs from both the ASR and the ASA.
For the ASR:
ip access-list extended VPNCAP
 permit ip host x.x.x.x host y.y.y.y
 permit ip host y.y.y.y host x.x.x.x
!
monitor capture mycap access-list VPNCAP
monitor capture mycap limit duration 1000
monitor capture mycap interface GigabitEthernet 0/0/1 both   (Internet-facing interface)
monitor capture mycap buffer circular size ---
monitor capture mycap start
monitor capture mycap stop
monitor capture mycap export tftp://b.b.b.b/mycap.pcap
On the ASA:
capture VPNCAP type isakmp interface outside match ip host x.x.x.x host y.y.y.y
debug crypto condition peer x.x.x.x
debug crypto ikev2 platform 127
debug crypto ikev2 protocol 127
debug crypto ipsec 127
!
logging buffer-size 248
logging monitor debugging
copy /pcap capture:<capture-name> tftp://<server-ip-address>
could you please share the pcap file to have look what is happening.