IPSec P2P tunnel between CISCO ASR1000 to SRX1500 not coming up

murali.n
Level 1

Hi Guys,

I'm trying to bring up the IPsec tunnel between Cisco ASR1K and SRX. I could see Phase 1 & 2 negotiated successfully, but the Cisco ASA is sending a DELETE payload after getting the error "create_ipsec_sa_by_qmv2 got error".

Does anyone have any idea what this error means?

 

*Sep 4 17:55:21.297 bst: [Session]: issue insert_peer
*Sep 4 17:55:21.297 bst: [Session]: request insert_peer succeeded
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Allocate Sibling
*Sep 4 17:55:21.297 bst: [Sibling]: state = Sibling Initialization
*Sep 4 17:55:21.297 bst: IKEv2-INTERNAL:KMI message 8 consumed. No action taken.
*Sep 4 17:55:21.297 bst: IKEv2-INTERNAL:KMI message 12 consumed. No action taken.
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Create In/Outbound SAs
*Sep 4 17:55:21.297 bst: [Ident 80000002]: issue create_ipsec_sa_by_qmv2
*Sep 4 17:55:21.297 bst: [Ident 80000002]: request create_ipsec_sa_by_qmv2 got error
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Error: delete SAs
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Error, deleting the sibling
*Sep 4 17:55:21.297 bst: [Ident 80000002] -> [Sibling]: message Message - Cleanup Destroy Sibling
*Sep 4 17:55:21.297 bst: [Sibling]: message = Message - Cleanup Destroy Sibling
*Sep 4 17:55:21.297 bst: [Sibling]: state = Free flow stats
*Sep 4 17:55:21.297 bst: [Sibling]: state = Notify Ident


Whoops
Level 1
IPSec data plane support for the Suite-B transforms is only available on the following ASR1000 platforms: ASR1001-X, ASR1001-HX, ASR1002-X, ASR1002-HX, and ASR1006 or ASR1013 with an ESP-100 or ESP-200 module. If Suite-B transforms are configured on unsupported platforms, IPSec tunnel establishment will fail. This problem typically manifests itself with a symptom of tunnel getting established initially but immediately getting torn down, and this pattern repeats. For GETVPN the Group Member will continuously try to re-register with the Key Server if the policy consists of Suite-B algorithms.

For more details please see: IOS and IOS-XE NGE Support Product Tech Note
Check your IPsec configuration (transform-set) for SHA2. Some ASRs support only SHA1.

Ideally, get some debug output from the ASA and from the ASR.

 

Could be due to the PFS value not being defined on Phase 2, or the values mismatching. If PFS values are defined, then try changing the value to a lower one and work it out from there.

 

Also take the logs from both the ASR and the ASA.

For the ASR:

 

ip access-list extended VPNCAP
 permit ip host x.x.x.x host y.y.y.y
 permit ip host y.y.y.y host x.x.x.x
!
monitor capture mycap access-list VPNCAP
monitor capture mycap limit duration 1000
! GigabitEthernet 0/0/1 is the Internet-facing interface
monitor capture mycap interface GigabitEthernet 0/0/1 both
monitor capture mycap buffer circular size ---
monitor capture mycap start
monitor capture mycap stop
monitor capture mycap export tftp://b.b.b.b/mycap.pcap

 

On the ASA:

 

capture VPNCAP type isakmp interface outside match ip host x.x.x.x host y.y.y.y

debug crypto condition peer x.x.x.x
debug crypto ikev2 platform 127
debug crypto ikev2 protocol 127
debug crypto ipsec 127
!
logging buffer-size 248
logging monitor debugging
copy /pcap capture:<capture-name> tftp://<server-ip-address>

Could you please share the pcap file so we can have a look at what is happening?

 

Please do not forget to rate.
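When the IKEv2 debug output is collected as suggested above, the useful signal is which request failed, which state the negotiation was in when it was issued, and which Error states followed it. The script below is an added example (not code from the original posts or from Cisco) that parses the debug line format shown in the question and reports exactly that; the embedded sample log is constructed from the lines quoted in the question.

```python
import re

# Constructed sample: the IKEv2 debug lines quoted in the question above.
SAMPLE_LOG = """\
*Sep 4 17:55:21.297 bst: IKEv2-INTERNAL:KMI message 8 consumed. No action taken.
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Create In/Outbound SAs
*Sep 4 17:55:21.297 bst: [Ident 80000002]: issue create_ipsec_sa_by_qmv2
*Sep 4 17:55:21.297 bst: [Ident 80000002]: request create_ipsec_sa_by_qmv2 got error
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Error: delete SAs
*Sep 4 17:55:21.297 bst: [Ident 80000002]: state = Error, deleting the sibling
*Sep 4 17:55:21.297 bst: [Ident 80000002] -> [Sibling]: message Message - Cleanup Destroy Sibling
*Sep 4 17:55:21.297 bst: [Sibling]: state = Free flow stats
"""

# Line shape: "*<mon> <day> <time> <tz>: [<actor>]( -> [<target>])?: <event>".
# IKEv2-INTERNAL lines carry no bracketed actor, so that part is optional.
LINE_RE = re.compile(
    r"^\*(?P<ts>[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d\.\d+ \S+): "
    r"(?:\[(?P<actor>[^\]]+)\](?: -> \[[^\]]+\])?: )?(?P<event>.+)$"
)
REQUEST_RE = re.compile(r"^request (?P<name>\S+) (?P<result>succeeded|got error)$")


def parse_ikev2_debug(text):
    """Turn raw debug output into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": m["ts"], "actor": m["actor"] or "", "event": m["event"]})
    return records


def find_failed_requests(records):
    """Report each 'request ... got error' with the issuing state and the Error states after it."""
    last_state, failures = {}, []
    for rec in records:
        actor, event = rec["actor"], rec["event"]
        if event.startswith("state = "):
            state = event[len("state = "):]
            last_state[actor] = state
            if state.startswith("Error"):  # attach only to open failures of this actor
                for f in (f for f in failures if f["actor"] == actor):
                    f["error_states"].append(state)
            continue
        m = REQUEST_RE.match(event)
        if m and m["result"] == "got error":
            failures.append({"ts": rec["ts"], "actor": actor, "request": m["name"],
                             "failed_in_state": last_state.get(actor, ""), "error_states": []})
    return failures
```

Run against the sample it reports one failure, create_ipsec_sa_by_qmv2 issued from the "Create In/Outbound SAs" state, which is the child-SA installation step after a successful IKE exchange; that is consistent with the transform-set and PFS mismatches discussed in the replies rather than a Phase 1 authentication problem.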