Ipsec phase 1 and 2 established but no data transmitted

michal2
Level 1

Hello,

I would like to ask for your help to solve my issue with an IPsec tunnel.

According to the debugs the tunnel is established, but no data are transmitted.

In encaps it is visible that some packets were sent, but in decaps no packets were received back, or just some of them.

On the edge router there is only port forwarding to the router behind it, with PAT enabled.

For some days this configuration was running, but then some packets started to drop and eventually no traffic was transmitted.

Once it helped me to solve the problem when I shut down the whole tunnel interface and brought it up again, but not anymore.

Config of both routers is attached. Thank you in advance for any help.

[Image: Ipsec topology]

 

###################################################################################
R1
version 17.6
!
crypto ikev2 proposal WEBUI-PROPOSAL-Tunnel1
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 14 15 16 5
!
crypto ikev2 policy WEBUI-POLICY
match fvrf any
proposal WEBUI-PROPOSAL-Tunnel1
!
crypto ikev2 keyring WEBUI-KEYS
peer WEBUI-PEER-x.x.x.x
description KEY-PEER-x.x.x.x
address x.x.x.74 255.255.255.0
pre-shared-key xxxxxx
!
!
!
crypto ikev2 profile WEBUI-IKEV2-PROFILE
match fvrf any
match address local 192.168.5.2
match identity remote address 192.168.216.0 255.255.255.0
match identity remote address 192.168.215.3 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local WEBUI-KEYS
dpd 20 5 periodic
!
crypto ikev2 nat keepalive 900
crypto ikev2 dpd 10 5 periodic
!
!
!
!
class-map match-all RealTimeTraffic3_AVC_UI_CLASS
description RealTimeTraffic3_AVC_UI_CLASS UI_policy_DO_NOT_CHANGE
match protocol attribute category voice-and-video
class-map match-all RealTimeTraffic2_AVC_UI_CLASS
description RealTimeTraffic2_AVC_UI_CLASS UI_policy_DO_NOT_CHANGE
match protocol attribute category voice-and-video
class-map match-all RealTimeTraffic1_AVC_UI_CLASS
description RealTimeTraffic1_AVC_UI_CLASS UI_policy_DO_NOT_CHANGE
match protocol attribute category voice-and-video
!
policy-map RealTimeTraffic
description audio,video,share
class RealTimeTraffic1_AVC_UI_CLASS
set dscp af41
police cir 5000000
conform-action transmit
exceed-action drop
class RealTimeTraffic2_AVC_UI_CLASS
set dscp cs2
police cir 5000000
conform-action transmit
exceed-action drop
class RealTimeTraffic3_AVC_UI_CLASS
set dscp ef
police cir 3000000
conform-action transmit
exceed-action drop
class class-default
set dscp default
!
zone security INSIDE
zone security OUTSIDE
!
crypto logging ikev2
!
!
!
!
!
!
crypto ipsec transform-set WEBUI-TS-Tunnel1 esp-aes 192 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile WEBUI-IPSEC-PROFILE-Tunnel1
set transform-set WEBUI-TS-Tunnel1
set ikev2-profile WEBUI-IKEV2-PROFILE
!
!
!
!
!
!
!
!
!
!
interface Tunnel1
bandwidth 4000
ip address 192.168.40.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination x.x.x.74
tunnel path-mtu-discovery
tunnel protection ipsec profile WEBUI-IPSEC-PROFILE-Tunnel1
!
interface GigabitEthernet0/0/0
description DMZ
ip address 192.168.5.2 255.255.255.0
ip nbar protocol-discovery
ip nat outside
negotiation auto
spanning-tree portfast disable
service-policy input RealTimeTraffic
service-policy output RealTimeTraffic
!
interface GigabitEthernet0/0/1
description LAN Network
ip address 192.168.15.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0
description MANAGEMENT interface
vrf forwarding Mgmt-intf
ip address 192.168.10.50 255.255.255.0
negotiation auto
!
ip http server
ip http port 8085
ip http access-class ipv4 WAN-ACCESS-SERVICES
ip http authentication local
ip http secure-server
ip http secure-trustpoint TP-self-signed-2962201196
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0
ip nat inside source list LocalLAN-NAT-VPN interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 192.168.5.1
ip route 192.168.18.0 255.255.255.0 192.168.15.250 2
ip route 192.168.216.0 255.255.255.0 Tunnel1
ip ssh version 2
!
!
ip access-list standard WAN-ACCESS-SERVICES
20 permit 192.168.10.0 0.0.0.255
30 permit 192.168.15.0 0.0.0.255
!
ip access-list extended LocalLAN-NAT-VPN
10 deny ip 192.168.15.0 0.0.0.255 192.168.216.0 0.0.0.255 log
20 permit ip 192.168.15.0 0.0.0.255 any log
ip access-list extended WAN-ACCESS-IN
7 permit icmp 192.168.5.0 0.0.0.255 any
8 permit icmp 192.168.15.0 0.0.0.255 any
10 deny icmp any any
20 permit ip any any
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
logging synchronous
login local
stopbits 1
line aux 0
login local
line vty 0 4
access-class WAN-ACCESS-SERVICES in
exec-timeout 120 0
logging synchronous
login local
length 0
transport input ssh
line vty 5 15
access-class WAN-ACCESS-SERVICES in
exec-timeout 120 0
logging synchronous
login local
length 0
transport input ssh
!
end


show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.5.2/4500 x.x.x.74/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/79058 sec
CE id: 14696, Session-id: 67
Status Description: Negotiation done
Local spi: 5198EE8178D75863 Remote spi: 110D528095AB31B3
Local id: 192.168.5.2
Remote id: 192.168.215.3
Local req msg id: 3978 Remote req msg id: 3968
Local next msg id: 3978 Remote next msg id: 3968
Local req queued: 3978 Remote req queued: 3968
Local window: 5 Remote window: 5
DPD configured for 20 seconds, retry 5
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : No

IPv6 Crypto IKEv2 SA

show crypto ipsec sa detail

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.5.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.x port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15413, #pkts encrypt: 15413, #pkts digest: 15413
#pkts decaps: 2504, #pkts decrypt: 2504, #pkts verify: 2504
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 192.168.5.2, remote crypto endpt.: x.x.x.74
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0xE4B680B9(3837165753)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xB1A55732(2980402994)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2841, flow_id: ESG:841, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607995/2802)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xE4B680B9(3837165753)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2842, flow_id: ESG:842, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607984/2802)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

show interfaces tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.40.2/30
MTU 9922 bytes, BW 4000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 192.168.5.2 (GigabitEthernet0/0/0), destination x.x.x.74
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0/0
Set of tunnels with source GigabitEthernet0/0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Path MTU Discovery, ager 10 mins, min MTU 92
Tunnel transport MTU 1422 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "WEBUI-IPSEC-PROFILE-Tunnel1")
Last input 1w5d, output 18:35:31, output hang never
Last clearing of "show interface" counters 1w2d
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
572961 packets input, 207391130 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
798744 packets output, 197107604 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
###############################################################################################################

R4

version 17.3
!
crypto ikev2 proposal WEBUI-PROPOSAL-Tunnel1
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 14 15 16 5
!
crypto ikev2 policy WEBUI-POLICY
match fvrf any
proposal WEBUI-PROPOSAL-Tunnel1
!
crypto ikev2 keyring WEBUI-KEYS
peer WEBUI-PEER-x.x.x.210
description KEY-PEER-x.x.x.210
address x.x.x.210 255.255.255.0
pre-shared-key xxxxxx
!
!
!
crypto ikev2 profile WEBUI-IKEV2-PROFILE
match fvrf any
match address local 192.168.215.3
match identity remote address 192.168.15.0 255.255.255.0
match identity remote address 192.168.5.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local WEBUI-KEYS
dpd 20 5 periodic
!
crypto ikev2 nat keepalive 900
crypto ikev2 dpd 10 5 periodic
!
!
crypto ipsec transform-set WEBUI-TS-Tunnel1 esp-aes 192 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile WEBUI-IPSEC-PROFILE-Tunnel1
set transform-set WEBUI-TS-Tunnel1
set ikev2-profile WEBUI-IKEV2-PROFILE
!
!
interface Tunnel1
bandwidth 4000
ip address 192.168.40.1 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination x.x.x.210
tunnel path-mtu-discovery
tunnel protection ipsec profile WEBUI-IPSEC-PROFILE-Tunnel1
!
interface GigabitEthernet0/0/0
description WAN
ip address 192.168.215.3 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN
ip address 192.168.216.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0
description MANAGEMENT interface
vrf forwarding Mgmt-intf
ip address 192.168.10.51 255.255.255.0
negotiation auto
!
ip http server
ip http access-class ipv4 WAN-ACCESS-SERVICES
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0
ip nat inside source list LocalLAN-NAT-VPN interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 192.168.215.1
ip route 192.168.15.0 255.255.255.0 Tunnel1
ip ssh version 2
!
!
ip access-list standard LocalLAN_SSH
10 permit 192.168.25.0 0.0.0.255
ip access-list standard WAN-ACCESS-SERVICES
10 permit 192.168.216.0 0.0.0.255
20 permit 192.168.10.0 0.0.0.255
30 permit 192.168.15.0 0.0.0.255
!
ip access-list extended LocalLAN-NAT-VPN
10 deny ip 192.168.216.0 0.0.0.255 192.168.15.0 0.0.0.255 log
20 permit ip 192.168.216.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
10 permit ip 192.168.25.0 0.0.0.255 192.168.24.0 0.0.0.255
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
login local
stopbits 1
line aux 0
login local
stopbits 1
line vty 0 4
access-class WAN-ACCESS-SERVICES in
exec-timeout 120 0
login local
length 0
transport input ssh
line vty 5 15
access-class WAN-ACCESS-SERVICES in
exec-timeout 120 0
login local
length 0
transport input ssh
!
!
end

show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.215.3/4500 x.x.x.210/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/2696 sec
CE id: 14704, Session-id: 2180
Status Description: Negotiation done
Local spi: 90D0964441D56294 Remote spi: 0568FDBF46E0F0B5
Local id: 192.168.215.3
Remote id: 192.168.5.2
Local req msg id: 136 Remote req msg id: 134
Local next msg id: 136 Remote next msg id: 134
Local req queued: 136 Remote req queued: 134
Local window: 5 Remote window: 5
DPD configured for 20 seconds, retry 5
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA

show crypto ipsec sa detail

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.215.3

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.210 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4526, #pkts encrypt: 4526, #pkts digest: 4526
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 192.168.215.3, remote crypto endpt.: x.x.x.210
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x6D34DAE(114511278)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x97579D60(2539101536)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 7066, flow_id: ESG:5066, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/869)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6D34DAE(114511278)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 7065, flow_id: ESG:5065, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607990/869)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

show interfaces tunnel1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.40.1/30
MTU 9922 bytes, BW 4000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 192.168.215.3 (GigabitEthernet0/0/0), destination x.x.x.210
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0/0
Set of tunnels with source GigabitEthernet0/0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Path MTU Discovery, ager 10 mins, min MTU 92
Tunnel transport MTU 1422 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "WEBUI-IPSEC-PROFILE-Tunnel1")
Last input 2d04h, output 01:25:22, output hang never
Last clearing of "show interface" counters 2w0d
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
17324464 packets input, 9178722647 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
10095527 packets output, 884707879 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

28 Replies

There it is:

Your specified command is not in my IOS, so I used show crypto ipsec sa detail

R1
#show crypto ipsec sa detail

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.5.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.74 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2791, #pkts encrypt: 2791, #pkts digest: 2791
#pkts decaps: 991, #pkts decrypt: 991, #pkts verify: 991
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 192.168.5.2, remote crypto endpt.:x.x.x.74
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0xA347EB48(2739399496)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x52A3AF39(1386458937)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3647, flow_id: ESG:1647, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime 7 hours, 22 mins
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xA347EB48(2739399496)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3648, flow_id: ESG:1648, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime 7 hours, 22 mins
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Tunnel1
Profile: WEBUI-IKEV2-PROFILE
Uptime: 00:43:43
Session status: UP-ACTIVE
Peer: x.x.x.74 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.215.3
Desc: (none)
Session ID: 462
IKEv2 SA: local 192.168.5.2/4500 remote x.x.x.74/4500 Active
Capabilities:DNU connid:3 lifetime:23:16:17
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1172 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 16 mins
Outbound: #pkts enc'ed 3237 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 16 mins


R4
show crypto ipsec sa detail

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.215.3

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.210 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 982, #pkts encrypt: 982, #pkts digest: 982
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 192.168.215.3, remote crypto endpt.:x.x.x.210
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x52A3AF39(1386458937)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xA347EB48(2739399496)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 7906, flow_id: ESG:5906, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime 7 hours, 23 mins
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x52A3AF39(1386458937)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 7905, flow_id: ESG:5905, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime 7 hours, 23 mins
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

 

show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Tunnel1
Profile: WEBUI-IKEV2-PROFILE
Uptime: 00:42:44
Session status: UP-ACTIVE
Peer: x.x.x.210 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.5.2
Desc: (none)
Session ID: 2659
IKEv2 SA: local 192.168.215.3/4500 remote x.x.x.210/4500 Active
Capabilities:DNU connid:1 lifetime:23:17:16
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 17 mins
Outbound: #pkts enc'ed 1145 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 17 mins

 

At the moment I cannot even ping the other side, but nothing is dropped according to the statistics

R1

#pkts encaps: 2791, #pkts encrypt: 2791, #pkts digest: 2791
#pkts decaps: 991, #pkts decrypt: 991, #pkts verify: 991

inbound esp sas:
spi: 0x52A3AF39(1386458937)

outbound esp sas:
spi: 0xA347EB48(2739399496)

R4
#pkts encaps: 982, #pkts encrypt: 982, #pkts digest: 982
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 <<- this count is zero, meaning either the R1 encrypted traffic does not pass to R4 or R4 drops the packet before it decrypts it. Ping (at least repeat 100) from the LAN behind R1 to the LAN behind R4 and do show interface tunnel <> to see if the input and output counts increase

outbound esp sas:
spi: 0x52A3AF39(1386458937)

inbound esp sas:
spi: 0xA347EB48(2739399496)

 

Hi,

Unfortunately no, only the output counter is increasing, but no input.

But I have noticed that now, for some reason, R4 is receiving the IKE packet from peer x.x.x.210 on port 22977.

Could it be a problem, and why is it now different from 4500?

R1

Jun 18 07:10:28.952: IKEv2:(SESSION ID = 466,SA ID = 1):Sending DPD/liveness query
Jun 18 07:10:28.952: IKEv2:(SESSION ID = 466,SA ID = 1):Building packet for encryption.
Jun 18 07:10:28.952: IKEv2:(SESSION ID = 466,SA ID = 1):Checking if request will fit in peer window

Jun 18 07:10:28.953: IKEv2:(SESSION ID = 466,SA ID = 1):Sending Packet [To x.x.x.74:4500/From 192.168.5.2:4500/VRF i0:f0]
Initiator SPI : 47DB7D5CE29BAC6D - Responder SPI : AA6B77726A19A09F Message id: 13
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR


Jun 18 07:10:28.971: IKEv2:(SESSION ID = 466,SA ID = 1):Received Packet [From x.x.x.74:4500/To 192.168.5.2:4500/VRF i0:f0]
Initiator SPI : 47DB7D5CE29BAC6D - Responder SPI : AA6B77726A19A09F Message id: 13
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.5.2/4500 x.x.x.74/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/324 sec
CE id: 14819, Session-id: 119
Status Description: Negotiation done
Local spi: AA6B77726A19A09F Remote spi: 47DB7D5CE29BAC6D
Local id: 192.168.5.2
Remote id: 192.168.215.3
Local req msg id: 16 Remote req msg id: 18
Local next msg id: 16 Remote next msg id: 18
Local req queued: 16 Remote req queued: 18
Local window: 5 Remote window: 5
DPD configured for 20 seconds, retry 5
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : No

IPv6 Crypto IKEv2 SA


R4

Jun 18 07:10:28.980: IKEv2:(SESSION ID = 2659,SA ID = 1):Sending DPD/liveness query
Jun 18 07:10:28.980: IKEv2:(SESSION ID = 2659,SA ID = 1):Building packet for encryption.
Jun 18 07:10:28.980: IKEv2:(SESSION ID = 2659,SA ID = 1):Checking if request will fit in peer window

Jun 18 07:10:28.981: IKEv2:(SESSION ID = 2659,SA ID = 1):Sending Packet [To x.x.x.210:4500/From 192.168.215.3:4500/VRF i0:f0]
Initiator SPI : 47DB7D5CE29BAC6D - Responder SPI : AA6B77726A19A09F Message id: 15
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR


Jun 18 07:10:28.999: IKEv2:(SESSION ID = 2659,SA ID = 1):Received Packet [From x.x.x.210:22977/To 192.168.215.3:4500/VRF i0:f0]
Initiator SPI : 47DB7D5CE29BAC6D - Responder SPI : AA6B77726A19A09F Message id: 15
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.215.3/4500 x.x.x.210/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/310 sec
CE id: 14825, Session-id: 2249
Status Description: Negotiation done
Local spi: 47DB7D5CE29BAC6D Remote spi: AA6B77726A19A09F
Local id: 192.168.215.3
Remote id: 192.168.5.2
Local req msg id: 17 Remote req msg id: 15
Local next msg id: 17 Remote next msg id: 15
Local req queued: 17 Remote req queued: 15
Local window: 5 Remote window: 5
DPD configured for 20 seconds, retry 5
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA

 

 

I typed commands:

clear crypto ikev2 sa

clear crypto sa

on both routers, and for now it is able to transfer data even if the source port is different from 4500 (I think it does not have to be; the important thing is that it is directed to port 4500 on the peer side, 192.168.215.3:4500 or 192.168.5.2:4500)

But I do not believe it will be stable, and after some time I will be forced to solve it with similar commands or differently again.

You get it

The port number changing from 4500 to another is surely the issue here

You need to always use the same port 4500

Otherwise R4 will not decrypt the traffic

Why does the port change?

Because you run dynamic PAT, not static PAT 1:1

For IPsec to run, it needs to NAT the private IP to the public IP with the same port.

There is no requirement for the port to be 4500 as such; only the destination port has to be 4500, though a static PAT is better. As long as the dest port is 4500, the initiator behind NAT (on a non-4500 port) can initiate an IKE/IPsec tunnel. Keep in mind that either side can initiate, and it depends on which side succeeds with a full negotiation. You should check if the problem happens after a rekey or when; maybe additional captures and show output may help.

michal2
Level 1

It is acting the same way.

After some time it is not able to pass traffic through the tunnel even if it is all active and up, the SPIs from the peers are matching, there are no errors, no drops, and the SPI lifetime has not expired.

Only clearing the IKEv2 SA helps to establish a new tunnel to pass data, but only for some time.

Can I see how you configured the PAT on R2 and R3?

MHM

Current setup of NAPT (PAT) on both routers is some (necessary) port forwarding.

R2 (not Cisco manufacturer):

source port range is customized from 2049 to 65000
with IPsec ALG enabled

R3 (not Cisco manufacturer):
hardware NAPT enabled
not modified port range

Sorry, that does not work; even if it is not Cisco, it surely supports static PAT.
IPsec with dynamic PAT will not work.

Sorry for this bad news 

MHM

That's bad, but I do not understand why, when the NAT table should record (I don't know for how long) all IP address and port mappings for outgoing and incoming packets.

And in the ACL for PAT I specified not to perform translation for packets going to the VPN networks, in my case network 192.168.15.0/24 and the other peer 192.168.216.0/24.

Friend, without static PAT the router assigns a different port and you will always see drops on IPsec.

There is no other solution.

Sorry 

Goodluck 

MHM

 

ccieexpert
Level 1

If the IKE session comes up and it works, and IPsec is going back and forth and stops working intermittently, something else is going on. There is nothing wrong with PAT; many use PAT for outgoing. Imagine your home router sitting behind an ISP cable modem/router and it's doing PAT. You should focus on running debugs and also taking a packet capture (with a circular buffer of 10-20 MB) and stop the capture when the problem happens. You can have an EEM script that will gather "show crypto ikev2 sa detail" and "show crypto ipsec sa detail" every 1 minute or so, and run the debugs: https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/115934-technote-ikev2-00.html That may give us further hints on what is happening. Debugs can also be run on a large logging buffer, 10 MB ("check available memory"), but generally all the new platforms have plenty of memory.

ccieexpert
Level 1

Please read this:

https://datatracker.ietf.org/doc/html/rfc5996#section-2.23

 

It is a common practice of NATs to translate TCP and UDP port numbers as well as addresses and use the port numbers of inbound packets to decide which internal node should get a given packet. For this reason, even though IKE packets MUST be sent to and from UDP port 500 or 4500, they MUST be accepted coming from any port and responses MUST be sent to the port from whence they came. This is because the ports may be modified as the packets pass through NATs

So as long as the IKEv2/IPsec SAs are established and passing traffic, it is good; something is happening later where either the intermediate device is removing the translation or something else. We need to troubleshoot this.
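The two checks the replies ask for (compare encaps against decaps across two polls of show crypto ipsec sa, and look for received IKEv2 packets whose UDP source port is no longer 4500), written up as a small Python checker. This is an added example, not something posted in the thread; the sample text is constructed from the R4 output quoted above, and the second counter poll (encaps advanced by 100, decaps still 0) is hypothetical.

```python
import re

# Constructed sample input: two consecutive polls of "show crypto ipsec sa detail"
# on R4. The first poll uses the counters quoted in the thread; the second poll
# is hypothetical (encaps advanced by 100, decaps still 0).
R4_POLL_BEFORE = """
#pkts encaps: 4526, #pkts encrypt: 4526, #pkts digest: 4526
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
"""
R4_POLL_AFTER = """
#pkts encaps: 4626, #pkts encrypt: 4626, #pkts digest: 4626
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
"""

# Constructed sample of the IKEv2 debug lines quoted for R4 in the thread.
R4_IKEV2_DEBUG = """
Jun 18 07:10:28.981: IKEv2:(SESSION ID = 2659,SA ID = 1):Sending Packet [To x.x.x.210:4500/From 192.168.215.3:4500/VRF i0:f0]
Jun 18 07:10:28.999: IKEv2:(SESSION ID = 2659,SA ID = 1):Received Packet [From x.x.x.210:22977/To 192.168.215.3:4500/VRF i0:f0]
"""

# "#pkts encaps: N" / "#pkts decaps: N"; the colon keeps "encaps failed (send)" from matching.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
# "Received Packet [From <peer>:<port>/To <local>:<port>/...]"
RECEIVED_RE = re.compile(r"Received Packet \[From ([\d.x]+):(\d+)/To ([\d.x]+):(\d+)")


def parse_counters(sa_output):
    """Extract the encaps/decaps packet counters from show crypto ipsec sa output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(sa_output)}


def classify_tunnel(before, after):
    """Compare two counter snapshots taken a few pings apart.

    'one-way' is the symptom in the thread: we keep encrypting, but nothing
    from the peer is ever decrypted, so either the peer's ESP never arrives
    or it is dropped before decryption.
    """
    sent = after["encaps"] - before["encaps"]
    received = after["decaps"] - before["decaps"]
    if sent > 0 and received == 0:
        return "one-way"
    if sent == 0 and received == 0:
        return "idle"
    if sent == 0 and received > 0:
        return "receive-only"
    return "healthy"


def find_port_rewrites(debug_output, expected_port=4500):
    """Return (peer, port) for received IKEv2 packets whose UDP source port is not 4500.

    A non-4500 source port means a NAT between the peers rewrote it; the
    responder must accept it and reply to that port (RFC 5996 section 2.23),
    but every rewrite is a NAT binding that can time out or change.
    """
    rewrites = []
    for line in debug_output.splitlines():
        m = RECEIVED_RE.search(line)
        if m and int(m.group(2)) != expected_port:
            rewrites.append((m.group(1), int(m.group(2))))
    return rewrites


def report(before, after, debug_output):
    """Combine both checks into a short list of findings."""
    findings = []
    state = classify_tunnel(parse_counters(before), parse_counters(after))
    findings.append(f"ipsec sa counters: {state}")
    for peer, port in find_port_rewrites(debug_output):
        findings.append(f"ikev2 packet from {peer} arrived from UDP port {port}, not 4500")
    return findings


if __name__ == "__main__":
    for line in report(R4_POLL_BEFORE, R4_POLL_AFTER, R4_IKEV2_DEBUG):
        print(line)
```

Feeding it the real outputs from the EEM-style polling suggested above shows whether the decaps counter ever moves and whether the NAT binding for the IKE/NAT-T flow has changed since the tunnel came up.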