ISR4431 and Dig WR21 router using IKEV2 anomalies

john-serink
Level 1

Hello All:

 

I am using Digi Transport WR21s in the field connected to some instrumentation and a Cisco ISR4431 in the control center in a hub and spoke arrangement in India. Currently we're running purely off GPRS as we await the ADSL to be installed. We will then use ADSL primary and GPRS as backup.

 

I am using ikev2 with asymmetric pre-shared-keys, a common key for the 4431 and a different psk for each remote site. My two problems (which may be related) are:

1. The Digi is rekeying every 10 seconds from its event log,

2. About 10% of the time, the initiator (the Digi) cannot connect to the Cisco properly. The Cisco shows that the SAs came up but the Digi shows no SAs. The Digi keeps asking for a connection and the number of SAs for the particular site begin to pile up until they start to time out in the Cisco but the Digi shows no SAs.

 

Ok, problem 1:

This is what the Digi event log looks like:

18:53:46, 15 Oct 2020,(10) IKEv2 Negotiation completed pe,Responder
18:53:46, 15 Oct 2020,(10) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
18:53:40, 15 Oct 2020,(11) IKEv2 Negotiation completed pe,Responder
18:53:40, 15 Oct 2020,(11) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
18:53:36, 15 Oct 2020,(10) IKEv2 Negotiation completed pe,Responder
18:53:36, 15 Oct 2020,(10) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
18:53:30, 15 Oct 2020,(11) IKEv2 Negotiation completed pe,Responder
18:53:30, 15 Oct 2020,(11) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
18:53:25, 15 Oct 2020,(10) IKEv2 Negotiation completed pe,Responder
18:53:25, 15 Oct 2020,(10) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)

 

The Digi is set to reauthenticate every 4 hours and rekey every 2. In the Cisco I have disabled rekeying on traffic volume and enabled rekeying every 14400 seconds:

crypto ikev2 profile SOIprofile

 Many-many match statements.... match identity remote key-id CORS90
identity local key-id CCrouter
authentication remote pre-share
authentication local pre-share key abcdefg
keyring local SOIkeyring
lifetime 14400
dpd 10 2 periodic

 

crypto ikev2 dpd 30 5 periodic
crypto ikev2 fragmentation

crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association lifetime seconds 14400

 

crypto dynamic-map mainmap 100
description Dynamic map for the CORS sites using ikev2
set security-association lifetime kilobytes disable
set security-association lifetime seconds 14400
set transform-set mainset
set pfs group14
set ikev2-profile SOIprofile

 

The debug only shows the DPD traffic (I think) as below:

Cryptographic Subsystem:
Crypto IPSEC debugging is on
Crypto IPSEC Error debugging is on
IKEV2:
IKEv2 error debugging is on
IKEv2 default debugging is on

 

(the IPs are all telco gateways for their GPRS system so not to worry).

Oct 15 13:16:47.064: IKEv2:(SESSION ID = 24321,SA ID = 13):Processing ACK to informational exchange
Oct 15 13:16:48.367: IKEv2:(SESSION ID = 24313,SA ID = 21):Sending DPD/liveness query
Oct 15 13:16:48.367: IKEv2:(SESSION ID = 24313,SA ID = 21):Building packet for encryption.
Oct 15 13:16:48.368: IKEv2:(SESSION ID = 24313,SA ID = 21):Checking if request will fit in peer window

Oct 15 13:16:48.368: IKEv2:(SESSION ID = 24313,SA ID = 21):Sending Packet [To 171.76.154.248:13344/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 000000BDFFFFFF42 - Responder SPI : CEECEF4F421736C5 Message id: 263
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:48.369: IKEv2:(SESSION ID = 24184,SA ID = 24):Sending DPD/liveness query
Oct 15 13:16:48.369: IKEv2:(SESSION ID = 24184,SA ID = 24):Building packet for encryption.
Oct 15 13:16:48.370: IKEv2:(SESSION ID = 24184,SA ID = 24):Checking if request will fit in peer window

Oct 15 13:16:48.370: IKEv2:(SESSION ID = 24184,SA ID = 24):Sending Packet [To 171.76.180.57:6891/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000021FFFFFFDE - Responder SPI : 06263B378551C919 Message id: 124
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:48.808: IKEv2:(SESSION ID = 24313,SA ID = 21):Received Packet [From 171.76.154.248:13344/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 000000BDFFFFFF42 - Responder SPI : CEECEF4F421736C5 Message id: 263
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:48.808: IKEv2:(SESSION ID = 24313,SA ID = 21):Processing ACK to informational exchange
Oct 15 13:16:48.812: IKEv2:(SESSION ID = 24302,SA ID = 23):Sending DPD/liveness query
Oct 15 13:16:48.812: IKEv2:(SESSION ID = 24302,SA ID = 23):Building packet for encryption.
Oct 15 13:16:48.813: IKEv2:(SESSION ID = 24302,SA ID = 23):Checking if request will fit in peer window

Oct 15 13:16:48.813: IKEv2:(SESSION ID = 24302,SA ID = 23):Sending Packet [To 106.215.170.82:22350/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000003BFFFFFFC4 - Responder SPI : 5593EE3397C5CA7D Message id: 628
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:48.814: IKEv2:(SESSION ID = 24184,SA ID = 24):Received Packet [From 171.76.180.57:6891/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000021FFFFFFDE - Responder SPI : 06263B378551C919 Message id: 124
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:48.814: IKEv2:(SESSION ID = 24184,SA ID = 24):Processing ACK to informational exchange

Oct 15 13:16:49.216: IKEv2:(SESSION ID = 24302,SA ID = 23):Received Packet [From 106.215.170.82:22350/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000003BFFFFFFC4 - Responder SPI : 5593EE3397C5CA7D Message id: 628
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:49.216: IKEv2:(SESSION ID = 24302,SA ID = 23):Processing ACK to informational exchange
Oct 15 13:16:49.782: IKEv2:(SESSION ID = 24316,SA ID = 12):Sending DPD/liveness query
Oct 15 13:16:49.782: IKEv2:(SESSION ID = 24316,SA ID = 12):Building packet for encryption.
Oct 15 13:16:49.783: IKEv2:(SESSION ID = 24316,SA ID = 12):Checking if request will fit in peer window

Oct 15 13:16:49.783: IKEv2:(SESSION ID = 24316,SA ID = 12):Sending Packet [To 106.215.187.163:25338/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000035FFFFFFCA - Responder SPI : 55CD460DC3D2C954 Message id: 54
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:50.164: IKEv2:(SESSION ID = 24316,SA ID = 12):Received Packet [From 106.215.187.163:25338/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000035FFFFFFCA - Responder SPI : 55CD460DC3D2C954 Message id: 54
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:50.164: IKEv2:(SESSION ID = 24316,SA ID = 12):Processing ACK to informational exchange
Oct 15 13:16:50.166: IKEv2:(SESSION ID = 24301,SA ID = 15):Sending DPD/liveness query
Oct 15 13:16:50.166: IKEv2:(SESSION ID = 24301,SA ID = 15):Building packet for encryption.
Oct 15 13:16:50.167: IKEv2:(SESSION ID = 24301,SA ID = 15):Checking if request will fit in peer window

Oct 15 13:16:50.167: IKEv2:(SESSION ID = 24301,SA ID = 15):Sending Packet [To 171.76.186.206:1024/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000372FFFFFC8D - Responder SPI : 5294B86235ECBD21 Message id: 629
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:50.168: IKEv2:(SESSION ID = 24325,SA ID = 17):Sending DPD/liveness query
Oct 15 13:16:50.168: IKEv2:(SESSION ID = 24325,SA ID = 17):Building packet for encryption.
Oct 15 13:16:50.169: IKEv2:(SESSION ID = 24325,SA ID = 17):Checking if request will fit in peer window

Oct 15 13:16:50.169: IKEv2:(SESSION ID = 24325,SA ID = 17):Sending Packet [To 27.63.38.107:8195/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000005FFFFFFFA - Responder SPI : 7E0280A180C74DBB Message id: 149
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:50.169: IKEv2:(SESSION ID = 24320,SA ID = 7):Sending DPD/liveness query
Oct 15 13:16:50.169: IKEv2:(SESSION ID = 24320,SA ID = 7):Building packet for encryption.
Oct 15 13:16:50.170: IKEv2:(SESSION ID = 24320,SA ID = 7):Checking if request will fit in peer window

Oct 15 13:16:50.170: IKEv2:(SESSION ID = 24320,SA ID = 7):Sending Packet [To 106.215.223.19:16290/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000007BFFFFFF84 - Responder SPI : 8DA65B0E8BC08361 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:50.171: IKEv2:(SESSION ID = 24253,SA ID = 22):Sending DPD/liveness query
Oct 15 13:16:50.171: IKEv2:(SESSION ID = 24253,SA ID = 22):Building packet for encryption.
Oct 15 13:16:50.172: IKEv2:(SESSION ID = 24253,SA ID = 22):Checking if request will fit in peer window

Oct 15 13:16:50.172: IKEv2:(SESSION ID = 24253,SA ID = 22):Sending Packet [To 171.76.167.183:7113/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000387FFFFFC78 - Responder SPI : C03B30A3EE16B75E Message id: 166
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:50.589: IKEv2:(SESSION ID = 24301,SA ID = 15):Received Packet [From 171.76.186.206:1024/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000372FFFFFC8D - Responder SPI : 5294B86235ECBD21 Message id: 629
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:50.589: IKEv2:(SESSION ID = 24301,SA ID = 15):Processing ACK to informational exchange

Oct 15 13:16:50.591: IKEv2:(SESSION ID = 24325,SA ID = 17):Received Packet [From 27.63.38.107:8195/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000005FFFFFFFA - Responder SPI : 7E0280A180C74DBB Message id: 149
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:50.592: IKEv2:(SESSION ID = 24325,SA ID = 17):Processing ACK to informational exchange

Oct 15 13:16:50.592: IKEv2:(SESSION ID = 24320,SA ID = 7):Received Packet [From 106.215.223.19:16290/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000007BFFFFFF84 - Responder SPI : 8DA65B0E8BC08361 Message id: 0
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:50.592: IKEv2:(SESSION ID = 24320,SA ID = 7):Processing ACK to informational exchange

Oct 15 13:16:50.592: IKEv2:(SESSION ID = 24253,SA ID = 22):Received Packet [From 171.76.167.183:7113/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000387FFFFFC78 - Responder SPI : C03B30A3EE16B75E Message id: 166
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:50.593: IKEv2:(SESSION ID = 24253,SA ID = 22):Processing ACK to informational exchange
Oct 15 13:16:51.287: IKEv2:(SESSION ID = 24322,SA ID = 14):Sending DPD/liveness query
Oct 15 13:16:51.287: IKEv2:(SESSION ID = 24322,SA ID = 14):Building packet for encryption.
Oct 15 13:16:51.288: IKEv2:(SESSION ID = 24322,SA ID = 14):Checking if request will fit in peer window

Oct 15 13:16:51.288: IKEv2:(SESSION ID = 24322,SA ID = 14):Sending Packet [To 171.76.186.206:1024/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000374FFFFFC8B - Responder SPI : 89BDAB774FD37386 Message id: 1
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:51.745: IKEv2:(SESSION ID = 24322,SA ID = 14):Received Packet [From 171.76.186.206:1024/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000374FFFFFC8B - Responder SPI : 89BDAB774FD37386 Message id: 1
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:51.746: IKEv2:(SESSION ID = 24322,SA ID = 14):Processing ACK to informational exchange
Oct 15 13:16:51.748: IKEv2:(SESSION ID = 24315,SA ID = 16):Sending DPD/liveness query
Oct 15 13:16:51.748: IKEv2:(SESSION ID = 24315,SA ID = 16):Building packet for encryption.
Oct 15 13:16:51.749: IKEv2:(SESSION ID = 24315,SA ID = 16):Checking if request will fit in peer window

Oct 15 13:16:51.749: IKEv2:(SESSION ID = 24315,SA ID = 16):Sending Packet [To 171.76.147.53:11329/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 000000A7FFFFFF58 - Responder SPI : 222DBC935D51C20F Message id: 216
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:51.750: IKEv2:(SESSION ID = 24303,SA ID = 8):Sending DPD/liveness query
Oct 15 13:16:51.750: IKEv2:(SESSION ID = 24303,SA ID = 8):Building packet for encryption.
Oct 15 13:16:51.750: IKEv2:(SESSION ID = 24303,SA ID = 8):Checking if request will fit in peer window

Oct 15 13:16:51.751: IKEv2:(SESSION ID = 24303,SA ID = 8):Sending Packet [To 106.215.246.156:18492/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000003DFFFFFFC2 - Responder SPI : 3FB54C8B3B7F6ADB Message id: 286
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:52.160: IKEv2:(SESSION ID = 24323,SA ID = 6):Sending DPD/liveness query
Oct 15 13:16:52.161: IKEv2:(SESSION ID = 24323,SA ID = 6):Building packet for encryption.
Oct 15 13:16:52.161: IKEv2:(SESSION ID = 24323,SA ID = 6):Checking if request will fit in peer window

Oct 15 13:16:52.162: IKEv2:(SESSION ID = 24323,SA ID = 6):Sending Packet [To 106.215.170.82:22350/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000003DFFFFFFC2 - Responder SPI : FCCDA04D7DDEF86B Message id: 1
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:52.165: IKEv2:(SESSION ID = 24303,SA ID = 8):Received Packet [From 106.215.246.156:18492/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000003DFFFFFFC2 - Responder SPI : 3FB54C8B3B7F6ADB Message id: 286
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:52.166: IKEv2:(SESSION ID = 24303,SA ID = 8):Processing ACK to informational exchange

Oct 15 13:16:52.166: IKEv2:(SESSION ID = 24315,SA ID = 16):Received Packet [From 171.76.147.53:11329/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 000000A7FFFFFF58 - Responder SPI : 222DBC935D51C20F Message id: 216
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:52.167: IKEv2:(SESSION ID = 24315,SA ID = 16):Processing ACK to informational exchange
Oct 15 13:16:52.426: IKEv2:(SESSION ID = 23917,SA ID = 11):Sending DPD/liveness query
Oct 15 13:16:52.427: IKEv2:(SESSION ID = 23917,SA ID = 11):Building packet for encryption.
Oct 15 13:16:52.427: IKEv2:(SESSION ID = 23917,SA ID = 11):Checking if request will fit in peer window

Oct 15 13:16:52.428: IKEv2:(SESSION ID = 23917,SA ID = 11):Sending Packet [To 106.215.249.132:19948/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000033CFFFFFCC3 - Responder SPI : 35ADDB57B3DFCDBA Message id: 171
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:52.430: IKEv2:(SESSION ID = 24323,SA ID = 6):Received Packet [From 106.215.170.82:22350/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000003DFFFFFFC2 - Responder SPI : FCCDA04D7DDEF86B Message id: 1
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:52.430: IKEv2:(SESSION ID = 24323,SA ID = 6):Processing ACK to informational exchange

Oct 15 13:16:52.793: IKEv2:(SESSION ID = 23917,SA ID = 11):Received Packet [From 106.215.249.132:19948/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000033CFFFFFCC3 - Responder SPI : 35ADDB57B3DFCDBA Message id: 171
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:52.793: IKEv2:(SESSION ID = 23917,SA ID = 11):Processing ACK to informational exchange
Oct 15 13:16:52.893: IKEv2:(SESSION ID = 24309,SA ID = 5):Sending DPD/liveness query
Oct 15 13:16:52.894: IKEv2:(SESSION ID = 24309,SA ID = 5):Building packet for encryption.
Oct 15 13:16:52.894: IKEv2:(SESSION ID = 24309,SA ID = 5):Checking if request will fit in peer window

Oct 15 13:16:52.895: IKEv2:(SESSION ID = 24309,SA ID = 5):Sending Packet [To 27.63.38.107:8195/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000004FFFFFFFB - Responder SPI : DA80BB7E6EF74D64 Message id: 435
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:53.209: IKEv2:(SESSION ID = 24309,SA ID = 5):Received Packet [From 27.63.38.107:8195/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000004FFFFFFFB - Responder SPI : DA80BB7E6EF74D64 Message id: 435
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:53.209: IKEv2:(SESSION ID = 24309,SA ID = 5):Processing ACK to informational exchange
Oct 15 13:16:53.775: IKEv2:(SESSION ID = 24318,SA ID = 3):Sending DPD/liveness query
Oct 15 13:16:53.775: IKEv2:(SESSION ID = 24318,SA ID = 3):Building packet for encryption.
Oct 15 13:16:53.776: IKEv2:(SESSION ID = 24318,SA ID = 3):Checking if request will fit in peer window

Oct 15 13:16:53.776: IKEv2:(SESSION ID = 24318,SA ID = 3):Sending Packet [To 27.63.34.197:12504/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000000AFFFFFFF5 - Responder SPI : AD13D8DD643FC1C0 Message id: 594
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:53.817: IKEv2:(SESSION ID = 24318,SA ID = 3):Received Packet [From 27.63.34.197:12504/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000000AFFFFFFF5 - Responder SPI : AD13D8DD643FC1C0 Message id: 594
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:53.818: IKEv2:(SESSION ID = 24318,SA ID = 3):Processing ACK to informational exchange
Oct 15 13:16:54.257: IKEv2:(SESSION ID = 24314,SA ID = 20):Sending DPD/liveness query
Oct 15 13:16:54.257: IKEv2:(SESSION ID = 24314,SA ID = 20):Building packet for encryption.
Oct 15 13:16:54.258: IKEv2:(SESSION ID = 24314,SA ID = 20):Checking if request will fit in peer window

Oct 15 13:16:54.258: IKEv2:(SESSION ID = 24314,SA ID = 20):Sending Packet [To 171.76.186.160:6401/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000007FFFFFFF8 - Responder SPI : 073D2809385BFBEE Message id: 225
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Oct 15 13:16:54.690: IKEv2:(SESSION ID = 24314,SA ID = 20):Received Packet [From 171.76.186.160:6401/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 00000007FFFFFFF8 - Responder SPI : 073D2809385BFBEE Message id: 225
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Oct 15 13:16:54.690: IKEv2:(SESSION ID = 24314,SA ID = 20):Processing ACK to informational exchange
CCrouter#
Oct 15 13:16:55.028: IKEv2:(SESSION ID = 24163,SA ID = 4):Sending DPD/liveness query
Oct 15 13:16:55.028: IKEv2:(SESSION ID = 24163,SA ID = 4):Building packet for encryption.
Oct 15 13:16:55.029: IKEv2:(SESSION ID = 24163,SA ID = 4):Checking if request will fit in peer window

Oct 15 13:16:55.029: IKEv2:(SESSION ID = 24163,SA ID = 4):Sending Packet [To 106.215.240.161:39880/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 0000000DFFFFFFF2 - Responder SPI : 1AA3D364661D0EA7 Message id: 93
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

 

 

Questions:

1. Does anyone see any evidence of rekeying every 10-11 seconds like the Digi log says?

2. Does that debug show just the DPD traffic?

 

Ok, my second problem.

Here is what the Cisco shows:

CCrouter#sh crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
171.76.186.206 Gi0/0/0 CORS9 00:50:36 UA
171.76.173.60 Gi0/0/0 CORS8 00:11:26 UA
106.215.187.163 Gi0/0/0 CORS11 00:25:41 UA
27.63.36.4 Gi0/0/0 CORS10 00:34:22 UA
106.215.170.82 Gi0/0/0 CORS13 01:12:53 UA
106.215.170.82 Gi0/0/0 CORS13 00:59:28 UA
106.215.178.60 Gi0/0/0 CORS12 01:47:41 UA
106.215.178.60 Gi0/0/0 CORS12 00:57:43 UA
171.76.178.128 Gi0/0/0 CORS15 00:45:01 UA
171.76.128.246 Gi0/0/0 CORS14 00:50:47 UA
106.215.173.255 Gi0/0/0 CORS3 00:00:04 UA
106.215.173.255 Gi0/0/0 CORS3 00:00:23 UA
106.215.173.255 Gi0/0/0 CORS3 00:01:53 UA
106.215.173.255 Gi0/0/0 CORS3 00:00:43 UA
106.215.173.255 Gi0/0/0 CORS3 00:00:13 UA
106.215.173.255 Gi0/0/0 CORS3 00:00:53 UA
106.215.173.255 Gi0/0/0 CORS3 00:02:13 UA
106.215.173.255 Gi0/0/0 CORS3 00:01:43 UA
106.215.173.255 Gi0/0/0 CORS3 00:01:33 UA
106.215.173.255 Gi0/0/0 CORS3 00:00:34 UA
106.215.173.255 Gi0/0/0 CORS3 00:01:04 UA
106.215.173.255 Gi0/0/0 CORS3 00:01:23 UA
106.215.173.255 Gi0/0/0 CORS3 00:02:04 UA
106.215.173.255 Gi0/0/0 CORS3 00:01:13 UA
220.255.242.218 Gi0/0/0 jserinki7 00:00:48 UA
106.215.223.19 Gi0/0/0 CORS2 00:02:56 UA
106.215.249.132 Gi0/0/0 CORS5 00:46:44 UA
106.215.249.132 Gi0/0/0 CORS5 01:36:43 UA
106.215.131.96 Gi0/0/0 CORS4 00:33:01 UA
106.215.246.156 Gi0/0/0 CORS6 00:49:52 UA
106.215.246.156 Gi0/0/0 CORS6 01:39:50 UA
106.215.173.225 Gi0/0/0 CORS17 00:10:26 UA
171.76.156.184 Gi0/0/0 CORS16 02:54:43 UA
171.76.156.184 Gi0/0/0 CORS16 01:04:42 UA
171.76.182.57 Gi0/0/0 CORS19 00:02:42 UA

 

Notice the number of live SAs for CORS3? The Cisco says the tunnel is up, but it is not, pings cannot go through.

Here is the Digi event log:

06:39:12, 15 Oct 2020,(1683) IKEv2 Negotiation completed pe,Initiator
06:39:12, 15 Oct 2020,(1683) IKE Negotiation Failed. Peer: ,Retries Exceeded
06:39:12, 15 Oct 2020,(1687) IKE Keys Negotiated. Peer: 103.205.244.106
06:39:11, 15 Oct 2020,(1687) IKE Notification: NATD dest. IP,RX
06:39:11, 15 Oct 2020,(1687) IKE Notification: NATD source IP,RX
06:39:11, 15 Oct 2020,(1687) New IKEv2 Negotiation peer 103.205.244.106,Initiator (Init)
06:39:11, 15 Oct 2020,IKE Request Received From Eroute 0
06:39:02, 15 Oct 2020,(1682) IKEv2 Negotiation completed pe,Initiator
06:39:02, 15 Oct 2020,(1682) IKE Negotiation Failed. Peer: ,Retries Exceeded
06:39:02, 15 Oct 2020,(1686) IKE Keys Negotiated. Peer: 103.205.244.106
06:39:01, 15 Oct 2020,(1686) IKE Notification: NATD dest. IP,RX
06:39:01, 15 Oct 2020,(1686) IKE Notification: NATD source IP,RX
06:39:01, 15 Oct 2020,(1686) New IKEv2 Negotiation peer 103.205.244.106,Initiator (Init)

 

The Digi shows no SAs up but the Cisco debug shows a successful negotiation.

More from the Cisco:

Interface: GigabitEthernet0/0/0
Profile: SOIprofile
Session status: UP-ACTIVE
Peer: 106.215.173.255 port 64866
Session ID: 23693
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23689
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23687
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23685
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23688
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23684
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23691
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23686
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23683
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23692
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23694
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23695
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Active
Session ID: 23690
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
IPSEC FLOW: permit ip host 1.1.1.10 host 2.2.2.3
Active SAs: 2, origin: dynamic crypto map

 

You can see that there is one SA in the Cisco that is active and the rest are inactive. Because the Digi has no negotiated SAs, it keeps sending initiation requests to the Cisco; the Cisco negotiates, believes it's negotiated a new SA, sets the old SA as inactive, and the process just continues.

 

The IKEV2 debug shows a successful negotiation as does the IPSec.

The Cisco thinks the tunnels are up, but I cannot ping the other side.

 

I have tried the following:

clear crypto session remote theipinquestion

clear crypto ikev2 sa remote theipinquestion

The above many times in sequence......

All that happens is that the number of SAs drops down to one and sometimes two and as soon as I stop clearing, they just build back up again and no traffic flows.

 

This happens about 10% of the time and it only happens in India.

I have exactly the same Digis in Singapore and set them up with a pre-paid SIM so that it is for sure behind a NAT gateway (confirmed), and I could not get the Digi to behave like this; every time it would bring up the tunnels properly and traffic would flow. In India, this anomaly occurs about 10% of the time; the other 90% the connections work fine.

 

The only solution we have so far is to send a reboot command to the Digi over SMS. The reboot has to be sent 1-5 times usually. Sometimes it will bring the tunnels up properly after a single reboot, sometimes after the reboot it's the same so I need to do it again and again.

 

I'm really scratching my head on this and I suspect the rekeying traffic I am seeing is related to this.

 

Note:

I originally had the system set up using IKEV1 but moved to IKEV2 for better security AND in the vain hope that IKEV2 would fix this issue... I got the better security but the connection anomaly remained.

 

Looking for any ideas some of the Gurus out there might have. I have googled this to death with no luck yet. I can post the debugs if you all would like to see those, but to me they look exactly the same as a successful negotiation.

 

Anyhow, if you have any ideas, am all ears.

 

Cheers,

John
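Two checks that bear on questions 1 and 2 above, written here as an added example; this is not code from the original post and not a Cisco or Digi tool. The first function walks the `debug crypto ikev2` output and counts exchange types per SA ID: a DPD round trip shows up only as `INFORMATIONAL` exchanges, while a rekey would appear as a `CREATE_CHILD_SA` exchange (and a fresh IKE SA as `IKE_SA_INIT`/`IKE_AUTH`). The constructed sample copies one DPD round trip from the trace above and adds a `CREATE_CHILD_SA` header that the trace does not contain, so the classifier has something to tell apart. The second function reads the Digi event log lines quoted above, groups the "New IKEv2 Negotiation" events by the Digi's negotiation index in parentheses, and computes the interval between them; the 10-second reference value is the `dpd 10 2 periodic` setting in the SOIprofile shown above. The tolerance is an assumed value.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the Cisco IOS IKEv2 debug quoted in the post:
# one DPD (INFORMATIONAL) round trip copied from the trace, plus one CREATE_CHILD_SA
# header added here for illustration (the post's trace contains none).
CISCO_DEBUG = """\
Oct 15 13:16:48.367: IKEv2:(SESSION ID = 24313,SA ID = 21):Sending DPD/liveness query
Oct 15 13:16:48.368: IKEv2:(SESSION ID = 24313,SA ID = 21):Sending Packet [To 171.76.154.248:13344/From A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 000000BDFFFFFF42 - Responder SPI : CEECEF4F421736C5 Message id: 263
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
Oct 15 13:16:48.808: IKEv2:(SESSION ID = 24313,SA ID = 21):Received Packet [From 171.76.154.248:13344/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 000000BDFFFFFF42 - Responder SPI : CEECEF4F421736C5 Message id: 263
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
Oct 15 13:16:48.808: IKEv2:(SESSION ID = 24313,SA ID = 21):Processing ACK to informational exchange
Oct 15 13:20:01.100: IKEv2:(SESSION ID = 24313,SA ID = 21):Received Packet [From 171.76.154.248:13344/To A.B.C.D:4500/VRF i0:f0]
Initiator SPI : 000000BDFFFFFF42 - Responder SPI : CEECEF4F421736C5 Message id: 264
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:
SA N KE TSi TSr
"""

# Digi event log lines copied from the post (newest first, as the Digi prints them).
DIGI_EVENT_LOG = """\
18:53:46, 15 Oct 2020,(10) IKEv2 Negotiation completed pe,Responder
18:53:46, 15 Oct 2020,(10) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
18:53:40, 15 Oct 2020,(11) IKEv2 Negotiation completed pe,Responder
18:53:40, 15 Oct 2020,(11) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
18:53:36, 15 Oct 2020,(10) IKEv2 Negotiation completed pe,Responder
18:53:36, 15 Oct 2020,(10) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
18:53:30, 15 Oct 2020,(11) IKEv2 Negotiation completed pe,Responder
18:53:30, 15 Oct 2020,(11) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
18:53:25, 15 Oct 2020,(10) IKEv2 Negotiation completed pe,Responder
18:53:25, 15 Oct 2020,(10) New IKEv2 Negotiation peer 103.205.244.106,Responder (Info)
"""

SA_ID_RE = re.compile(r"SA ID = (\d+)\)")
EXCHANGE_RE = re.compile(r"^IKEv2 (\S+) Exchange (REQUEST|RESPONSE)\s*$")


def classify_exchanges(debug_text):
    """Count IKEv2 exchange types per SA ID.

    The exchange header ("IKEv2 <TYPE> Exchange REQUEST/RESPONSE") carries no
    SA ID of its own, so it is attributed to the most recent line that did.
    """
    per_sa = defaultdict(Counter)
    current_sa = None
    for line in debug_text.splitlines():
        m = SA_ID_RE.search(line)
        if m:
            current_sa = int(m.group(1))
            continue
        m = EXCHANGE_RE.match(line)
        if m and current_sa is not None:
            per_sa[current_sa][m.group(1)] += 1
    return dict(per_sa)


def non_dpd_exchange_types(debug_text):
    """Exchange types other than INFORMATIONAL (DPD/notify) seen in the trace.
    An empty set means the trace shows liveness checks only, no rekeying."""
    return {t for counts in classify_exchanges(debug_text).values()
            for t in counts if t != "INFORMATIONAL"}


DIGI_RE = re.compile(
    r"^(\d\d:\d\d:\d\d, \d+ \w+ \d{4}),\((\d+)\) New IKEv2 Negotiation peer ([^,]+),"
    r"(Initiator|Responder)")


def negotiation_intervals(event_log):
    """Seconds between successive 'New IKEv2 Negotiation' events, grouped by the
    Digi's negotiation index. Timestamps are sorted because the log is newest-first."""
    stamps = defaultdict(list)
    for line in event_log.splitlines():
        m = DIGI_RE.match(line)
        if m:
            stamps[int(m.group(2))].append(
                datetime.strptime(m.group(1), "%H:%M:%S, %d %b %Y"))
    result = {}
    for idx, times in stamps.items():
        times.sort()
        result[idx] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return result


def consistent_with_dpd(intervals, dpd_seconds, tolerance=2):
    """True when every observed interval is within `tolerance` seconds of the
    peer's periodic DPD interval, i.e. the events tick at DPD cadence rather
    than at the configured rekey lifetime. Tolerance is an assumed value."""
    return all(abs(i - dpd_seconds) <= tolerance
               for ivals in intervals.values() for i in ivals)


if __name__ == "__main__":
    print("exchanges per SA:", classify_exchanges(CISCO_DEBUG))
    print("non-DPD exchange types:", non_dpd_exchange_types(CISCO_DEBUG))
    ivals = negotiation_intervals(DIGI_EVENT_LOG)
    print("Digi intervals by index:", ivals)
    print("matches dpd 10 periodic:", consistent_with_dpd(ivals, 10))
    print("matches 2 h rekey:", consistent_with_dpd(ivals, 7200))
```

Run against the full trace in the post, `non_dpd_exchange_types` returns an empty set, which is the answer to question 2: only INFORMATIONAL exchanges, so DPD traffic and nothing else. The Digi intervals come out at 10 to 11 seconds per negotiation index, which lines up with the Cisco's 10-second periodic DPD and not with a 2-hour rekey; that is the correlation the accepted answer later confirms by changing the DPD settings.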

 

 

 

 

5 Replies

john-serink
Level 1

Hello:

 

Two days ago I added this line in the 4431 under general config mode:

crypto ikev2 fragmentation

 

Since then, I have not seen issue 2 described above.

If I get another 2-3 days without seeing it, I will update it as solved.

 

 

Cheers,

John

It's been 7 days since the original fix with the fragmentation command and I haven't seen the issue since.

 

I'm calling this fixed.

 

Cheers,

john

First one, these are DPDs only. For rekeying, you will see complete proposals, SA exchange, etc. For second one, you need to check show crypto ipsec sa to confirm that VPN is up. These might be phase-1 only which matches what Digi is saying cuz IPsec SAs aren't up.

From both symptoms, it seems that the common part between them is DPDs and IKE messages from Cisco are not reaching Digi. Hence Digi is doing rekey cuz DPDs are not received and Digi is showing VPN inactive cuz the response with acceptable proposals isn't received.

Check the stability of your GPRS and whether they pass IKE messages with/without NAT-T successfully.

**** please remember to rate useful posts
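A small monitor for the symptom discussed in this reply (IKE SAs piling up on the hub while the spoke reports nothing), added here as an example; it is not part of the thread and not a Cisco tool. It parses the `show crypto session brief` table and the per-peer session detail quoted in the original post, flags any Phase1_id with several concurrent sessions whose newest is only seconds old (the CORS3 pattern), counts Active versus Inactive IKEv2 SAs, and checks whether an IPSEC FLOW with active SAs is present, which is the "phase-1 only" condition this reply says to confirm with `show crypto ipsec sa`. The brief rows are a subset copied from the post; the detail block is a shortened, constructed version of the one in the post; the session-count and age thresholds are assumed values.

```python
import re
from collections import defaultdict

# Subset of the 'show crypto session brief' rows from the original post,
# with the header line kept so the parser has to skip it.
SESSION_BRIEF = """\
Peer I/F Username Group/Phase1_id Uptime Status
171.76.186.206 Gi0/0/0 CORS9 00:50:36 UA
106.215.170.82 Gi0/0/0 CORS13 01:12:53 UA
106.215.170.82 Gi0/0/0 CORS13 00:59:28 UA
106.215.173.255 Gi0/0/0 CORS3 00:00:04 UA
106.215.173.255 Gi0/0/0 CORS3 00:00:23 UA
106.215.173.255 Gi0/0/0 CORS3 00:01:53 UA
106.215.173.255 Gi0/0/0 CORS3 00:00:43 UA
"""

# Constructed, shortened form of the per-peer detail block in the post
# (three IKEv2 SAs instead of thirteen).
SESSION_DETAIL = """\
Interface: GigabitEthernet0/0/0
Profile: SOIprofile
Session status: UP-ACTIVE
Peer: 106.215.173.255 port 64866
Session ID: 23693
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23689
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Inactive
Session ID: 23695
IKEv2 SA: local A.B.C.D/4500 remote 106.215.173.255/64866 Active
IPSEC FLOW: permit ip host 1.1.1.10 host 2.2.2.3
Active SAs: 2, origin: dynamic crypto map
"""

# peer, interface, phase1 id, uptime hh:mm:ss, status (Username column is empty here)
BRIEF_ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+):(\d\d):(\d\d)\s+(\S+)\s*$")


def parse_session_brief(text):
    """One dict per data row: peer, intf, id, uptime in seconds, status."""
    rows = []
    for line in text.splitlines():
        m = BRIEF_ROW.match(line)
        if not m:
            continue  # header, legend and blank lines
        h, mi, s = (int(x) for x in m.group(4, 5, 6))
        rows.append({"peer": m.group(1), "intf": m.group(2), "id": m.group(3),
                     "uptime": h * 3600 + mi * 60 + s, "status": m.group(7)})
    return rows


def sa_pileup(rows, min_sessions=3, max_age=300):
    """Phase1_ids with at least min_sessions concurrent sessions whose newest is
    younger than max_age seconds: the 'spoke keeps re-initiating' signature.
    Returns {phase1_id: session_count}. Both thresholds are assumed values."""
    by_id = defaultdict(list)
    for r in rows:
        by_id[r["id"]].append(r["uptime"])
    return {pid: len(ups) for pid, ups in by_id.items()
            if len(ups) >= min_sessions and min(ups) < max_age}


IKEV2_SA = re.compile(r"^IKEv2 SA: .* (Active|Inactive)\s*$")


def ikev2_sa_states(detail_text):
    """Count Active vs Inactive IKEv2 SAs in the session detail for one peer."""
    counts = {"Active": 0, "Inactive": 0}
    for line in detail_text.splitlines():
        m = IKEV2_SA.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def has_ipsec_flow(detail_text):
    """True when an IPSEC FLOW with a non-zero 'Active SAs' count is listed.
    False means the session is IKE-only (phase 1 up, no child SA)."""
    flow = any(l.startswith("IPSEC FLOW:") for l in detail_text.splitlines())
    m = re.search(r"^Active SAs: (\d+)", detail_text, re.M)
    return flow and m is not None and int(m.group(1)) > 0


if __name__ == "__main__":
    rows = parse_session_brief(SESSION_BRIEF)
    print("pile-up candidates:", sa_pileup(rows))
    print("IKEv2 SA states for peer:", ikev2_sa_states(SESSION_DETAIL))
    print("IPsec flow with active SAs:", has_ipsec_flow(SESSION_DETAIL))
```

On the post's own output the IPSEC FLOW is present with two active SAs, so the "phase-1 only" check alone would pass even though pings fail; the pile-up count (many sessions for one Phase1_id, all but one Inactive, newest a few seconds old) is the signal that catches the CORS3 case, and it is cheap to poll from the hub without touching the spoke.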

Hi Moh:

 

You are correct! I adjusted the dpd periodic settings and sure enough, those Digi messages changed as well.

 

Thanx for that, I'm looking at just ignoring these messages in the event log so I'm going to close this and call it solved.

 

Cheers,

john

Ok, so it turns out this is NOT solved.

The day after I posted it was solved, the issue came roaring back.

 

I am reading over RFC 5996 over and over to try and get to the bottom of this.

 

The ISR4431 accepts the phase 1 and phase 2 proposals from the Digi and declares the tunnel up.

The logs from the Digi show that it authenticates phase 1 and phase 2, then it says failed after too many retries.

 

I have attempted clearing crypto sessions on the Cisco side, clearing crypto ikev2 sa on the Cisco side, doesn't help.

So far, the only solution is an SMS-controlled reboot (or several) of the Digi. Sometimes up to 4-5 reboots are necessary.

 

All sites behave similarly.

 

Cheers,

john
