L2L Failure - Packet is missing KE payload

TRENT WAITE
Level 1

I have a site-to-site tunnel between an ASA5525x and the other side, which I believe is either a Watchguard or a Sonicwall; it is a device outside of our management. This has happened once before, where the tunnel just fails. I am assuming that KE is key exchange, but other than that I have no idea what is the cause of this tunnel failing. I am not as familiar with debugging IKEv2, whereas IKEv1 was a little bit more understandable (for me at least) with the IKE failures. So I am wondering what the possible causes of "Packet is missing KE payload" are. I have a feeling that, with this failing at the IKE_SA_INIT message, this could be caused by mismatched DH keys. Our first proposal is policy 1 "group 5 2", then policy 2 "group 5", and after that policy 3 "group 2". While this works with 95% of our tunnels to other ASAs with exactly matching proposals, since this is a non-ASA it could be the cause? If it was purely a straight-up mismatch of DH groups, I have seen a different error message directly indicating a DH group mismatch. This particular problem is not showing that in the debug.

 

IKEv2-PROTO-2: (526): Received Packet [From 6x.xx.xx.xx:500/To 3x.xx.xx.xx:500/VRF i0:f0]
(526): Initiator SPI : 2C579DFFCF37DEA1 - Responder SPI : 0000000000000000 Message id: 0
(526): IKEv2 IKE_SA_INIT Exchange RESPONSE
IKEv2-PROTO-3: (526): Next payload: NOTIFY, version: 2.0
(526): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
(526): Message id: 0, length: 36
(526):
Payload contents:
(526): NOTIFY(Unknown - 43)
(526): Next payload: NONE, reserved: 0x0, length: 8
(526): Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
(526):
(526): Decrypted packet:
(526): Data: 36 bytes
IKEv2-PROTO-5: (526): SM Trace-> SA: I_SPI=2C579DFFCF37DEA1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (526): Processing IKE_SA_INIT message
IKEv2-PROTO-5: (526): SM Trace-> SA: I_SPI=2C579DFFCF37DEA1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (526): Processing IKE_SA_INIT message
IKEv2-PROTO-5: (526): SM Trace-> SA: I_SPI=2C579DFFCF37DEA1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-2: (526): Verify SA init message
IKEv2-PROTO-1: (526): Packet is missing KE payload
IKEv2-PROTO-1: (526):
IKEv2-PROTO-5: (526): SM Trace-> SA: I_SPI=2C579DFFCF37DEA1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-2: (526): Failed SA init exchange
IKEv2-PROTO-1: (526): Initial exchange failed
IKEv2-PROTO-1: (526): Initial exchange failed
IKEv2-PROTO-5: (526): SM Trace-> SA: I_SPI=2C579DFFCF37DEA1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (526): SM Trace-> SA: I_SPI=2C579DFFCF37DEA1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (526): SM Trace-> SA: I_SPI=2C579DFFCF37DEA1 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (526): Abort exchange
IKEv2-PROTO-2: (526): Deleting SA

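The debug above shows a 36-byte IKE_SA_INIT response that carries a single NOTIFY payload (28-byte IKEv2 header plus an 8-byte notify) and no SA, KE or Nonce payloads, which is exactly why the ASA's "Verify SA init message" step reports a missing KE payload. RFC 7296 assigns notify type 43 to TEMPORARY_FAILURE, so the peer answered the INIT with an error notification rather than a proposal. The checker below is an added example, not code from the original post or from Cisco: it parses the IKEv2 header and the chained generic payload headers, lists which mandatory IKE_SA_INIT payloads are absent, decodes any error notify, and, for contrast, also shows what a genuine DH-group mismatch (INVALID_KE_PAYLOAD, type 17, whose data names the group the peer wants) and a complete response look like. The packet fixtures are constructed from the SPIs and lengths visible in the debug; the SA, KE and Nonce bodies in the healthy fixture are placeholders, not real keys or proposals.

```python
"""Minimal IKEv2 IKE_SA_INIT response checker (added example, not Cisco code).

Parses the fixed IKEv2 header and the Next Payload chain (RFC 7296 sections
3.1 and 3.2) and reports which mandatory IKE_SA_INIT payloads (SA, KE, Nonce)
are absent and which error notifications the peer sent instead.
"""
import struct

IKE_HEADER_LEN = 28
PAYLOAD_HDR_LEN = 4
EXCHANGE_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_NAMES = {0: "NONE", 33: "SA", 34: "KE", 40: "NONCE", 41: "NOTIFY",
                 44: "TSi", 45: "TSr", 46: "SK"}
# Notify types below 16384 are errors; the rest are status (RFC 7296 3.10.1).
NOTIFY_NAMES = {14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
                24: "AUTHENTICATION_FAILED", 43: "TEMPORARY_FAILURE",
                44: "CHILD_SA_NOT_FOUND", 16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
REQUIRED_SA_INIT = (33, 34, 40)  # SA, KE, Nonce must all be present


def parse_packet(pkt):
    """Return (header dict, list of (payload_type, body)); ValueError if malformed."""
    if len(pkt) < IKE_HEADER_LEN:
        raise ValueError("packet shorter than IKEv2 header")
    ispi, rspi, nxt, ver, exch, flags, mid, length = struct.unpack(
        "!QQBBBBII", pkt[:IKE_HEADER_LEN])
    if ver >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (ver >> 4))
    if length != len(pkt):
        raise ValueError("header length %d != %d bytes received" % (length, len(pkt)))
    header = {"ispi": ispi, "rspi": rspi, "exchange": EXCHANGE_NAMES.get(exch, exch),
              "response": bool(flags & FLAG_RESPONSE), "msg_id": mid, "length": length}
    payloads, off, ptype = [], IKE_HEADER_LEN, nxt
    while ptype != 0:  # walk the Next Payload chain until NONE
        if off + PAYLOAD_HDR_LEN > len(pkt):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _crit, plen = struct.unpack("!BBH", pkt[off:off + PAYLOAD_HDR_LEN])
        if plen < PAYLOAD_HDR_LEN or off + plen > len(pkt):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((ptype, pkt[off + PAYLOAD_HDR_LEN:off + plen]))
        off, ptype = off + plen, nxt
    return header, payloads


def check_sa_init_response(pkt):
    """Explain why an IKE_SA_INIT response would (or would not) verify."""
    header, payloads = parse_packet(pkt)
    present = {ptype for ptype, _ in payloads}
    result = dict(header, payloads=[PAYLOAD_NAMES.get(t, t) for t, _ in payloads],
                  missing=[PAYLOAD_NAMES[t] for t in REQUIRED_SA_INIT if t not in present],
                  error_notifies=[], suggested_dh_group=None, ke_group=None)
    for ptype, body in payloads:
        if ptype == 41:  # Notify: proto id, SPI size, notify type, SPI, data
            _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            data = body[4 + spi_size:]
            if ntype < 16384:
                result["error_notifies"].append(NOTIFY_NAMES.get(ntype, "UNKNOWN-%d" % ntype))
            if ntype == 17 and len(data) >= 2:  # peer names the DH group it wants
                result["suggested_dh_group"] = struct.unpack("!H", data[:2])[0]
        elif ptype == 34:  # KE: DH group number, reserved, key exchange data
            result["ke_group"] = struct.unpack("!H", body[:2])[0]
    if result["error_notifies"]:
        result["verdict"] = "peer answered with an error notify instead of SA/KE/Nonce"
    elif result["missing"]:
        result["verdict"] = "malformed response: missing " + ", ".join(result["missing"])
    else:
        result["verdict"] = "complete IKE_SA_INIT response"
    return result


def build_packet(ispi, rspi, exchange, payloads, response=True):
    """Assemble an IKEv2 packet from (payload_type, body) pairs (fixtures only)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    flags = FLAG_RESPONSE if response else FLAG_INITIATOR
    header = struct.pack("!QQBBBBII", ispi, rspi, first, 0x20, exchange, flags, 0,
                         IKE_HEADER_LEN + len(body))
    return header + body


# Constructed fixtures: SPIs and lengths follow the debug output; non-notify
# payload bodies are placeholders, not real proposals, keys or nonces.
I_SPI = 0x2C579DFFCF37DEA1
# What the debug shows: a 36-byte response carrying only NOTIFY type 43.
BARE_NOTIFY_RESPONSE = build_packet(I_SPI, 0, 34, [(41, struct.pack("!BBH", 0, 0, 43))])
# How a real DH-group mismatch looks: INVALID_KE_PAYLOAD naming group 14.
DH_MISMATCH_RESPONSE = build_packet(I_SPI, 0, 34, [(41, struct.pack("!BBHH", 0, 0, 17, 14))])
# A healthy response: SA, KE (group 5), Nonce and a NAT-detection status notify.
HEALTHY_RESPONSE = build_packet(
    I_SPI, 0x1122334455667788, 34,
    [(33, b"\x00" * 8), (34, struct.pack("!HH", 5, 0) + b"\x11" * 16),
     (40, b"\x22" * 16), (41, struct.pack("!BBH", 0, 0, 16388) + b"\x33" * 20)])

if __name__ == "__main__":
    for name, pkt in [("bare notify (from debug)", BARE_NOTIFY_RESPONSE),
                      ("dh mismatch", DH_MISMATCH_RESPONSE), ("healthy", HEALTHY_RESPONSE)]:
        print(name, "->", check_sa_init_response(pkt)["verdict"])
```

Run against the first fixture the checker reports SA, KE and NONCE all missing and a TEMPORARY_FAILURE error notify, which is the responder-side condition the later replies in this thread end up chasing (an SA the peer still considered live); a true DH mismatch would instead have produced an INVALID_KE_PAYLOAD notify with the peer's preferred group, matching the different error the poster remembers seeing in that case.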
2 Replies 2

Rahul Govindan
VIP Alumni

Looks like something is not configured correctly on the other side. The peer device (initiator) should have sent the KE payload in the INIT message. It is strange that the other device even sends a proposal without the KE payload. 

 

Can you enable the following debug also if not done already:

debug crypto ikev2 platform 127

 

Does this happen every time or just during a rekey?

Rahul, thanks for your reply. I did a debug platform and got the following:

ASA5525# IKEv2-PLAT-2: (1506): Decrypt success status returned via ipc 1
IKEv2-PLAT-2: (1506): Crypto map OUTSIDE_MAP seq 1 peer doesn't match map entry
IKEv2-PLAT-2: (1506): Crypto map OUTSIDE_MAP seq 4 is incomplete
IKEv2-PLAT-2: (1506): Crypto map OUTSIDE_MAP seq 5 peer doesn't match map entry
IKEv2-PLAT-2: (1506): Crypto map OUTSIDE_MAP seq 8 is incomplete
IKEv2-PLAT-2: (1506): Crypto map OUTSIDE_MAP seq 21 is incomplete
IKEv2-PLAT-2: (1506): PROXY MATCH on crypto map OUTSIDE_MAP seq 22
IKEv2-PLAT-1: (1506): Rejecting child SA with the same traffic selectors as existing child SA - local protocol: 0 local selector: 10.x.x.x/0 - 10.x.x.x/65535 remote protocol: 0 remote selector: 10.xy.xy.xy/0 - 10.xy.xy.xy/65535
IKEv2-PLAT-2: (1506): Encrypt success status returned via ipc 1
IKEv2-PLAT-3: (1506): SENT PKT [CREATE_CHILD_SA] [3x.xx.xx.xx]:500->[Sxxxyyy]:500 InitSPI=0x5062c9323081e4c0 RespSPI=0x5c10eb1d17fb53dc MID=00000007
IKEv2-PLAT-2: (1506): Encrypt success status returned via ipc 1
IKEv2-PLAT-3: (1506): SENT PKT [INFORMATIONAL] [3x.xx.xx.xx]:500->[Sxxxyyy]:500 InitSPI=0x5062c9323081e4c0 RespSPI=0x5c10eb1d17fb53dc MID=000000ad
IKEv2-PLAT-2: (1506): Decrypt success status returned via ipc 1

 

So far this has happened twice; this second time it was up for about 9 days without issue. (The IKEv2 configured lifetime is 24 hours.) The above debug in bold had me somewhat confused, specifically "existing child SA". I checked isakmp and found I did have an SA. Once I cleared that (clear crypto ikev2 sa 6x.xx.xx.xx) the tunnel comes up, both IKE and IPSEC. Now, however, I am still not getting any traffic response from the remote end device. However, the debug on the IKEv2 protocol no longer shows the initial failures, specifically the "Packet is missing KE payload".

 

So I am a few steps forward at least 
