02-16-2022 05:11 PM - edited 02-16-2022 05:34 PM
EDIT: PLEASE IGNORE. MY PRIMARY INTERNET AT THIS SITE IS DOWN.
Hi all,
I was going through my sites to configure these tunnels on. I get them up nice and easy with a config template paste, but this one ASA just doesn't want to work. I've redone the config as well on both sides, nothing. I don't want to say it's the remote side config as it's working for every other site. I don't get much debug output, but on the problematic ASA this is my output.
Any ideas?
IKEv2-PLAT-5: (55): SENT PKT [IKE_SA_INIT] [$REMOTE_ASA_IP]:500->[$MAIN_ASA_IP]:500 InitSPI=0x2d536454d12b92b7 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-2: (55): Maximum number of retransmissions reached
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-4: (55): Failed SA init exchange
IKEv2-PROTO-2: (55): Initial exchange failed
IKEv2-PROTO-2: (55): Initial exchange failed
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PLAT-7: Negotiating SA request deleted
IKEv2-PLAT-7: Decrement count for outgoing negotiating
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (55): Abort exchange
IKEv2-PROTO-4: (55): Deleting SA
IKEv2-PLAT-4: (55): PSH cleanup
IKEv2-PLAT-4: Received PFKEY delete SA for SPI 0x715B668A error FALSE
IKEv2-PLAT-4: PFKEY Delete Ack from IPSec
02-17-2022 02:31 PM
I was doing the config remotely, and I realized that my primary outside internet connection was down... so it was using my backup (which has a completely different public IP), so that's why it wasn't connecting.
02-17-2022 08:52 AM
show crypto ipsec sa detail on the ASA:
local address must be the tunnel source
current peer must be the tunnel destination
Waiting for your reply.
02-17-2022 02:15 PM
As I understand from your other post, the issue was solved by changing the VTI to S2S IPSec?
02-17-2022 02:27 PM
Looking into the logs:
M Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
Seems like the remote site is not responding at all. Is the tunnel configured on the other side? What logs do you see on the remote side (if you have access to it)?
1. Check that phase 1 is set up properly on the remote end.
2. Make sure the encryption is matched on both firewalls.
Also show us the config and debug on both devices.
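Added example, not part of any post in this thread: a short Python triage over IKEv2 debug output in the format shown in the original post. It flags sessions where IKE_SA_INIT was retransmitted until the limit with the responder SPI still zero, and reports the source and destination addresses the initiator actually used. The sample lines, the documentation-range IP addresses, the function name `triage` and the verdict labels are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output posted above.
SAMPLE = """\
IKEv2-PLAT-5: (55): SENT PKT [IKE_SA_INIT] [198.51.100.10]:500->[203.0.113.20]:500 InitSPI=0x2d536454d12b92b7 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-2: (55): Maximum number of retransmissions reached
"""

# Groups: session id, exchange type, source address, destination address.
SENT = re.compile(r"\((\d+)\): SENT PKT \[(\w+)\] \[([^\]]+)\]:\d+->\[([^\]]+)\]:\d+")
# Groups: session id, responder SPI, state, event.
TRACE = re.compile(r"\((\d+)\): SM Trace-> SA: I_SPI=[0-9A-Fa-f]+ "
                   r"R_SPI=([0-9A-Fa-f]+) .*?CurState: (\w+) Event: (\w+)")

def triage(debug_text):
    """Summarise each IKEv2 session; works on line-separated or run-together text."""
    sessions = defaultdict(lambda: {"src": None, "dst": None, "retransmits": 0,
                                    "exceeded": False, "responder_seen": False})
    for sid, exchange, src, dst in SENT.findall(debug_text):
        if exchange == "IKE_SA_INIT":
            s = sessions[int(sid)]
            s["src"], s["dst"] = src, dst
    for sid, r_spi, state, event in TRACE.findall(debug_text):
        s = sessions[int(sid)]
        if int(r_spi, 16) != 0:          # a non-zero R_SPI means the peer answered
            s["responder_seen"] = True
        if state == "I_WAIT_INIT" and event == "EV_RE_XMT":
            s["retransmits"] += 1
        if event == "EV_RE_XMT_EXCEED":
            s["exceeded"] = True
    for s in sessions.values():
        if s["exceeded"] and not s["responder_seen"]:
            s["verdict"] = "no-response"  # nothing came back for IKE_SA_INIT
        elif s["responder_seen"]:
            s["verdict"] = "responder-replied"
        else:
            s["verdict"] = "inconclusive"
    return dict(sessions)

if __name__ == "__main__":
    for sid, s in triage(SAMPLE).items():
        print(f"session {sid}: {s['verdict']} src={s['src']} dst={s['dst']} "
              f"retransmits={s['retransmits']}")
```

For a `no-response` session, compare the reported `src` with the peer address configured on the remote firewall; a failover to a backup uplink with a different public IP shows up there.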