L2L IKEV2 IPSEC VTI ROUTE BASED VPN - WONT ESTABLISH - ASA 9.10(1)17

Prime56
Level 1

EDIT: PLEASE IGNORE. MY PRIMARY INTERNET AT THIS SITE IS DOWN.

 

 

 

Hi all,

I was going through my sites to configure these tunnels on. I get them up nice and easy with a config template paste, but this one ASA just doesn't want to work. I've redone the config as well on both sides, nothing. I don't want to say it's the remote side config, as it's working for every other site. I don't get much debug output, but on the problematic ASA this is my output.

Any ideas? 

 

IKEv2-PLAT-5: (55): SENT PKT [IKE_SA_INIT] [$REMOTE_ASA_IP]:500->[$MAIN_ASA_IP]:500 InitSPI=0x2d536454d12b92b7 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-2: (55): Maximum number of retransmissions reached
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-4: (55): Failed SA init exchange
IKEv2-PROTO-2: (55): Initial exchange failed
IKEv2-PROTO-2: (55): Initial exchange failed
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PLAT-7: Negotiating SA request deleted
IKEv2-PLAT-7: Decrement count for outgoing negotiating
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (55): Abort exchange
IKEv2-PROTO-4: (55): Deleting SA
IKEv2-PLAT-4: (55): PSH cleanup
IKEv2-PLAT-4: Received PFKEY delete SA for SPI 0x715B668A error FALSE
IKEv2-PLAT-4: PFKEY Delete Ack from IPSec  

 

Accepted Solution

I was doing the config remotely, and I realized that my primary outside internet connection was down... so it was using my backup (which has a completely different public IP), so that's why it wasn't connecting.

4 Replies

show crypto ipsec sa detail on the ASA:
local address must be the tunnel source
current peer must be the tunnel destination

Waiting for your reply.

As I understand from your other post, the issue was solved by changing the VTI to S2S IPsec?

Looking into the logs:

SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT

Seems like the remote site is not responding at all. Is the tunnel configured on the other side? What logs do you see on the remote side (if you have access to it)?

 

1. Check that phase 1 is set up properly on the remote end.

2. Make sure the encryption settings match on both firewalls.

Also show us the config and debug on both devices.

Please do not forget to rate.
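As an added example (not part of the thread and not Cisco tooling): a Python script that reads debug output like the one posted above and flags sessions where IKE_SA_INIT was retransmitted to the limit while the responder SPI stayed zero, meaning the peer never answered. The sample lines are copied from the original post; the function name, field names and verdict wording are assumptions.

```python
import re

# Constructed sample: a subset of the debug lines from the original post.
SAMPLE = """\
IKEv2-PLAT-5: (55): SENT PKT [IKE_SA_INIT] [$REMOTE_ASA_IP]:500->[$MAIN_ASA_IP]:500 InitSPI=0x2d536454d12b92b7 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-7: (55): SM Trace-> SA: I_SPI=2D536454D12B92B7 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-2: (55): Maximum number of retransmissions reached
IKEv2-PROTO-4: (55): Failed SA init exchange
"""

# "(55)" is the per-negotiation session id that prefixes each line.
SESSION = re.compile(r"^IKEv2-\w+-\d+: \((\d+)\): (.*)$")
TRACE = re.compile(r"R_SPI=([0-9A-Fa-f]{16}).*CurState: (\S+) Event: (\S+)")
SENT = re.compile(r"SENT PKT \[IKE_SA_INIT\] \[(.+?)\]:(\d+)->\[(.+?)\]:(\d+)")

def summarize(text):
    """Group debug lines by session id and flag unanswered IKE_SA_INIT."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION.match(line.strip())
        if not m:
            continue  # platform lines without a session id
        sid, body = m.groups()
        s = sessions.setdefault(sid, {"src": None, "dst": None, "retransmits": 0,
                                      "peer_replied": False, "gave_up": False})
        if (p := SENT.search(body)):
            s["src"], s["dst"] = p.group(1), p.group(3)
        if (t := TRACE.search(body)):
            r_spi, state, event = t.groups()
            if int(r_spi, 16) != 0:
                s["peer_replied"] = True  # a responder SPI means a reply arrived
            if state == "I_WAIT_INIT" and event == "EV_RE_XMT":
                s["retransmits"] += 1
            if event == "EV_RE_XMT_EXCEED":
                s["gave_up"] = True
    for s in sessions.values():
        s["verdict"] = ("no reply to IKE_SA_INIT: check source IP/egress interface, "
                        "peer address and UDP/500 reachability"
                        if s["gave_up"] and not s["peer_replied"] else "inconclusive")
    return sessions

if __name__ == "__main__":
    for sid, info in summarize(SAMPLE).items():
        print(sid, info)
```

The source address on the SENT PKT line is the value to compare against the peer address configured on the other firewall, which is where the mismatch in this thread came from.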