cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1028
Views
1
Helpful
24
Replies

l2l vpn Auth exchange failed betweeen Cisco ASA and Huawei router

Niss.comps
Level 1
Level 1

Hello Guys,

I was trying to configure IKEv2 l2l vpn b/n asa which is at my end and Huawei router which is remote peer. The tunnel will not come up with error "Auth exchange failed".  Below is debug and packet-tracer outputs. please help.

IKEv2-PROTO-4: (1382): Received Packet [From RemotePeerIp:4500/To LocalPeerIp:4500/VRF i0:f0]

(1382): Initiator SPI : A5DD10C2FC4C7696 - Responder SPI : 863E42197DD3FC45 Message id: 1

(1382): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (1382): Next payload: ENCR, version: 2.0 (1382): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (1382): Message id: 1, length: 80(1382):

Payload contents:

(1382):

(1382): Decrypted packet:(1382): Data: 80 bytes

(1382): REAL Decrypted packet:(1382): Data: 8 bytes

IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH IKEv2-PROTO-7: (1382): Action: Action_Null

IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY IKEv2-PROTO-4: (1382): Process auth response notify

IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL IKEv2-PROTO-4: (1382): Auth exchange failed

IKEv2-PROTO-2: (1382): Auth exchange failed IKEv2-PROTO-2: (1382): Auth exchange failed IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: EXIT Event: EV_ABORT

IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT

IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS IKEv2-PROTO-4: (1382): Abort exchange

IKEv2-PROTO-4: (1382): Deleting SA

packet tracer output
==================

Phase: 7

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x2b4ea32c5920, priority=70, domain=encrypt, deny=false

hits=8996, user_data=0x0, cs_id=0x2b4e96391760, reverse, flags=0x0, protocol=0

src ip/id=LocalNatIP, mask=255.255.255.255, port=0, tag=any

dst ip/id=RemoteLANIP, mask=255.255.255.255, port=0, tag=any, dscp=0x0

input_ifc=any(vrfid:65535), output_ifc=OUTSIDE_IF

Result: input-interface: INSIDE_IF(vrfid:0)

input-status: up

input-line-status: up

output-interface: OUTSIDE_IF(vrfid:0)

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d14c10d3b6 flow (need-ike)/snp_sp_action_cb:1575

24 Replies 24

Debug crypto ikev2 255 

Share this 

Also share 

Show crypto ikev2 sa details 

MHM

Hello MHM,

I have attached the debug file.

IKEv2-PROTO-2: (1697): Auth exchange failed

IKEv2-PROTO-4: (1659): Process delete request from peer

IKEv2-PROTO-4: (1659): Deleting SA
IKEv2-PLAT-2: (1659): crypto map peer index gets reset for tag CRYPTO_MAP and seqno 17
IKEv2-PLAT-4: (1659): IKEv2 session deregistered from session manager. Reason: 4
IKEv2-PLAT-4: (1659): session manager killed ikev2 tunnel. Reason: User Requested
IKEv2-PLAT-4: (1659): Deleted associated IKE flow: OUTSIDE_IF, LocalPeerIP:37905 <-> RemotePeerIP:37905

'Show crypto ikev2 sa details' command for the peer displays empty since the tunnel is not established yet.

Thank you

IKEv2-PROTO-4: (1629): NAT INSIDE found

NAT detect inside not outside' which interface you use to connect both Peer ?

MHM

The vpn is over the Internet. Both peers are reachable through their public ip addresses. My local real host address is natted to another address before traversing the tunnel.
My side ASA:
Nat(inside_if, outside_if) source static real_address natted_address destination static remote_address remote_address no-proxy-arp

Remote side:
No natting applied for remote address. 

 

Nat(inside_if, outside_if) source static real_address natted_address destination static remote_address remote_address no-proxy-arp <<- this NAT is ok if you use natted-address in ACL of VPN

But the issue is VPN' why NAT detect inside' which IP you use vpn' ip of outside interface?

MHM

Yes, the crypto acl sources from my natted ip to remote address.

The natted_address for my real host address is not the same as the public ip address assigned to my outside_if. 

So remote Peer hauwai use ASA outside IP as set peer ? 

If Yes then it OK

Last check hauwai if run NAT-T or not

MHM 

Hello MHM, 

The Huawei router uses my asa's public address as peer address. 

Nat traversal is also enabled on the Huawei router. 

Use capture in outside of ASA 

Match host <public IP of Huawei>

Share output here 

Thanks 

MHM

Attached it.

Thanks too.

can you share packet-tracer between ASA LAN to Huawei LAN 
and then packet-tracer between Huawei LAN to ASA LAN 
note:- dont use ASA interface IP in packet tracer use any other IP from LAN subnet 
Screenshot (168).png

Any update 

MHM

waiting happy news

MHM

Hello,

Below is capture from ASA side.

10 packets captured

1: 06:21:20.006332 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
2: 06:21:25.000610 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
3: 06:21:29.989664 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
4: 06:21:34.990442 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
5: 06:21:40.000808 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
6: 06:21:44.992639 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
7: 06:21:50.008864 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
8: 06:21:54.995065 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
9: 06:22:00.002242 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
10: 06:22:05.004882 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request

I will also share capture from remote end once the remote admin shares me the capture.

Thanks and i apologize for the delay.