08-28-2024 05:42 AM - edited 08-28-2024 05:46 AM
Hello Guys,
I was trying to configure an IKEv2 L2L VPN between the ASA at my end and a Huawei router as the remote peer. The tunnel will not come up, and the error is "Auth exchange failed". Below are the debug and packet-tracer outputs. Please help.
IKEv2-PROTO-4: (1382): Received Packet [From RemotePeerIp:4500/To LocalPeerIp:4500/VRF i0:f0]
(1382): Initiator SPI : A5DD10C2FC4C7696 - Responder SPI : 863E42197DD3FC45 Message id: 1
(1382): IKEv2 IKE_AUTH Exchange RESPONSE
IKEv2-PROTO-5: (1382): Next payload: ENCR, version: 2.0
(1382): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
(1382): Message id: 1, length: 80
(1382):
Payload contents:
(1382):
(1382): Decrypted packet:(1382): Data: 80 bytes
(1382): REAL Decrypted packet:(1382): Data: 8 bytes
IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (1382): Action: Action_Null
IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (1382): Process auth response notify
IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-4: (1382): Auth exchange failed
IKEv2-PROTO-2: (1382): Auth exchange failed
IKEv2-PROTO-2: (1382): Auth exchange failed
IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (1382): Abort exchange
IKEv2-PROTO-4: (1382): Deleting SA
packet tracer output
==================
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b4ea32c5920, priority=70, domain=encrypt, deny=false
hits=8996, user_data=0x0, cs_id=0x2b4e96391760, reverse, flags=0x0, protocol=0
src ip/id=LocalNatIP, mask=255.255.255.255, port=0, tag=any
dst ip/id=RemoteLANIP, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any(vrfid:65535), output_ifc=OUTSIDE_IF
Result: input-interface: INSIDE_IF(vrfid:0)
input-status: up
input-line-status: up
output-interface: OUTSIDE_IF(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d14c10d3b6 flow (need-ike)/snp_sp_action_cb:1575
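An added triage helper, not part of the original post, that parses the two outputs quoted above (the IKEv2 state-machine debug and the VPN phase of packet-tracer) and correlates them into findings. The sample input is constructed from the lines in the post, with the poster's placeholder peer names kept as-is; the regular expressions are written against that text, not against any Cisco-documented format.

```python
import re

# Constructed sample input, modelled on the debug lines quoted in the post above
# (peer names are the poster's placeholders; SPIs are copied from the post).
SAMPLE_DEBUG = """\
IKEv2-PROTO-4: (1382): Received Packet [From RemotePeerIp:4500/To LocalPeerIp:4500/VRF i0:f0]
(1382): Initiator SPI : A5DD10C2FC4C7696 - Responder SPI : 863E42197DD3FC45 Message id: 1
(1382): REAL Decrypted packet:(1382): Data: 8 bytes
IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (1382): Process auth response notify
IKEv2-PROTO-7: (1382): SM Trace-> SA: I_SPI=A5DD10C2FC4C7696 R_SPI=863E42197DD3FC45 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-4: (1382): Auth exchange failed
IKEv2-PROTO-4: (1382): Deleting SA
"""

# Constructed sample: the VPN phase of the packet-tracer output quoted in the post.
SAMPLE_TRACER = """\
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d14c10d3b6 flow (need-ike)/snp_sp_action_cb:1575
"""

SM_TRACE = re.compile(
    r"SM Trace-> SA: I_SPI=(?P<ispi>[0-9A-F]+) R_SPI=(?P<rspi>[0-9A-F]+) "
    r"\((?P<role>[IR])\) MsgID = (?P<msgid>[0-9A-F]+) "
    r"CurState: (?P<state>\w+) Event: (?P<event>\w+)"
)
RECV_PKT = re.compile(r"Received Packet \[From [^:]+:(?P<pport>\d+)/To [^:]+:(?P<lport>\d+)")
DECRYPTED = re.compile(r"REAL Decrypted packet:.*Data: (?P<size>\d+) bytes")
DROP = re.compile(r"Drop-reason: \((?P<code>[^)]+)\) (?P<text>[^,]+), Drop-location: .*?\((?P<tag>[^)]+)\)")


def parse_ikev2_debug(text):
    """Summarise an IKEv2 debug: SA identifiers, the state-machine walk,
    NAT-T usage, the decrypted response size and the first failure line."""
    s = {"transitions": [], "failure": None, "nat_t": False, "role": None, "decrypted_bytes": None}
    for line in text.splitlines():
        if m := RECV_PKT.search(line):
            # UDP/4500 on both ends means the peers moved to NAT-T encapsulation
            s["nat_t"] = m["pport"] == "4500" and m["lport"] == "4500"
        if m := DECRYPTED.search(line):
            s["decrypted_bytes"] = int(m["size"])
        if m := SM_TRACE.search(line):
            s["role"] = "initiator" if m["role"] == "I" else "responder"
            s["ispi"], s["rspi"] = m["ispi"], m["rspi"]
            s["transitions"].append((m["state"], m["event"]))
        if s["failure"] is None and "failed" in line.lower():
            s["failure"] = line.split(": ", 2)[-1].strip()
    return s


def parse_packet_tracer(text):
    """Extract the verdict of one packet-tracer phase, keeping the first value of each key."""
    pt = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Phase", "Type", "Subtype", "Result", "Action"):
            pt.setdefault(key.lower(), value.strip())
    if m := DROP.search(text):
        pt.update(drop_code=m["code"], drop_text=m["text"], drop_tag=m["tag"])
    return pt


def diagnose(debug_text, tracer_text):
    """Correlate both outputs into findings for the person troubleshooting the tunnel."""
    ike, pt = parse_ikev2_debug(debug_text), parse_packet_tracer(tracer_text)
    findings = []
    if pt.get("drop_tag") == "need-ike":
        findings.append("packet-tracer: the flow matched the crypto map but no IKE SA exists yet; "
                        "the drop is a symptom of the IKE failure, not a crypto ACL mismatch")
    states = [state for state, _ in ike["transitions"]]
    if ike["failure"] and "AUTH_DONE" in states:
        findings.append(f"ikev2: '{ike['failure']}' as {ike['role']} during IKE_AUTH; "
                        "IKE_SA_INIT completed, so IKE proposals and DH group already agree")
    if ike["decrypted_bytes"] == 8:
        # 4-byte generic payload header + 4-byte Notify header with no SPI and no data:
        # the peer answered IKE_AUTH with a single bare Notify instead of AUTH/SA payloads
        findings.append("ikev2: the IKE_AUTH response is one bare Notify payload (8 bytes); "
                        "read the notify type on the Huawei side to see which check it failed")
    if ike["nat_t"]:
        findings.append("ikev2: NAT-T (UDP/4500) is in use, so both peers must keep NAT-T enabled")
    return ike, pt, findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG, SAMPLE_TRACER)[2]:
        print("-", finding)
```

The useful signal in the post is the combination: packet-tracer drops with `need-ike`, which only says "the crypto map matched but there is no SA", while the debug shows the SA reached IKE_AUTH and the peer's reply decrypted to 8 bytes, i.e. a single Notify with no data. That points the investigation at the authentication or traffic-selector check on the Huawei side rather than at the ASA's crypto ACL.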
08-28-2024 06:16 AM
Debug crypto ikev2 255
Share this
Also share
Show crypto ikev2 sa details
MHM
08-29-2024 01:59 AM
Hello MHM,
I have attached the debug file.
IKEv2-PROTO-2: (1697): Auth exchange failed
IKEv2-PROTO-4: (1659): Process delete request from peer
IKEv2-PROTO-4: (1659): Deleting SA
IKEv2-PLAT-2: (1659): crypto map peer index gets reset for tag CRYPTO_MAP and seqno 17
IKEv2-PLAT-4: (1659): IKEv2 session deregistered from session manager. Reason: 4
IKEv2-PLAT-4: (1659): session manager killed ikev2 tunnel. Reason: User Requested
IKEv2-PLAT-4: (1659): Deleted associated IKE flow: OUTSIDE_IF, LocalPeerIP:37905 <-> RemotePeerIP:37905
The 'show crypto ikev2 sa details' command for the peer displays nothing since the tunnel is not established yet.
Thank you
08-29-2024 04:50 AM
IKEv2-PROTO-4: (1629): NAT INSIDE found
NAT detected inside, not outside. Which interface do you use to connect both peers?
MHM
08-29-2024 07:31 AM
The vpn is over the Internet. Both peers are reachable through their public ip addresses. My local real host address is natted to another address before traversing the tunnel.
My side ASA:
Nat(inside_if, outside_if) source static real_address natted_address destination static remote_address remote_address no-proxy-arp
Remote side:
No natting applied for remote address.
08-29-2024 07:36 AM
Nat(inside_if, outside_if) source static real_address natted_address destination static remote_address remote_address no-proxy-arp <<- this NAT is OK if you use the natted address in the VPN ACL.
But the issue is the VPN. Why does NAT detect inside? Which IP do you use for the VPN, the IP of the outside interface?
MHM
08-29-2024 07:41 AM
Yes, the crypto acl sources from my natted ip to remote address.
The natted_address for my real host address is not the same as the public ip address assigned to my outside_if.
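An added illustration, not from either poster, of the point MHM makes about the NAT rule and the crypto ACL: the ASA applies NAT before it consults the crypto map for outbound traffic, so the crypto ACL has to match the translated (natted) source, not the real host. The addresses are constructed from the RFC 5737 documentation ranges because the thread only gives placeholder names; the NAT rule mirrors the one in the post, and the two candidate ACLs are hypothetical.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# poster's placeholders real_address, natted_address and remote_address.
REAL_HOST = "192.0.2.10"
NATTED_HOST = "203.0.113.10"
REMOTE_LAN = "198.51.100.0/24"

# The twice-NAT rule from the post, as data:
# nat (inside_if,outside_if) source static real_address natted_address
#     destination static remote_address remote_address no-proxy-arp
NAT_RULES = [{"src_real": REAL_HOST + "/32", "src_mapped": NATTED_HOST + "/32", "dst": REMOTE_LAN}]

# Two hypothetical crypto ACLs: one written against the translated address (what MHM
# says is required) and one against the real address (the mismatch to avoid).
ACL_NATTED = [{"src": NATTED_HOST + "/32", "dst": REMOTE_LAN}]
ACL_REAL = [{"src": REAL_HOST + "/32", "dst": REMOTE_LAN}]


def apply_outbound_nat(src, dst, rules):
    """Return the source address after ASA twice NAT. For outbound traffic the ASA
    performs NAT before the crypto map lookup, so this is the address the VPN sees."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        real = ipaddress.ip_network(rule["src_real"])
        if s in real and d in ipaddress.ip_network(rule["dst"]):
            mapped = ipaddress.ip_network(rule["src_mapped"])
            # a static translation keeps the host's offset inside the mapped block
            return str(mapped.network_address + (int(s) - int(real.network_address)))
    return src  # no rule matched: the address leaves untranslated


def crypto_acl_matches(src, dst, acl):
    """True when the (src, dst) pair is selected for encryption by the crypto ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(e["src"]) and d in ipaddress.ip_network(e["dst"]) for e in acl)


def will_be_encrypted(real_src, dst, nat_rules, acl):
    """Walk the ASA order of operations: NAT first, then the crypto ACL on the post-NAT pair."""
    post_nat = apply_outbound_nat(real_src, dst, nat_rules)
    return post_nat, crypto_acl_matches(post_nat, dst, acl)


if __name__ == "__main__":
    remote_host = "198.51.100.25"  # constructed host inside the remote LAN
    for name, acl in (("ACL with natted address", ACL_NATTED), ("ACL with real address", ACL_REAL)):
        post_nat, encrypted = will_be_encrypted(REAL_HOST, remote_host, NAT_RULES, acl)
        print(f"{name}: post-NAT source {post_nat}, selected for VPN: {encrypted}")
```

With the ACL written against the natted address the flow is selected for the tunnel; with the real address it silently bypasses the crypto map, which is why the poster's packet-tracer rule (`src ip/id=LocalNatIP`) already shows the translated address as the encrypt-domain source.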
08-29-2024 07:46 AM
So does the remote peer Huawei use the ASA outside IP as the set peer?
If yes, then it is OK.
Last, check whether Huawei runs NAT-T or not.
MHM
08-30-2024 11:51 PM
Hello MHM,
The Huawei router uses my asa's public address as peer address.
Nat traversal is also enabled on the Huawei router.
08-31-2024 04:08 AM
Use capture on the outside of the ASA:
match host <public IP of Huawei>
Share the output here.
Thanks
MHM
09-01-2024 11:28 PM
09-02-2024 11:20 AM
Can you share packet-tracer from the ASA LAN to the Huawei LAN,
and then packet-tracer from the Huawei LAN to the ASA LAN?
Note: don't use the ASA interface IP in packet-tracer; use any other IP from the LAN subnet.
09-03-2024 02:21 PM
Any update?
MHM
09-05-2024 12:19 AM
Waiting for happy news.
MHM
09-06-2024 01:17 AM
Hello,
Below is capture from ASA side.
10 packets captured
1: 06:21:20.006332 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
2: 06:21:25.000610 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
3: 06:21:29.989664 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
4: 06:21:34.990442 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
5: 06:21:40.000808 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
6: 06:21:44.992639 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
7: 06:21:50.008864 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
8: 06:21:54.995065 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
9: 06:22:00.002242 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
10: 06:22:05.004882 ASA_InsideLAN > Huawei_InsideLAN icmp: echo request
I will also share capture from remote end once the remote admin shares me the capture.
Thanks, and I apologize for the delay.