11-02-2023 01:00 AM - edited 11-02-2023 01:52 AM
Hello experts
I have an L2L tunnel I can't seem to get started. It seems to me that Phase 1 is OK, but it fails immediately when trying to pass traffic and establish SAs.
We use PSK with IKEv2.
I have been trying to check the configuration and it seems OK to me. I don't have control over the other side; however, I have checked with them that the proposal, PSK and transform-set are OK.
We have an ASR920 and the other side is an ASR1K. I can't see if there is a config snafu or something else wrong. Is there anyone out there who sees what the problem might be?
I have to obfuscate the config, so it might not be possible to see if there is an address mishap, but any help would be valuable.
I have a debug which ends with TS_UNACCEPTABLE, and AFAIK this points to the crypto map/ACL or PSK, but the ACL/PSK is identical on both sides and I have verified this with the other side of the tunnel.
Adding washed config and a debug as attachments.
11-02-2023 01:29 AM
Hello @erik.hammervold,
NOTIFY(TS_UNACCEPTABLE) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: TS_UNACCEPTABLE
This "TS_UNACCEPTABLE" error suggests that there's a problem with the negotiation of the traffic selectors between the two peers. Traffic selectors define which traffic should be protected by the IPsec tunnel.
You should:
--Double-check that the traffic selectors on both sides of the tunnel match exactly. Ensure that the configured traffic selectors encompass the traffic you want to protect. The error might occur if the traffic selectors are not in sync between peers.
--Make sure the ACL referenced in the crypto map matches the traffic you want to encrypt. The ACL should align with the traffic selectors.
--Confirm that the encryption and hash algorithms used in the transform set 'esp-aes 256 esp-sha-hmac' match on both sides of the tunnel.
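To make the traffic-selector check above concrete, here is an added example (not code from the thread or from Cisco) that models the responder side of IKEv2 TS negotiation as described in RFC 7296 section 2.9: the initiator proposes TSi (its local traffic) and TSr (the remote traffic), the responder intersects both with its own crypto-map ACL and may narrow the result, and an empty intersection is what produces NOTIFY(TS_UNACCEPTABLE). The ACL lines are constructed; the obfuscated 10.xx.0.0 prefix from the post is replaced by the assumed value 10.20.0.0, and only contiguous wildcard masks are handled. It goes slightly beyond the post by also flagging the case where the peer's ACL is narrower than yours, which is accepted by some implementations and rejected by others.

```python
"""IKEv2 traffic-selector negotiation check against Cisco-style crypto-map ACLs.

Added example, not from the thread. A crypto ACL is written from its owner's
point of view (src = local, dst = remote), so the peer's entry must be the
mirror image. The 10.20.0.0 prefix below is an assumed stand-in for 10.xx.0.0.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = (0, 0xFFFFFFFF)  # the keyword "any" covers the whole IPv4 space


@dataclass(frozen=True)
class TS:
    """One IPv4 address range, as carried in an IKEv2 TS_IPV4_ADDR_RANGE."""
    start: int
    end: int

    def intersect(self, other):
        lo, hi = max(self.start, other.start), min(self.end, other.end)
        return TS(lo, hi) if lo <= hi else None

    def __str__(self):
        return f"{IPv4Address(self.start)}-{IPv4Address(self.end)}"


def _addr_spec(tokens):
    """Consume one ACL address spec ('any' | 'host A' | 'A WILDCARD')."""
    if tokens[0] == "any":
        return TS(*ANY), tokens[1:]
    if tokens[0] == "host":
        a = int(IPv4Address(tokens[1]))
        return TS(a, a), tokens[2:]
    a, w = int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))
    # A contiguous wildcard such as 0.0.7.255 is a run of 1 bits, so w+1 is a
    # power of two. Anything else is not a single range and is rejected here.
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {tokens[1]} has no single range")
    base = a & ~w & 0xFFFFFFFF
    return TS(base, base | w), tokens[2:]


def parse_acl_entry(line):
    """'[seq] permit ip <src> <dst>' -> (src TS, dst TS)."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]  # drop the sequence number from show output
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported crypto ACL entry: {line!r}")
    src, rest = _addr_spec(tokens[2:])
    dst, _ = _addr_spec(rest)
    return src, dst


def negotiate(initiator_acl, responder_acl):
    """Responder-side TS selection (RFC 7296 section 2.9).

    The initiator's src becomes TSi and its dst becomes TSr. The responder
    matches TSi against its own dst (remote) and TSr against its own src
    (local). Returns ("TS_UNACCEPTABLE", None, None) when either
    intersection is empty, otherwise ("OK" | "NARROWED", tsi, tsr).
    """
    tsi, tsr = parse_acl_entry(initiator_acl)
    r_local, r_remote = parse_acl_entry(responder_acl)
    sel_i = tsi.intersect(r_remote)
    sel_r = tsr.intersect(r_local)
    if sel_i is None or sel_r is None:
        return "TS_UNACCEPTABLE", None, None
    status = "OK" if (sel_i, sel_r) == (tsi, tsr) else "NARROWED"
    return status, sel_i, sel_r


if __name__ == "__main__":
    mine = "10 permit ip any 10.20.0.0 0.0.7.255"  # constructed, mirrors the post's ACL shape
    peers = (
        "10 permit ip 10.20.0.0 0.0.7.255 any",  # exact mirror image
        "10 permit ip 10.20.0.0 0.0.3.255 any",  # peer uses /22 instead of /21: narrowed
        "10 permit ip 10.21.0.0 0.0.7.255 any",  # wrong prefix: no overlap at all
    )
    for peer in peers:
        status, tsi, tsr = negotiate(mine, peer)
        print(f"{peer!r:45} -> {status}", f"TSi={tsi} TSr={tsr}" if tsi else "")
```

Run it with the peer's ACL pasted in place of the constructed lines. "TS_UNACCEPTABLE" reproduces the notify seen in the debug and means the two ACLs do not overlap at all; "NARROWED" means they overlap but are not mirror images, which a strict crypto-map implementation may still reject, so treat anything other than "OK" as a mismatch to fix.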
11-02-2023 04:44 AM
Hi
Thanks for the reply
Yes, TS_UNACCEPTABLE seems to indicate a problem with the traffic selector, but we have taken an extra look to double- and triple-check this, and I got access to the peer config as well to compare.
The ACL is as simple as we can make it:
Extended IP access list <ACL>
10 permit ip any 10.xx.0.0 0.0.7.255
Also the transform-set has been verified in a side-by-side comparison.
11-02-2023 05:51 AM
OK @erik.hammervold,
Verify that the clocks and timezones on both ASR920 and ASR1K are synchronized. Time differences can cause issues during SA negotiations.
Also, in IKEv2, Child SA parameters need to be compatible on both sides. Make sure that the encryption and integrity algorithms, PFS settings, and lifetime values are identical in the Child SA settings.
Thanks.
11-02-2023 08:03 AM
We got this solved in the end.
The problem was that the ACL, or in some way the traffic selector, did not take effect. It showed all the right values and appeared in show commands etc., but failed to take effect when receiving traffic.
We removed the config and put it back several times, with no change. But we reconfigured with another setup (which also failed) and went back to the original ... suddenly the tunnel came up like magic.
Diffed the config and it's the same.... Anyhow... Solved. Moving on.
11-02-2023 08:09 AM
Great news @erik.hammervold!