
phase 1 ko, impossible to bring up IKEv2 s2s tunnel ASA

MaErre21325
Level 1

Hello everybody,

I'm going crazy trying to understand why an IPsec tunnel is not coming up.

The phase 1 configuration seems correct, but it does not want to come up!

I ran several debugs but can't understand where the problem is. Following are my and the remote peer's configurations and the debug:


peer's side:

PHASE 1:
crypto ikev2 policy 10
encryption aes-256
integrity sha512
group 14
prf sha512
lifetime seconds 86400

PHASE2:
crypto map outside_map 20 set pfs group14
crypto map outside_map 20 set peer 50.x.x.x
crypto map outside_map 20 set ikev2 ipsec-proposal ESP-AES256-SHA512
crypto map outside_map 20 set security-association lifetime seconds 3600

 

my side:

phase1
crypto ikev2 policy 3
encryption aes-256
integrity sha512
group 14
prf sha512
lifetime seconds 86400

phase2
crypto map OUTSIDE_map 13 set pfs
crypto map OUTSIDE_map 13 set peer 100.x.x.x
crypto map OUTSIDE_map 13 set ikev2 ipsec-proposal AES256-SHA512
crypto map OUTSIDE_map 13 set ikev2 pre-shared-key *****
crypto map OUTSIDE_map 13 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 13 set security-association lifetime kilobytes unlimited


The only statements missing on the peer's side are:

crypto map OUTSIDE_map 13 set ikev2 pre-shared-key *****
crypto map OUTSIDE_map 13 set security-association lifetime kilobytes unlimited

Following is my debug:

IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (20060): Setting configured policies
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_PKI_SESH_OPEN
IKEv2-PROTO-7: (20060): Opening a PKI session
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (20060): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2-PROTO-4: (20060): Request queued for computation of DH key
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (20060): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (20060): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 5
(20060): AES-CBC(20060): SHA1(20060): SHA96(20060): DH_GROUP_1536_MODP/Group 5(20060): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-4: (20060): IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
(20060): AES-CBC(20060): SHA256(20060): SHA256(20060): DH_GROUP_2048_MODP/Group 14IKEv2-PROTO-4: (20060): IKE Proposal: 3, SPI size: 0 (initial negotiation),
Num. transforms: 4
(20060): AES-CBC(20060): SHA512(20060): SHA512(20060): DH_GROUP_2048_MODP/Group 14(20060):
IKEv2-PROTO-4: (20060): Sending Packet [To 100.x.x.x:500/From 50.x.x.x:500/VRF i0:f0]
(20060): Initiator SPI : 86CD26F832273889 - Responder SPI : 0000000000000000 Message id: 0
(20060): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (20060): Next payload: SA, version: 2.0 (20060): Exchange type: IKE_SA_INIT, flags: INITIATOR (20060): Message id: 0, length: 550(20060):
Payload contents:
(20060): SA(20060): Next payload: KE, reserved: 0x0, length: 144
(20060): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5(20060): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(20060): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(20060): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(20060): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(20060): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(20060): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4(20060): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(20060): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(20060): KE(20060): Next payload: N, reserved: 0x0, length: 200
(20060): DH group: 5, Reserved: 0x0
(20060):
(20060): 29 00 a5 f6 52 01 89 e2 4b 44 d9 93 cb 79 67 94
(20060): ac 8e 35 a9 24 ae 66 4d 38 8a c5 44 80 04 72 17
(20060): ec 92 dc b1 29 e5 67 03 a8 2c 60 a3 da b4 75 23
(20060): c5 e0 fd bb 19 f1 ae 5d 9c ce 77 cb 3c e9 b3 24
(20060): bd 11 f8 45 9a a5 c1 34 fb 83 0e 7f 81 e9 f6 c7
(20060): de 34 d1 06 2e ea a6 0e 0b 89 eb 38 7a 40 3f c9
(20060): d4 ab b2 dd 4e 49 d5 9a b1 84 f7 53 64 9b 78 a3
(20060): 9b 6a 5a e9 cf 1a 84 a0 01 da a8 1f 6a cb d3 ce
(20060): 0f 84 53 e1 51 f4 e8 73 a8 fd 2f de 2a 90 ad b6
(20060): 03 80 46 5a 1d 5a 1d cf 64 4d 6e d1 f0 76 05 66
(20060): 03 26 92 2e 5f 5b c1 d5 ef ba 51 be 9b 53 6b 6d
(20060): 85 14 56 43 e4 af 29 60 7b b7 05 70 32 ee f2 2c
(20060): N(20060): Next payload: VID, reserved: 0x0, length: 68
(20060):
(20060): b6 4f 2e 50 cd 2f 38 6e cd e9 60 fa 59 b2 f5 3c
(20060): da 30 66 18 ff 9c 6e 8b 0a 67 af 92 86 c2 e9 17
(20060): 0e f4 a6 2d ad ee f6 1c 1d f4 ab 3a b6 ed e0 8d
(20060): 07 76 1b 6a 31 5f c4 cc 07 3c c1 ae a0 ba c2 51
(20060): VID(20060): Next payload: VID, reserved: 0x0, length: 23
(20060):
(20060): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(20060): 53 4f 4e
(20060): VID(20060): Next payload: NOTIFY, reserved: 0x0, length: 59
(20060):
(20060): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(20060): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(20060): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(20060): 73 2c 20 49 6e 63 2e
(20060): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(20060): Next payload: VID, reserved: 0x0, length: 8
(20060): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(20060): VID(20060): Next payload: NONE, reserved: 0x0, length: 20
(20060):
(20060): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(20060):
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (20060): Insert SA
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(20060):
IKEv2-PROTO-4: (20060): Received Packet [From 100.x.x.x:500/To 50.x.x.x:500/VRF i0:f0]
(20060): Initiator SPI : 86CD26F832273889 - Responder SPI : 0000000000000000 Message id: 0
(20060): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (20060): Next payload: NOTIFY, version: 2.0 (20060): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (20060): Message id: 0, length: 38(20060):
Payload contents:
(20060): NOTIFY(INVALID_KE_PAYLOAD)(20060): Next payload: NONE, reserved: 0x0, length: 10
(20060): Security protocol id: IKE, spi size: 0, type: INVALID_KE_PAYLOAD
(20060):
(20060): 00 02
(20060):
(20060): Decrypted packet:(20060): Data: 38 bytes
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (20060): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (20060): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_INV_KE
IKEv2-PROTO-4: (20060): Processing invalid ke notification, we sent group 5, peer prefers group 2
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (20060): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
IKEv2-PROTO-4: (20060): Request queued for computation of DH key
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (20060): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (20060): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 5
(20060): AES-CBC(20060): SHA1(20060): SHA96(20060): DH_GROUP_1536_MODP/Group 5(20060): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-4: (20060): IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
(20060): AES-CBC(20060): SHA256(20060): SHA256(20060): DH_GROUP_2048_MODP/Group 14IKEv2-PROTO-4: (20060): IKE Proposal: 3, SPI size: 0 (initial negotiation),
Num. transforms: 4
(20060): AES-CBC(20060): SHA512(20060): SHA512(20060): DH_GROUP_2048_MODP/Group 14(20060):
IKEv2-PROTO-4: (20060): Sending Packet [To 100.x.x.x:500/From 50.x.x.x:500/VRF i0:f0]
(20060): Initiator SPI : 86CD26F832273889 - Responder SPI : 0000000000000000 Message id: 0
(20060): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (20060): Next payload: SA, version: 2.0 (20060): Exchange type: IKE_SA_INIT, flags: INITIATOR (20060): Message id: 0, length: 486(20060):
Payload contents:
(20060): SA(20060): Next payload: KE, reserved: 0x0, length: 144
(20060): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5(20060): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(20060): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(20060): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(20060): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(20060): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(20060): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4(20060): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(20060): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(20060): KE(20060): Next payload: N, reserved: 0x0, length: 136
(20060): DH group: 2, Reserved: 0x0
(20060):
(20060): e6 df 46 72 ba dc ce e1 24 93 57 31 7e 1f d8 35
(20060): b2 a1 14 e0 bc 13 15 0d af a8 dd 5f 63 3f 13 72
(20060): 1e 65 89 9a cb 1c 99 62 e7 eb 81 9e 2a c2 a4 62
(20060): da 74 2e 7a d1 7a e2 c7 18 79 b4 f4 6d d8 1a 60
(20060): cf d1 d4 13 bc 48 6e 0f 3a 42 f5 d2 e7 9f 7d 93
(20060): ab c9 92 cd 18 d2 59 54 91 6d c5 dd 00 91 04 92
(20060): 77 1c eb 3a 2e 1c 41 ae 84 77 8f 5f e8 4d eb 75
(20060): 42 c0 ac 8f cf c3 a5 c6 5a 82 9b d7 9e fe 04 dd
(20060): N(20060): Next payload: VID, reserved: 0x0, length: 68
(20060):
(20060): e5 32 54 dd 67 8c ee a4 5c 90 e9 7d 18 ec c7 78
(20060): b6 b8 a1 48 99 96 92 7b 9f 47 b9 d3 ac 79 e9 2d
(20060): ab 4d ec b4 c4 14 f7 3f 4b dc 15 e2 c6 45 d6 1c
(20060): 52 88 87 20 0e 8b 23 38 e0 a3 0d 96 42 e0 c9 b7
(20060): VID(20060): Next payload: VID, reserved: 0x0, length: 23
(20060):
(20060): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(20060): 53 4f 4e
(20060): VID(20060): Next payload: NOTIFY, reserved: 0x0, length: 59
(20060):
(20060): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(20060): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(20060): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(20060): 73 2c 20 49 6e 63 2e
(20060): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(20060): Next payload: VID, reserved: 0x0, length: 8
(20060): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(20060): VID(20060): Next payload: NONE, reserved: 0x0, length: 20
(20060):
(20060): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(20060):
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(20060):
IKEv2-PROTO-4: (20060): Received Packet [From 100.x.x.x:500/To 50.x.x.x:500/VRF i0:f0]
(20060): Initiator SPI : 86CD26F832273889 - Responder SPI : D92B13B3765EEB57 Message id: 0
(20060): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (20060): Next payload: SA, version: 2.0 (20060): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (20060): Message id: 0, length: 475(20060):
Payload contents:
(20060): SA(20060): Next payload: KE, reserved: 0x0, length: 48
(20060): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(20060): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(20060): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(20060): KE(20060): Next payload: N, reserved: 0x0, length: 136
(20060): DH group: 2, Reserved: 0x0
(20060):
(20060): bd be 36 98 0d 93 60 ad b9 7c 52 2f 22 08 6f ff
(20060): 9c e7 7f 8e 13 51 2c 86 06 3e 92 52 ee 17 75 dc
(20060): 38 e8 a8 96 27 1f 59 92 02 03 ba ad 23 a2 0d 30
(20060): 51 b3 90 16 46 2e 00 1d d9 68 f1 29 0c 2a 02 21
(20060): bd 12 1a 4a d5 c4 4d ce ef d1 b3 b1 21 cf 7f 0b
(20060): e5 54 41 04 0f 4e 6b 2f a8 48 4c f6 de 22 35 03
(20060): 9c ca 31 a2 d2 e6 83 42 97 5f fe 20 3d 22 95 f2
(20060): ee bd fe 0c 5d e4 27 9c 45 2f d5 70 75 8c a2 96
(20060): N(20060): Next payload: VID, reserved: 0x0, length: 68
(20060):
(20060): 8d 2c 1e 59 02 7f fa 02 fa 12 a4 70 6e f6 90 72
(20060): 40 be 1f 2a 23 88 5d 13 ae 95 c4 d0 6e 2c f1 ce
(20060): 1c 8b 86 f5 98 ce d5 95 7b 3a 5c 66 f3 6b 72 f7
(20060): 6d cf 91 9a d0 ac 01 a8 04 98 30 af 00 f7 de 61
(20060): VID(20060): Next payload: VID, reserved: 0x0, length: 23
(20060):
(20060): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(20060): 53 4f 4e
(20060): VID(20060): Next payload: CERTREQ, reserved: 0x0, length: 59
(20060):
(20060): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(20060): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(20060): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(20060): 73 2c 20 49 6e 63 2e
(20060): CERTREQ(20060): Next payload: NOTIFY, reserved: 0x0, length: 85
(20060): Cert encoding X.509 Certificate - signature
(20060): CertReq data: 80 bytes
(20060): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(20060): Next payload: VID, reserved: 0x0, length: 8
(20060): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(20060): VID(20060): Next payload: NONE, reserved: 0x0, length: 20
(20060):
(20060): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(20060):
(20060): Decrypted packet:(20060): Data: 475 bytes
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (20060): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (20060): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (20060): Verify SA init message
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (20060): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (20060): Process NAT discovery notify
IKEv2-PROTO-4: (20060): NAT-T is disabled
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (20060): Checking NAT discovery
IKEv2-PROTO-4: (20060): NAT not found
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (20060): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
IKEv2-PROTO-4: (20060): Request queued for computation of DH secret
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (20060): Generate skeyid
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-4: (20060): IETF Fragmentation is enabled
IKEv2-PROTO-4: (20060): Cisco Fragmentation is enabled
IKEv2-PROTO-7: (20060): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-4: (20060): Completed SA init exchange
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (20060): Check for EAP exchange
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (20060): Generate my authentication data
IKEv2-PROTO-4: (20060): Use preshared key for id 50.x.x.x, key len 24
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (20060): Get my authentication method
IKEv2-PROTO-4: (20060): My authentication method is 'PSK'
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (20060): Check for EAP exchange
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (20060): Generating IKE_AUTH message
IKEv2-PROTO-4: (20060): Constructing IDi payload: '50.x.x.x' of type 'IPv4 address'
IKEv2-PROTO-4: (20060): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(20060): AES-CBC(20060): SHA512(20060): Don't use ESNIKEv2-PROTO-4: (20060): Building packet for encryption.
(20060):
Payload contents:
(20060): VID(20060): Next payload: IDi, reserved: 0x0, length: 20
(20060):
(20060): 84 cd 27 f8 21 10 cb ce 1f 1d 88 4c 12 ea 3c e9
(20060): IDi(20060): Next payload: AUTH, reserved: 0x0, length: 12
(20060): Id type: IPv4 address, Reserved: 0x0 0x0
(20060):
(20060): 50 5e 70 35
(20060): AUTH(20060): Next payload: SA, reserved: 0x0, length: 28
(20060): Auth method PSK, reserved: 0x0, reserved 0x0
(20060): Auth data: 20 bytes
(20060): SA(20060): Next payload: TSi, reserved: 0x0, length: 44
(20060): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(20060): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(20060): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(20060): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(20060): TSi(20060): Next payload: TSr, reserved: 0x0, length: 40
(20060): Num of TSs: 2, reserved 0x0, reserved 0x0
(20060): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(20060): start port: 0, end port: 65535
(20060): start addr: 10.149.112.135, end addr: 10.149.112.135
(20060): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(20060): start port: 0, end port: 65535
(20060): start addr: 10.149.112.128, end addr: 10.149.112.191
(20060): TSr(20060): Next payload: NOTIFY, reserved: 0x0, length: 40
(20060): Num of TSs: 2, reserved 0x0, reserved 0x0
(20060): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(20060): start port: 0, end port: 65535
(20060): start addr: 10.60.190.100, end addr: 10.60.190.100
(20060): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(20060): start port: 0, end port: 65535
(20060): start addr: 10.60.190.0, end addr: 10.60.190.255
(20060): NOTIFY(INITIAL_CONTACT)(20060): Next payload: NOTIFY, reserved: 0x0, length: 8
(20060): Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(20060): NOTIFY(ESP_TFC_NO_SUPPORT)(20060): Next payload: NOTIFY, reserved: 0x0, length: 8
(20060): Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(20060): NOTIFY(NON_FIRST_FRAGS)(20060): Next payload: NONE, reserved: 0x0, length: 8
(20060): Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(20060):
IKEv2-PROTO-4: (20060): Sending Packet [To 100.x.x.x:500/From 50.x.x.x:500/VRF i0:f0]
(20060): Initiator SPI : 86CD26F832273889 - Responder SPI : D92B13B3765EEB57 Message id: 1
(20060): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (20060): Next payload: ENCR, version: 2.0 (20060): Exchange type: IKE_AUTH, flags: INITIATOR (20060): Message id: 1, length: 284(20060):
Payload contents:
(20060): ENCR(20060): Next payload: VID, reserved: 0x0, length: 256
(20060): Encrypted data: 252 bytes
(20060):
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (20060): Check for EAP exchange
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
(20060):
IKEv2-PROTO-4: (20060): Received Packet [From 100.x.x.x:500/To 50.x.x.x:500/VRF i0:f0]
(20060): Initiator SPI : 86CD26F832273889 - Responder SPI : D92B13B3765EEB57 Message id: 1
(20060): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (20060): Next payload: ENCR, version: 2.0 (20060): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (20060): Message id: 1, length: 236(20060):
Payload contents:
(20060):
(20060): Decrypted packet:(20060): Data: 236 bytes
(20060): REAL Decrypted packet:(20060): Data: 168 bytes
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (20060): Process auth response notify
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (20060): Searching policy based on peer's identity '100.x.x.x' of type 'IPv4 address'
IKEv2-PLAT-4: (20060): Site to Site connection detected
IKEv2-PLAT-4: (20060): P1 ID = 0
IKEv2-PLAT-4: (20060): Translating IKE_ID_AUTO to = 255
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (20060): Verify peer's policy
IKEv2-PROTO-4: (20060): Peer's policy verified
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (20060): Get peer's authentication method
IKEv2-PROTO-4: (20060): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (20060): Get peer's preshared key for 100.x.x.x
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (20060): Verify peer's authentication data
IKEv2-PROTO-4: (20060): Use preshared key for id 100.x.x.x, key len 24
IKEv2-PROTO-4: (20060): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (20060): Check for EAP exchange
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PLAT-4: (20060): Completed authentication for connection
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (20060): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_SA_TS
IKEv2-PROTO-4: (20060): Processing IKE_AUTH message
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (20060): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2-PROTO-4: (20060): Session with IKE ID PAIR (100.x.x.x, 50.x.x.x) is UP
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-4: (20060): connection auth hdl set to 170
IKEv2-PLAT-4: (20060): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-4: (20060): idle timeout set to: 30
IKEv2-PLAT-4: (20060): session timeout set to: 0
IKEv2-PLAT-4: (20060): group policy set to GroupPolicy_L2L_IKEv2
IKEv2-PLAT-4: (20060): class attr set
IKEv2-PLAT-4: (20060): tunnel protocol set to: 0x40
IKEv2-PLAT-4: (20060): IPv4 filter ID not configured for connection
IKEv2-PLAT-4: (20060): group lock set to: none
IKEv2-PLAT-4: (20060): IPv6 filter ID not configured for connection
IKEv2-PLAT-4: (20060): connection attributes set valid to TRUE
IKEv2-PLAT-4: (20060): Successfully retrieved conn attrs
IKEv2-PLAT-4: (20060): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-4: (20060): connection auth hdl set to -1
IKEv2-PROTO-4: (20060): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC
IKEv2-PROTO-4: (20060): Load IPSEC key material
IKEv2-PLAT-4: (20060): Base MTU get: 0
IKEv2-PLAT-4: (20060): Queued Outbound PFKEY MSG
IKEv2-PLAT-4: (20060): Base MTU get: 0
IKEv2-PLAT-4: (20060): Queued Inbound PFKEY MSG
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IPSEC: New embryonic SA created @ 0x000000ffc3ceefb0,
SCB : 0xAAFFE320,
Direction : outbound
SPI : 0xC2F6AE76
Session ID : 0x04A7D000
VPIF num : 0x000A0003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
SA handle : 0xD9B2533B
Rule Lookup for local 10.149.112.128 to remote 10.60.190.0
Crypto map: peer 100.x.x.x doesn't match map entry
Crypto map: peer 100.x.x.x doesn't match map entry
Crypto map OUTSIDE_map seq 3: no proposals
Crypto map: peer 100.x.x.x doesn't match map entry
Crypto map OUTSIDE_map seq 5: no proposals
Crypto map OUTSIDE_map seq 6: no proposals
Crypto map: peer 100.x.x.x doesn't match map entry
Crypto map OUTSIDE_map seq 8: no proposals
Crypto map OUTSIDE_map seq 9: no proposals
Crypto map OUTSIDE_map seq 10: no proposals
Crypto map OUTSIDE_map seq 11: no proposals
Crypto map: peer 100.x.x.x doesn't match map entry
PROXY MATCH on crypto map OUTSIDE_map seq 13
IPSEC DEBUG: Using NP outbound permit rule for SPI 0xC2F6AE76
IPSEC: Completed host OBSA update, SPI 0xC2F6AE76
IPSEC: Creating outbound VPN context, SPI 0xC2F6AE76
Flags: 0x00000005
SA : 0x000000ffc3ceefb0
SPI : 0xC2F6AE76
MTU : 1500 bytes
VCID : 0x0000000A
Peer : 0x00000000
SCB : 0x1E13ABCB
Channel: 0x0000005557a3bb80
IPSEC: Completed outbound VPN context, SPI 0xC2F6AE76
VPN handle: 0x000000002a66dc4c
IPSEC: New outbound encrypt rule, SPI 0xC2F6AE76
Src addr: 10.149.112.128
Src mask: 255.255.255.192
Dst addr: 10.60.190.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xC2F6AE76
Rule ID: 0x000000ffaaff85b0
IPSEC: New outbound permit rule, SPI 0xC2F6AE76
Src addr: 50.x.x.x
Src mask: 255.255.255.255
Dst addr: 100.x.x.x
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xC2F6AE76
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xC2F6AE76
Rule ID: 0x000000ffc2b6ac80
IPSEC: New embryonic SA created @ 0x000000ffe3ef4d90,
SCB : 0xE13FB850,
Direction : inbound
SPI : 0xACD0E053
Session ID : 0x04A7D000
VPIF num : 0x000A0003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
SA handle : 0x0B1AD905
Rule Lookup for local 10.149.112.128 to remote 10.60.190.0
Crypto map: peer 100.x.x.x doesn't match map entry
Crypto map: peer 100.x.x.x doesn't match map entry
Crypto map OUTSIDE_map seq 3: no proposals
Crypto map: peer 100.x.x.x doesn't match map entry
Crypto map OUTSIDE_map seq 5: no proposals
Crypto map OUTSIDE_map seq 6: no proposals
Crypto map: peer 100.x.x.x doesn't match map entry
Crypto map OUTSIDE_map seq 8: no proposals
Crypto map OUTSIDE_map seq 9: no proposals
Crypto map OUTSIDE_map seq 10: no proposals
Crypto map OUTSIDE_map seq 11: no proposals
Crypto map: peer 100.x.x.x doesn't match map entry
PROXY MATCH on crypto map OUTSIDE_map seq 13
IPSEC DEBUG: Using NP inbound permit rule for SPI 0xACD0E053
IPSEC: Completed host IBSA update, SPI 0xACD0E053
IPSEC: Creating inbound VPN context, SPI 0xACD0E053
Flags: 0x00000006
SA : 0x000000ffe3ef4d90
SPI : 0xACD0E053
MTU : 0 bytes
VCID : 0x0000000A
Peer : 0x2A66DC4C
SCB : 0x7A34DDFD
Channel: 0x0000005557a3bb80
IPSEC: Completed inbound VPN context, SPI 0xACD0E053
VPN handle: 0x000000002a66fb8c
IPSEC: Updating outbound VPN context 0x2A66DC4C, SPI 0xC2F6AE76
Flags: 0x00000005
SA : 0x000000ffc3ceefb0
SPI : 0xC2F6AE76
MTU : 1500 bytes
VCID : 0x0000000A
Peer : 0x2A66FB8C
SCB : 0x1E13ABCB
Channel: 0x0000005557a3bb80
IPSEC: Completed outbound VPN context, SPI 0xC2F6AE76
VPN handle: 0x000000002a66dc4c
IPSEC: Completed outbound inner rule, SPI 0xC2F6AE76
Rule ID: 0x000000ffaaff85b0
IPSEC: Completed outbound outer SPD rule, SPI 0xC2F6AE76
Rule ID: 0x000000ffc2b6ac80
IPSEC: New inbound tunnel flow rule, SPI 0xACD0E053
Src addr: 10.60.190.0
Src mask: 255.255.255.0
Dst addr: 10.149.112.128
Dst mask: 255.255.255.192
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xACD0E053
Rule ID: 0x000000ffab00ea30
IPSEC: New inbound decrypt rule, SPI 0xACD0E053
Src addr: 100.x.x.x
Src mask: 255.255.255.255
Dst addr: 50.x.x.x
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xACD0E053
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xACD0E053
Rule ID: 0x000000ffa92d0c60
IPSEC: New inbound permit rule, SPI 0xACD0E053
Src addr: 100.x.x.x
Src mask: 255.255.255.255
Dst addr: 50.x.x.x
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xACD0E053
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xACD0E053
Rule ID: 0x000000ffc2f6eee0
IKEv2-PLAT-4: (20060): PSH added CTM sa hdl 186308869
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK_RECD_LOAD_IPSEC
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-4: (20060): SA FO event generated - success
IKEv2-PROTO-4: (20060): DPD timer started for 10 secs
IKEv2-PROTO-7: (20060): Accounting not required
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PARENT_NEG_COMPLETE
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-7: (20060): Closing the PKI session
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (20060): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (20060): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: READY Event: EV_I_OK
IKEv2-PROTO-7: (20060): Deleting negotiation context for my message ID: 0x1

(20060):
IKEv2-PROTO-4: (20060): Received Packet [From 100.x.x.x:500/To 50.x.x.x:500/VRF i0:f0]
(20060): Initiator SPI : 86CD26F832273889 - Responder SPI : D92B13B3765EEB57 Message id: 0
(20060): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (20060): Next payload: ENCR, version: 2.0 (20060): Exchange type: INFORMATIONAL, flags: RESPONDER (20060): Message id: 0, length: 76(20060):
Payload contents:
IKEv2-PLAT-4: (20060): Decrypt success status returned via ipc 1
(20060):
(20060): Decrypted packet:(20060): Data: 76 bytes
(20060): REAL Decrypted packet:(20060): Data: 12 bytes
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: READY Event: EV_RECV_INFO_REQ
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: INFO_R Event: EV_RECV_INFO_REQ
IKEv2-PROTO-4: (20060): Building packet for encryption.
(20060):
Payload contents:
(20060): DELETE(20060): Next payload: NONE, reserved: 0x0, length: 12
(20060): Security protocol id: ESP, spi size: 4, num of spi: 1
(20060):
(20060): ac d0 e0 53
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: INFO_R Event: EV_ENCRYPT_MSG
IKEv2-PLAT-4: (20060): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: INFO_R Event: EV_NO_EVENT
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: INFO_R Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: INFO_R Event: EV_TRYSEND
(20060):
IKEv2-PROTO-4: (20060): Sending Packet [To 100.x.x.x:500/From 50.x.x.x:500/VRF i0:f0]
(20060): Initiator SPI : 86CD26F832273889 - Responder SPI : D92B13B3765EEB57 Message id: 0
(20060): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (20060): Next payload: ENCR, version: 2.0 (20060): Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE (20060): Message id: 0, length: 76(20060):
Payload contents:
(20060): ENCR(20060): Next payload: DELETE, reserved: 0x0, length: 48
(20060): Encrypted data: 44 bytes
(20060):
IKEv2-PLAT-5: (20060): SENT PKT [INFORMATIONAL] [50.x.x.x]:500->[100.x.x.x]:500 InitSPI=0x86cd26f832273889 RespSPI=0xd92b13b3765eeb57 MID=00000000
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: INFO_R Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: INFO_R Event: EV_RECV_DEL
IKEv2-PROTO-4: (20060): Process delete request from peer
IKEv2-PROTO-4: (20060): Processing DELETE INFO message for IPsec SA [SPI: 0xC2F6AE76]
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: INFO_R Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-4: (20060): Check for existing active SA
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: INFO_R Event: EV_START_DEL_NEG_TMR
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (20060): Sent response with message id 0, Requests can be accepted from range 1 to 1
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: EXIT Event: EV_NO_EVENT
IPSEC DEBUG: Outbound SA (SPI 0xC2F6AE76) destroy started, state active
IPSEC DEBUG: Outbound SA (SPI 0xC2F6AE76) free started, state active
IPSEC DEBUG: Deleting the outbound encrypt rule for SPI 0xC2F6AE76
IPSEC: Deleted outbound encrypt rule, SPI 0xC2F6AE76
Rule ID: 0x000000ffaaff85b0
IPSEC DEBUG: Deleting the outbound permit rule for SPI 0xC2F6AE76
IPSEC: Deleted outbound permit rule, SPI 0xC2F6AE76
Rule ID: 0x000000ffc2b6ac80
IPSEC DEBUG: Deleting the Outbound VPN context for SPI 0xC2F6AE76
IPSEC: Deleted outbound VPN context, SPI 0xC2F6AE76
VPN handle: 0x000000002a66dc4c
IPSEC DEBUG: Inbound SA (SPI 0xACD0E053) destroy started, state active
IPSEC DEBUG: Inbound SA (SPI 0xACD0E053) free started, state active
IPSEC DEBUG: Deleting the inbound decrypt rule for SPI 0xACD0E053
IPSEC: Deleted inbound decrypt rule, SPI 0xACD0E053
Rule ID: 0x000000ffa92d0c60
IPSEC DEBUG: Deleting the inbound permit rule for SPI 0xACD0E053
IPSEC: Deleted inbound permit rule, SPI 0xACD0E053
Rule ID: 0x000000ffc2f6eee0
IPSEC DEBUG: Deleting the inbound tunnel flow rule for SPI 0xACD0E053
IPSEC: Deleted inbound tunnel flow rule, SPI 0xACD0E053
Rule ID: 0x000000ffab00ea30
IPSEC DEBUG: Deleting the Inbound VPN context for SPI 0xACD0E053
IPSEC: Deleted inbound VPN context, SPI 0xACD0E053
VPN handle: 0x000000002a66fb8c
IKEv2-PROTO-7: (20060): Request has mess_id 1; expected 1 through 1

(20060):
IKEv2-PROTO-4: (20060): Received Packet [From 100.x.x.x:500/To 50.x.x.x:500/VRF i0:f0]
(20060): Initiator SPI : 86CD26F832273889 - Responder SPI : D92B13B3765EEB57 Message id: 1
(20060): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (20060): Next payload: ENCR, version: 2.0 (20060): Exchange type: INFORMATIONAL, flags: RESPONDER (20060): Message id: 1, length: 76(20060):
Payload contents:
IKEv2-PLAT-4: (20060): Decrypt success status returned via ipc 1
(20060):
(20060): Decrypted packet:(20060): Data: 76 bytes
(20060): REAL Decrypted packet:(20060): Data: 8 bytes
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: READY Event: EV_RECV_INFO_REQ
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_RECV_INFO_REQ
IKEv2-PROTO-4: (20060): Building packet for encryption.
(20060):
Payload contents:
(20060): DELETE(20060): Next payload: NONE, reserved: 0x0, length: 8
(20060): Security protocol id: IKE, spi size: 0, num of spi: 0
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_ENCRYPT_MSG
IKEv2-PLAT-4: (20060): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_NO_EVENT
IKEv2-PROTO-7: (20060): Locked SA.Event EV_FREE_NEG queued in the state EXIT
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_TRYSEND
(20060):
IKEv2-PROTO-4: (20060): Sending Packet [To 100.x.x.x:500/From 50.x.x.x:500/VRF i0:f0]
(20060): Initiator SPI : 86CD26F832273889 - Responder SPI : D92B13B3765EEB57 Message id: 1
(20060): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (20060): Next payload: ENCR, version: 2.0 (20060): Exchange type: INFORMATIONAL, flags: INITIATOR MSG-RESPONSE (20060): Message id: 1, length: 76(20060):
Payload contents:
(20060): ENCR(20060): Next payload: DELETE, reserved: 0x0, length: 48
(20060): Encrypted data: 44 bytes
(20060):
IKEv2-PLAT-5: (20060): SENT PKT [INFORMATIONAL] [50.x.x.x]:500->[100.x.x.x]:500 InitSPI=0x86cd26f832273889 RespSPI=0xd92b13b3765eeb57 MID=00000001
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_RECV_DEL
IKEv2-PROTO-4: (20060): Process delete request from peer
IKEv2-PROTO-4: (20060): Processing DELETE INFO message for IKEv2 SA [ISPI: 0x86CD26F832273889 RSPI: 0xD92B13B3765EEB57]
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-4: (20060): Check for existing active SA
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_STOP_ACCT
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_IPSEC_DEL
IKEv2-PROTO-4: (20060): Delete all IKE SAs
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: INFO_R Event: EV_START_DEL_NEG_TMR
IKEv2-PROTO-7: (20060): Action: Action_Null
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-7: (20060): Sent response with message id 1, Requests can be accepted from range 2 to 2
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000001 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (R) MsgID = 00000000 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-7: (20060): Deleting negotiation context for peer message ID: 0x0
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: READY Event: EV_RECV_DEL
IKEv2-PROTO-7: (20060): SM Trace-> SA: I_SPI=86CD26F832273889 R_SPI=D92B13B3765EEB57 (I) MsgID = 00000001 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-4: (20060): Deleting SA
IKEv2-PLAT-2: (20060): crypto map peer index gets reset for tag OUTSIDE_map and seqno 13
IKEv2-PLAT-4: (20060): IKEv2 session deregistered from session manager. Reason: 4
IKEv2-PLAT-4: (20060): session manager killed ikev2 tunnel. Reason: User Requested
IKEv2-PLAT-4: (20060): Deleted associated IKE flow: OUTSIDE, 50.x.x.x:62465 <-> 100.x.x.x:62465
IKEv2-PLAT-4: (20060): PSHd

dcleanup
IKEv2-PLAT-4: (20060): PSH removed CTM sa hdl 186308869

 

What should I do to bring it up?

The ACLs are correctly done to allow traffic.

Thanks for your reply.

 

Accepted Solution

MaErre21325
Level 1

Hi guys,

After a troubleshooting session, I found the problem was on the peer's side and was due to routing issues. Indeed, after setting up the VPN with IKEv1, the tunnel came up, but I was able to see routing issues.

With IKEv2 the tunnel used to stay up for only a few seconds, leaving us unable to understand the problem.

Thanks for your advice.

5 Replies

Marvin Rhoads
Hall of Fame

The only thing that jumped out at me in the debug was "IKEv2-PROTO-4: (20060): Process delete request from peer". That seems to indicate the peer is deleting the SA for some reason.
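The observation in the reply above can be checked mechanically. The following is an added example, not part of the thread or of any Cisco tooling: a small Python triage script that reads ASA IKEv2/IPsec debug output and reports whether the IKE SA came up and which side asked for the delete. The function names `summarize` and `verdict` are hypothetical, and only message formats that appear in this thread's debug output are matched.

```python
import re

# Constructed sample: lines copied from the debug output posted in this thread.
SAMPLE = """\
IKEv2-PROTO-4: (20060): Session with IKE ID PAIR (100.x.x.x, 50.x.x.x) is UP
PROXY MATCH on crypto map OUTSIDE_map seq 13
IKEv2-PROTO-4: (20060): Process delete request from peer
IKEv2-PROTO-4: (20060): Processing DELETE INFO message for IPsec SA [SPI: 0xC2F6AE76]
IKEv2-PROTO-4: (20060): Process delete request from peer
IKEv2-PROTO-4: (20060): Processing DELETE INFO message for IKEv2 SA [ISPI: 0x86CD26F832273889 RSPI: 0xD92B13B3765EEB57]
IKEv2-PLAT-4: (20060): session manager killed ikev2 tunnel. Reason: User Requested
"""

# (event name, pattern); the "(20060)" style number is the connection id.
PATTERNS = [
    ("IKE_UP", re.compile(r"\((\d+)\): Session with IKE ID PAIR \((\S+), (\S+)\) is UP")),
    ("CHILD_MATCH", re.compile(r"PROXY MATCH on crypto map (\S+) seq (\d+)")),
    ("PEER_DEL", re.compile(r"\((\d+)\): Process delete request from peer")),
    ("DEL_INFO", re.compile(
        r"\((\d+)\): Processing DELETE INFO message for (IPsec|IKEv2) SA \[(.+?)\]")),
    ("KILLED", re.compile(r"\((\d+)\): session manager killed ikev2 tunnel\. Reason: (.+)")),
]

def summarize(debug_text):
    """Return ordered events as (kind, conn_id, origin, detail) tuples."""
    events, peer_requested = [], set()
    for line in debug_text.splitlines():
        for name, rx in PATTERNS:
            m = rx.search(line)
            if m is None:
                continue
            if name == "IKE_UP":
                events.append(("IKE_UP", m.group(1), None, f"{m.group(2)} <-> {m.group(3)}"))
            elif name == "CHILD_MATCH":
                events.append(("CHILD_MATCH", None, None, f"{m.group(1)} seq {m.group(2)}"))
            elif name == "PEER_DEL":
                # Remember that the next DELETE on this connection came from the peer.
                peer_requested.add(m.group(1))
            elif name == "DEL_INFO":
                conn = m.group(1)
                origin = "peer" if conn in peer_requested else "local"
                peer_requested.discard(conn)
                events.append((f"DELETE_{m.group(2).upper()}", conn, origin, m.group(3)))
            else:  # KILLED
                events.append(("KILLED", m.group(1), None, m.group(2).strip()))
            break
    return events

def verdict(events):
    """Classify the capture from the order of the events."""
    kinds = [e[0] for e in events]
    if "IKE_UP" not in kinds:
        return "IKE SA never reached UP"
    for kind, _, origin, _ in events[kinds.index("IKE_UP") + 1:]:
        if kind.startswith("DELETE_"):
            return f"established, then deleted by {origin}"
    return "established, no delete seen"

if __name__ == "__main__":
    evts = summarize(SAMPLE)
    for e in evts:
        print(e)
    print(verdict(evts))
```

A result of "established, then deleted by peer" means the local negotiation completed, so the next place to look is the remote device's own debug and configuration.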

Hi Marvin,

Yes, it's strange. I've attached the peer's debug, which actually shows no issues...

What is strange for me in my log is "IKEv2-PROTO-4: (20060): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5". We are using DH group 14, so why does it show DH 5?

@MaErre21325 check the PFS DH group on your side. The peer has been explicitly configured with DH group 14 under the crypto map configuration, but your configuration does not state the DH group. However, it could be just that you are running a newer ASA version and DH group 14 is the default.

 

crypto map OUTSIDE_map 13 set pfs

 

Hi @Rob Ingram,

Yes, it was the first thing I checked. DH group 14 isn't explicitly configured because it's the default group for my version, 9.14.2.13.

The peer has version 9.14(2)15.

 
