Problem with 2 times phase 2 Ipsec

darkmen11 · ‎01-02-2024

Hello, I'm experiencing disconnections on my IPsec VPN, probably due to a double initiation of Phase 2. Here is an excerpt from the 'show crypto ipsec sa' command.

interface: GigabitEthernet0/0/1
Crypto map tag: VPNMAP, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
current_peer x.X.X.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Tunnel61
Crypto map tag: Tunnel61-head-0, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={}
#pkts encaps: 1522, #pkts encrypt: 1522, #pkts digest: 1522
#pkts decaps: 1768, #pkts decrypt: 1768, #pkts verify: 1768
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x6AC9659E(1791583646)
PFS (Y/N): Y, DH group: group5

inbound esp sas:
spi: 0xA65BBC56(2791029846)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9297, flow_id: ESG:7297, sibling_flags FFFFFFFF80000048, crypto map: Tunnel61-head-0
sa timing: remaining key lifetime (k/sec): (4606650/3539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6AC9659E(1791583646)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9298, flow_id: ESG:7298, sibling_flags FFFFFFFF80000048, crypto map: Tunnel61-head-0
sa timing: remaining key lifetime (k/sec): (4607879/3539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: XX.X.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Can You please help me and tell me where is the problem ?

Thankyou

MHM Cisco World · ‎01-03-2024

can I see the config of router or ASA ?
MHM

darkmen11 · ‎01-03-2024

This is the configuration of router show running :

version 15.5

no service pad

service tcp-keepalives-in

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

no platform punt-keepalive disable-kernel-core

!

hostname XXXX_WH_SaaS_1

!

boot-start-marker

boot-end-marker

!

vrf definition Mgmt-intf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

logging buffered 512000

enable secret 5 $1$qyoK$NeNsTMb31WJail7.RDfZQ.

!

no aaa new-model

clock timezone UTC 1 0

clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00

no ip source-route

!

subscriber templating

!

multilink bundle-name authenticated

!

license udi pid ISR4331/K9 sn FXXXXXX

!

spanning-tree extend system-id

!

username snuk secret 5 $1$zd0I$yCm8pvklX5MBW3K9bl8dz1

!

redundancy

mode none

!

vlan internal allocation policy ascending

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 5

lifetime 1800

crypto isakmp key KFebB9D98kYT892y6xse address 1.1.1.1

!

crypto ipsec transform-set TS-ACSEP esp-aes esp-sha-hmac

mode tunnel

crypto ipsec transform-set VPN-ACSEP esp-aes esp-sha-hmac

mode tunnel

!

crypto ipsec profile ACSEP

set transform-set VPN-ACSEP

set pfs group5

!

crypto map VPNMAP 10 ipsec-isakmp

set peer 1.1.1.1

set transform-set TS-ACSEP

match address VPN-ACSEP

!

interface Loopback0

ip address 102.10.1.1 255.255.255.255

!

interface Tunnel61

ip unnumbered GigabitEthernet0/0/1

tunnel source 2.2.2.2

tunnel mode ipsec ipv4

tunnel destination 1.1.1.1

tunnel protection ipsec profile ACSEP

!

interface GigabitEthernet0/0/0

description ## XXXX_WH_SaaS_Core ##

ip address 3.3.3.3 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

negotiation auto

!

interface GigabitEthernet0/0/1

description ## Internet Circuit ##

ip address 2.2.2.2 255.255.255.248

ip nat outside

negotiation auto

crypto map VPNMAP

!

interface GigabitEthernet0/0/2

no ip address

shutdown

negotiation auto

!

interface GigabitEthernet0/1/0

description ## XXXX_WH_SaaS Interlink ##

switchport access vlan 20

switchport mode access

!

interface GigabitEthernet0/1/1

!

interface GigabitEthernet0/1/2

!

interface GigabitEthernet0/1/3

!

interface GigabitEthernet0

vrf forwarding Mgmt-intf

no ip address

shutdown

negotiation auto

!

interface Vlan1

no ip address

shutdown

!

interface Vlan20

description ## XXXX_WH_SaaS Interlink ##

ip address 102.10.10.33 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

!

router eigrp 102

network 102.10.0.0 0.0.255.255

!

ip nat inside source route-map internet interface GigabitEthernet0/0/1 overload

ip forward-protocol nd

no ip http server

no ip http secure-server

ip tftp source-interface GigabitEthernet0

ip route 0.0.0.0 0.0.0.0 90.102.6.214 name Internet_Main

ip route 172.27.140.0 255.255.255.0 Tunnel61

!

ip access-list extended VPN-ACSEP

permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255

!

access-list 5 permit 102.10.0.0 0.0.255.255

!

route-map internet permit 10

match ip address 5

!

route-map REDI_Static permit 10

match tag 999

!

control-plane

!

banner motd ^CCC

*********************************************************************

*

W A R N I N G *

*

Only authorised personel can access and only for official purpose. *

Any unauthorised access will be punished by the law. *

All accesses and usages are being logged. *

*

*********************************************************************

^C

!

line con 0

exec-timeout 5 0

login local

stopbits 1

line aux 0

stopbits 1

line vty 0 4

exec-timeout 5 0

login local

transport input telnet

line vty 5 15

exec-timeout 5 0

login local

transport input telnet

!

end

thank you

i think the problem is the 2nd

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

but i don't now how to delete it

MHM Cisco World · ‎01-03-2024

as I thought
you config ACL of IPsec VPN

permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255
and
you config default route for same subnet toward the Tunnel

this make traffic to subnet 172.27.140.0 hit the acl and pass through tunnel.
friend since the tunnel destination is same as set peer of crypto map
then use either tunnel or policy based VPN not both

MHM

darkmen11 · ‎01-03-2024

thank you for response

Indeed, I simply need to remove the ACL.?

darkmen11 · ‎01-03-2024

thank you for response

Do I just need to do that?

no permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255

MHM Cisco World · ‎01-03-2024

Yes friend remove it

Clear crypto isakmp

Clear crypto sa

And then check

MHM

darkmen11 · ‎01-08-2024

hello,

I always have the same issue. I have a request to establish IPsec 0.0.0.0 that triggers with my initial request, causing the VPN to disconnect. Below is the debug

*Jan 6 00:17:55.125 UTC: IPSEC:(SESSION ID = 118) (key_engine) request timer fired: count = 2,

(identity) local= 1.1.1.1:0, remote= 2.2.2.2,

local_proxy= 0.0.0.0/0.0.0.0/256/0,

remote_proxy= 0.0.0.0/0.0.0.0/256/0

*Jan 6 00:17:55.139 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jan 6 00:17:55.139 UTC: Delete IPsec SA by DPD, local 1.1.1.1 remote 91.151.67.34 peer port 500

*Jan 6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,

ug(sa) sa_dest= 1.1.1.1, sa_proto= 50,

sa_spi= 0x940E230A(2483954442),

sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2231

sa_lifetime(k/sec)= (4608000/3600),

(identity) local= 1.1.1.1:0, remote= 2.2.2.2,

local_proxy= 102.10.100.0/255.255.255.0/256/0,

remote_proxy= 172.27.140.0/255.255.255.0/256/0

*Jan 6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) SA found saving DEL kmi

*Jan 6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA, sa) sa_dest= 91.151.67.34, sa_proto= 50,

sa_spi= 0x6ACB44B8(1791706296),

sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2232

sa_lifetime(k/sec)= (4608000/3600),

(identity) local= 1.1.1.1:0, remote= 2.2.2.2,

local_proxy= 102.10.100.0/255.255.255.0/256/0,

remote_proxy= 172.27.140.0/255.255.255.0/256/0

*Jan 6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (update_current_outbound_sa) updated peer 91.151.67.34 current outbound sa to SPI 0

*Jan 6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,

(sa) sa_dest= 1.1.1.1, sa_proto= 50,

sa_spi= 0x940E230A(2483954442),

sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2231

sa_lifetime(k/sec)= (4608000/3600),

(identity) local= 1.1.1.1:0, remote= 2.2.2.2,

local_proxy= 102.10.100.0/255.255.255.0/256/0,

remote_proxy= 172.27.140.0/255.255.255.0/256/0

*Jan 6 00:17:55.140 UTC: IPSEC:(SESSION ID = 118) (delete_sa) SA found saving DEL kmi

*Jan 6 00:17:55.140 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,

(sa) sa_dest= 91.151.67.34, sa_proto= 50,

sa_spi= 0x6ACB44B8(1791706296),

sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2232

sa_lifetime(k/sec)= (4608000/3600),

(identity) local= 1.1.1.1:0, remote= 2.2.2.2,

local_proxy= 102.10.100.0/255.255.255.0/256/0,

remote_proxy= 172.27.140.0/255.255.255.0/256/0

*Jan 6 00:17:55.140 UTC: IPSEC(sibling_delete_notify_ident_action): Ident down, not sending DECR/DELETE

*Jan 6 00:17:55.141 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel61, changed state to down

*Jan 6 00:17:55.144 UTC: IPSEC:(SESSION ID = 118) (ident_update_final_flow_stats) Collect Final Stats and update MIB

IPSEC get IKMP peer index from peer 0x7FAE88AB68D0 ikmp handle 0x80000075

IPSEC IKMP peer index 0

[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x240000E7,peer index 0

MHM Cisco World · ‎01-08-2024

share last config
MHM

darkmen11 · ‎01-08-2024

I restored the same initial configuration since removing 'permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255' did not change anything. I still have a second IPsec request for the IP addresses 0.0.0.0 that occurs after my initial request. After three failed requests with the 0.0.0.0, the connection is reset."

MHM Cisco World · ‎01-08-2024

if you have VTI and it protect this subnet why you use crypto map to protect same subnet ?
sure you will have two SA
MHM

MHM Cisco World · ‎01-08-2024

to make it simple to you share your topology let me see why you need two IPsec (VTI and Crypto map) in your case
MHM

darkmen11 · ‎01-08-2024

thank you for answer

I don't need 2 ipsec

How can I delete one?

MHM Cisco World · ‎01-08-2024

Remove crypto map you add under interfac <- if you want to remove policy based vpn

Shut the tunnel interface <- if you want to remove route based VPN

You have two choices here

MHM

darkmen11 · ‎01-08-2024

thank you for your assistance. I will test it tonight but Which configuration do you think could generate this:

local_proxy = 0.0.0.0/0.0.0.0/256/0, remote_proxy = 0.0.0.0/0.0.0.0/256/0,

crypto map, or tunnel interface?"