01-02-2024 06:13 AM - edited 01-02-2024 06:39 AM
Hello, I'm experiencing disconnections on my IPsec VPN, probably due to a double initiation of Phase 2. Here is an excerpt from the 'show crypto ipsec sa' command.
interface: GigabitEthernet0/0/1
Crypto map tag: VPNMAP, local addr X.X.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
current_peer x.X.X.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Tunnel61
Crypto map tag: Tunnel61-head-0, local addr X.X.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={}
#pkts encaps: 1522, #pkts encrypt: 1522, #pkts digest: 1522
#pkts decaps: 1768, #pkts decrypt: 1768, #pkts verify: 1768
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x6AC9659E(1791583646)
PFS (Y/N): Y, DH group: group5
inbound esp sas:
spi: 0xA65BBC56(2791029846)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9297, flow_id: ESG:7297, sibling_flags FFFFFFFF80000048, crypto map: Tunnel61-head-0
sa timing: remaining key lifetime (k/sec): (4606650/3539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6AC9659E(1791583646)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9298, flow_id: ESG:7298, sibling_flags FFFFFFFF80000048, crypto map: Tunnel61-head-0
sa timing: remaining key lifetime (k/sec): (4607879/3539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: X.X.X.X, remote crypto endpt.: XX.X.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Can you please help me and tell me where the problem is?
Thank you
01-03-2024 07:19 AM
Can I see the config of the router or ASA?
MHM
01-03-2024 07:35 AM
This is the configuration of the router (show running):
version 15.5
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname XXXX_WH_SaaS_1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 512000
enable secret 5 $1$qyoK$NeNsTMb31WJail7.RDfZQ.
!
no aaa new-model
clock timezone UTC 1 0
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4331/K9 sn FXXXXXX
!
spanning-tree extend system-id
!
username snuk secret 5 $1$zd0I$yCm8pvklX5MBW3K9bl8dz1
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 1800
crypto isakmp key KFebB9D98kYT892y6xse address 1.1.1.1
!
!
crypto ipsec transform-set TS-ACSEP esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set VPN-ACSEP esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile ACSEP
set transform-set VPN-ACSEP
set pfs group5
!
!
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set TS-ACSEP
match address VPN-ACSEP
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 102.10.1.1 255.255.255.255
!
interface Tunnel61
ip unnumbered GigabitEthernet0/0/1
tunnel source 2.2.2.2
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile ACSEP
!
interface GigabitEthernet0/0/0
description ## XXXX_WH_SaaS_Core ##
ip address 3.3.3.3 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
description ## Internet Circuit ##
ip address 2.2.2.2 255.255.255.248
ip nat outside
negotiation auto
crypto map VPNMAP
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
description ## XXXX_WH_SaaS Interlink ##
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
description ## XXXX_WH_SaaS Interlink ##
ip address 102.10.10.33 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
!
router eigrp 102
network 102.10.0.0 0.0.255.255
!
ip nat inside source route-map internet interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 90.102.6.214 name Internet_Main
ip route 172.27.140.0 255.255.255.0 Tunnel61
!
!
ip access-list extended VPN-ACSEP
permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255
!
access-list 5 permit 102.10.0.0 0.0.255.255
!
route-map internet permit 10
match ip address 5
!
route-map REDI_Static permit 10
match tag 999
!
!
!
control-plane
!
banner motd ^CCC
*********************************************************************
*
W A R N I N G *
*
Only authorised personel can access and only for official purpose. *
Any unauthorised access will be punished by the law. *
All accesses and usages are being logged. *
*
*
*
*********************************************************************
^C
!
line con 0
exec-timeout 5 0
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 5 0
login local
transport input telnet
line vty 5 15
exec-timeout 5 0
login local
transport input telnet
!
!
end
Thank you.
I think the problem is the 2nd:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
but I don't know how to delete it.
01-03-2024 07:41 AM
As I thought:
you configured the ACL of the IPsec VPN
permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255
and
you configured a default route for the same subnet toward the Tunnel.
This makes traffic to subnet 172.27.140.0 hit the ACL and pass through the tunnel.
Friend, since the tunnel destination is the same as the set peer of the crypto map,
use either the tunnel or the policy-based VPN, not both.
MHM
01-03-2024 08:06 AM
Thank you for the response.
Indeed, I simply need to remove the ACL?
01-03-2024 08:10 AM - edited 01-03-2024 08:15 AM
Thank you for the response.
Do I just need to do that?
no permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255
01-03-2024 08:21 AM
Yes, friend, remove it.
clear crypto isakmp
clear crypto sa
And then check.
MHM
01-08-2024 02:02 AM
Hello,
I still have the same issue. I have a request to establish IPsec 0.0.0.0 that triggers with my initial request, causing the VPN to disconnect. Below is the debug:
*Jan 6 00:17:55.125 UTC: IPSEC:(SESSION ID = 118) (key_engine) request timer fired: count = 2,
(identity) local= 1.1.1.1:0, remote= 2.2.2.2,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
*Jan 6 00:17:55.139 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 6 00:17:55.139 UTC: Delete IPsec SA by DPD, local 1.1.1.1 remote 91.151.67.34 peer port 500
*Jan 6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
(sa) sa_dest= 1.1.1.1, sa_proto= 50,
sa_spi= 0x940E230A(2483954442),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2231
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 1.1.1.1:0, remote= 2.2.2.2,
local_proxy= 102.10.100.0/255.255.255.0/256/0,
remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan 6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) SA found saving DEL kmi
*Jan 6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
(sa) sa_dest= 91.151.67.34, sa_proto= 50,
sa_spi= 0x6ACB44B8(1791706296),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2232
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 1.1.1.1:0, remote= 2.2.2.2,
local_proxy= 102.10.100.0/255.255.255.0/256/0,
remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan 6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (update_current_outbound_sa) updated peer 91.151.67.34 current outbound sa to SPI 0
*Jan 6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
(sa) sa_dest= 1.1.1.1, sa_proto= 50,
sa_spi= 0x940E230A(2483954442),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2231
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 1.1.1.1:0, remote= 2.2.2.2,
local_proxy= 102.10.100.0/255.255.255.0/256/0,
remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan 6 00:17:55.140 UTC: IPSEC:(SESSION ID = 118) (delete_sa) SA found saving DEL kmi
*Jan 6 00:17:55.140 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
(sa) sa_dest= 91.151.67.34, sa_proto= 50,
sa_spi= 0x6ACB44B8(1791706296),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2232
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 1.1.1.1:0, remote= 2.2.2.2,
local_proxy= 102.10.100.0/255.255.255.0/256/0,
remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan 6 00:17:55.140 UTC: IPSEC(sibling_delete_notify_ident_action): Ident down, not sending DECR/DELETE
*Jan 6 00:17:55.141 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel61, changed state to down
*Jan 6 00:17:55.144 UTC: IPSEC:(SESSION ID = 118) (ident_update_final_flow_stats) Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x7FAE88AB68D0 ikmp handle 0x80000075
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x240000E7,peer index 0
01-08-2024 02:53 AM
Share the last config.
MHM
01-08-2024 03:33 AM
I restored the same initial configuration since removing 'permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255' did not change anything. I still have a second IPsec request for the IP addresses 0.0.0.0 that occurs after my initial request. After three failed requests with the 0.0.0.0, the connection is reset.
01-08-2024 03:38 AM
If you have a VTI and it protects this subnet, why do you use a crypto map to protect the same subnet?
Sure, you will have two SAs.
MHM
01-08-2024 04:08 AM
To make it simple for you, share your topology; let me see why you need two IPsec (VTI and crypto map) in your case.
MHM
01-08-2024 04:19 AM
Thank you for the answer.
I don't need 2 IPsec.
How can I delete one?
01-08-2024 04:23 AM
Remove the crypto map you added under the interface <- if you want to remove the policy-based VPN
Shut the tunnel interface <- if you want to remove the route-based VPN
You have two choices here.
MHM
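As an added illustration of MHM's two points above (the ACL and the static route sending the same subnet into both the crypto map and Tunnel61, and the advice to keep only one of the two), this is a small Python config check that is not part of the thread or of IOS: it parses the relevant lines of the posted config and reports traffic that a crypto-map ACE protects while a static route also sends it into a VTI terminating on the same peer. The config excerpt is constructed from the values posted in the thread; the parser is a hypothetical lint, not a Cisco feature.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted in the thread (values as posted).
CONFIG = """
crypto map VPNMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 match address VPN-ACSEP
interface Tunnel61
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile ACSEP
ip route 172.27.140.0 255.255.255.0 Tunnel61
ip access-list extended VPN-ACSEP
 permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")  # accepts netmasks (routes) and wildcards (ACLs)

def parse_config(text):
    """Collect crypto maps, tunnel interfaces, static routes into tunnels and extended ACLs."""
    maps, vtis, routes, acls, kind, name = {}, {}, [], {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            kind, name = "map", m[1]
            maps[name] = {"peer": None, "acl": None}
        elif m := re.match(r"interface (\S+)", line):
            kind, name = "if", m[1]
        elif m := re.match(r"ip access-list extended (\S+)", line):
            kind, name = "acl", m[1]
            acls[name] = []
        elif m := re.match(r"ip route (\S+) (\S+) (Tunnel\d+)", line):
            routes.append((net(m[1], m[2]), m[3]))
        elif kind == "map" and (m := re.match(r"set peer (\S+)", line)):
            maps[name]["peer"] = m[1]
        elif kind == "map" and (m := re.match(r"match address (\S+)", line)):
            maps[name]["acl"] = m[1]
        elif kind == "if" and (m := re.match(r"tunnel destination (\S+)", line)):
            vtis[name] = m[1]  # the tunnel destination is the VTI's IPsec peer
        elif kind == "acl" and (m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)):
            acls[name].append((net(m[1], m[2]), net(m[3], m[4])))
    return maps, vtis, routes, acls

def find_overlaps(maps, vtis, routes, acls):
    """Crypto-map ACEs whose destination is also routed into a VTI that ends on the same peer."""
    return [(name, intf, str(dst), cm["peer"])
            for name, cm in maps.items()
            for _src, dst in acls.get(cm["acl"], [])
            for prefix, intf in routes
            if vtis.get(intf) == cm["peer"] and prefix.overlaps(dst)]
```

Each finding names the crypto map and the tunnel interface competing for the same destination, which is exactly the pair from which one has to be removed.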
01-08-2024 04:36 AM
Thank you for your assistance. I will test it tonight, but which configuration do you think could generate this:
local_proxy = 0.0.0.0/0.0.0.0/256/0, remote_proxy = 0.0.0.0/0.0.0.0/256/0,
crypto map, or tunnel interface?