1942 Views, 2 Helpful, 15 Replies

Problem with 2 times Phase 2 IPsec

darkmen11 (Level 1)

Hello, I'm experiencing disconnections on my IPsec VPN, probably due to a double initiation of Phase 2. Here is an excerpt from the 'show crypto ipsec sa' command.

interface: GigabitEthernet0/0/1
Crypto map tag: VPNMAP, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
current_peer x.X.X.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:


inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Tunnel61
Crypto map tag: Tunnel61-head-0, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={}
#pkts encaps: 1522, #pkts encrypt: 1522, #pkts digest: 1522
#pkts decaps: 1768, #pkts decrypt: 1768, #pkts verify: 1768
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x6AC9659E(1791583646)
PFS (Y/N): Y, DH group: group5

inbound esp sas:
spi: 0xA65BBC56(2791029846)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9297, flow_id: ESG:7297, sibling_flags FFFFFFFF80000048, crypto map: Tunnel61-head-0
sa timing: remaining key lifetime (k/sec): (4606650/3539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6AC9659E(1791583646)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9298, flow_id: ESG:7298, sibling_flags FFFFFFFF80000048, crypto map: Tunnel61-head-0
sa timing: remaining key lifetime (k/sec): (4607879/3539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: XX.X.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

 

Can you please help me and tell me where the problem is?

Thank you

15 Replies

Can I see the config of the router or ASA?
MHM

This is the configuration of the router (show running-config):

version 15.5
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname XXXX_WH_SaaS_1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 512000
enable secret 5 $1$qyoK$NeNsTMb31WJail7.RDfZQ.
!
no aaa new-model
clock timezone UTC 1 0
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4331/K9 sn FXXXXXX
!
spanning-tree extend system-id
!
username snuk secret 5 $1$zd0I$yCm8pvklX5MBW3K9bl8dz1
!
redundancy
 mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 1800
crypto isakmp key KFebB9D98kYT892y6xse address 1.1.1.1
!
!
crypto ipsec transform-set TS-ACSEP esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set VPN-ACSEP esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ACSEP
 set transform-set VPN-ACSEP
 set pfs group5
!
!
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS-ACSEP
 match address VPN-ACSEP
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 102.10.1.1 255.255.255.255
!
interface Tunnel61
 ip unnumbered GigabitEthernet0/0/1
 tunnel source 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile ACSEP
!
interface GigabitEthernet0/0/0
 description ## XXXX_WH_SaaS_Core ##
 ip address 3.3.3.3 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1
 description ## Internet Circuit ##
 ip address 2.2.2.2 255.255.255.248
 ip nat outside
 negotiation auto
 crypto map VPNMAP
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
 description ## XXXX_WH_SaaS Interlink ##
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan20
 description ## XXXX_WH_SaaS Interlink ##
 ip address 102.10.10.33 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
!
router eigrp 102
 network 102.10.0.0 0.0.255.255
!
ip nat inside source route-map internet interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 90.102.6.214 name Internet_Main
ip route 172.27.140.0 255.255.255.0 Tunnel61
!
!
ip access-list extended VPN-ACSEP
 permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255
!
access-list 5 permit 102.10.0.0 0.0.255.255
!
route-map internet permit 10
 match ip address 5
!
route-map REDI_Static permit 10
 match tag 999
!
!
!
control-plane
!
banner motd ^CCC

*********************************************************************
                                                                    *
                         W  A  R  N  I  N  G                        *
                                                                    *
 Only authorised personel can access and only for official purpose. *
     Any unauthorised access will be punished by the law.           *
          All accesses and usages are being logged.                 *
                                                                    *
                                                    *
                                                                    *
*********************************************************************
^C
!
line con 0
 exec-timeout 5 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet
line vty 5 15
 exec-timeout 5 0
 login local
 transport input telnet
!
!
end


thank you

I think the problem is the 2nd:

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

but I don't know how to delete it.

As I thought:
you configured the ACL of the IPsec VPN

 permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255
and
you configured a default route for the same subnet toward the tunnel.

This makes traffic to subnet 172.27.140.0 hit the ACL and pass through the tunnel.
Friend, since the tunnel destination is the same as the set peer of the crypto map,
use either the tunnel or the policy-based VPN, not both.

MHM
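The condition MHM describes above (a policy-based crypto map and a route-based VTI both negotiating with the same peer, so the peer ends up with identities under two crypto map tags) can be checked mechanically. The following Python script is an added example, not code from the thread or from either poster: it parses `show crypto ipsec sa` into one record per identity block, groups the records by peer, and reports which crypto map tags talk to that peer, which identity owns the 0.0.0.0/0 selectors, and which identities never got an ESP SA. The sample input is constructed from the posted output with RFC 5737 documentation addresses in place of the X.X.X.X placeholders; the class and function names are the example's own.

```python
"""Triage helper for Cisco IOS `show crypto ipsec sa` output (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's output (RFC 5737 addresses, AH/PCP sections omitted).
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: GigabitEthernet0/0/1
    Crypto map tag: VPNMAP, local addr 203.0.113.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
   current_peer 203.0.113.1 port 500
     PERMIT, flags={origin_is_acl,}
     inbound esp sas:
     outbound esp sas:

interface: Tunnel61
    Crypto map tag: Tunnel61-head-0, local addr 203.0.113.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
   current_peer 203.0.113.1 port 500
     PERMIT, flags={}
    #pkts encaps: 1522, #pkts encrypt: 1522, #pkts digest: 1522
    #pkts decaps: 1768, #pkts decrypt: 1768, #pkts verify: 1768
     inbound esp sas:
      spi: 0xA65BBC56(2791029846)
     outbound esp sas:
      spi: 0x6AC9659E(1791583646)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.0.113.1 port 500
     PERMIT, flags={origin_is_acl,}
     inbound esp sas:
     outbound esp sas:
"""


@dataclass
class Identity:
    """One 'protected vrf' block: a selector pair negotiated with one peer under one crypto map tag."""
    map_tag: str
    peer: str = ""
    local: str = ""
    remote: str = ""
    flags: str = ""
    encaps: int = 0
    decaps: int = 0
    spis: dict = field(default_factory=lambda: {"inbound esp": [], "outbound esp": []})

    @property
    def wildcard(self):  # 0.0.0.0/0 <-> 0.0.0.0/0: the selectors an IOS VTI negotiates
        return self.local.startswith("0.0.0.0/0.0.0.0") and self.remote.startswith("0.0.0.0/0.0.0.0")


def parse_show_crypto_ipsec_sa(text):
    """Walk the output line by line, attaching each field to the identity currently open."""
    idents, cur, section, map_tag = [], None, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            map_tag = line.split(":", 1)[1].split(",", 1)[0].strip()
        elif line.startswith("protected vrf:"):  # every identity block opens with this line
            idents.append(cur := Identity(map_tag))
        elif cur is None:
            continue
        elif m := re.match(r"(local|remote)\s+ident.*:\s*\((\S+)\)", line):
            setattr(cur, m.group(1), m.group(2))
        elif line.startswith("current_peer"):
            cur.peer = line.split()[1]
        elif m := re.match(r"PERMIT, flags=\{(.*)\}", line):
            cur.flags = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            setattr(cur, m.group(1), int(m.group(2)))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = f"{m.group(1)} {m.group(2)}"
        elif line.startswith("spi:") and section in cur.spis:  # only ESP SPIs are collected
            cur.spis[section].append(line.split()[1])
    return idents


def audit(idents):
    """One finding per condition worth chasing; an empty list means one policy per peer with live SAs."""
    findings, by_peer = [], {}
    for ident in idents:
        by_peer.setdefault(ident.peer, []).append(ident)
    for peer, group in by_peer.items():
        tags = sorted({i.map_tag for i in group})
        if len(tags) > 1:  # a crypto map and a VTI head both negotiating with one peer
            findings.append(f"peer {peer}: identities from {len(tags)} crypto map tags {tags}")
        wild = [i for i in group if i.wildcard]
        if wild and len(wild) < len(group):
            findings.append(f"peer {peer}: 0.0.0.0/0 identity owned by {wild[0].map_tag} coexists with {len(group) - len(wild)} narrower identities")
        for i in group:
            if not (i.spis["inbound esp"] or i.spis["outbound esp"]):
                findings.append(f"peer {peer}: {i.map_tag} {i.local} -> {i.remote} has no ESP SA (encaps={i.encaps}, decaps={i.decaps}, flags={{{i.flags}}})")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_show_crypto_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA))))
```

Run it against a saved copy of the real output with `parse_show_crypto_ipsec_sa(open(path).read())`. On the output posted in this thread the 0.0.0.0/0 identity sits under the Tunnel61-head-0 tag: that wildcard selector pair is what an IOS VTI (`tunnel mode ipsec ipv4` with `tunnel protection`) negotiates, whereas a crypto map only ever proposes what its `match address` ACL permits.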

Thank you for the response.

Indeed, I simply need to remove the ACL?

Thank you for the response.

Do I just need to do that?

no permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255


Yes, friend, remove it.

clear crypto isakmp

clear crypto sa

And then check.

MHM

darkmen11 (Level 1)

hello,

 

I still have the same issue. I have a request to establish IPsec for 0.0.0.0 that triggers after my initial request, causing the VPN to disconnect. Below is the debug:

*Jan  6 00:17:55.125 UTC: IPSEC:(SESSION ID = 118) (key_engine) request timer fired: count = 2,
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
*Jan  6 00:17:55.139 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan  6 00:17:55.139 UTC: Delete IPsec SA by DPD, local 1.1.1.1 remote 91.151.67.34 peer port 500
*Jan  6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,
    sa_spi= 0x940E230A(2483954442),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2231
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2,
    local_proxy= 102.10.100.0/255.255.255.0/256/0,
    remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan  6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) SA found saving DEL kmi
*Jan  6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
  (sa) sa_dest= 91.151.67.34, sa_proto= 50,
    sa_spi= 0x6ACB44B8(1791706296),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2232
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2,
    local_proxy= 102.10.100.0/255.255.255.0/256/0,
    remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan  6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (update_current_outbound_sa) updated peer 91.151.67.34 current outbound sa to SPI 0
*Jan  6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,
    sa_spi= 0x940E230A(2483954442),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2231
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2,
    local_proxy= 102.10.100.0/255.255.255.0/256/0,
    remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan  6 00:17:55.140 UTC: IPSEC:(SESSION ID = 118) (delete_sa) SA found saving DEL kmi
*Jan  6 00:17:55.140 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
  (sa) sa_dest= 91.151.67.34, sa_proto= 50,
    sa_spi= 0x6ACB44B8(1791706296),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2232
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2,
    local_proxy= 102.10.100.0/255.255.255.0/256/0,
    remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan  6 00:17:55.140 UTC: IPSEC(sibling_delete_notify_ident_action): Ident down, not sending DECR/DELETE
*Jan  6 00:17:55.141 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel61, changed state to down
*Jan  6 00:17:55.144 UTC: IPSEC:(SESSION ID = 118) (ident_update_final_flow_stats) Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x7FAE88AB68D0 ikmp handle 0x80000075
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x240000E7,peer index 0
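Reading a long `debug crypto ipsec` dump like the one above by eye is error-prone, because each record spans several lines and IOS prints each SA deletion twice. The following Python helper is an added example, not code from the thread or from either poster: it groups the lines into timestamped events, keeps the proxy identities and SPIs each record names, and summarises which selector pair the request timer keeps firing for (and how many retries it reached), which SPIs were actually torn down and with which proxies, the deletion reason IOS logged, and when the tunnel line protocol went down. The sample input is constructed from the posted excerpt, shortened, using the posted 1.1.1.1 and 2.2.2.2 endpoints throughout; the function names are the example's own.

```python
"""Timeline extractor for Cisco IOS `debug crypto ipsec` records (added example)."""
import re

# Constructed sample, shortened from the debug excerpt posted in the thread.
SAMPLE_DEBUG = """\
*Jan  6 00:17:55.125 UTC: IPSEC:(SESSION ID = 118) (key_engine) request timer fired: count = 2,
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
*Jan  6 00:17:55.139 UTC: Delete IPsec SA by DPD, local 1.1.1.1 remote 2.2.2.2 peer port 500
*Jan  6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,
    sa_spi= 0x940E230A(2483954442),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2231
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2,
    local_proxy= 102.10.100.0/255.255.255.0/256/0,
    remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan  6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) SA found saving DEL kmi
*Jan  6 00:17:55.139 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
  (sa) sa_dest= 2.2.2.2, sa_proto= 50,
    sa_spi= 0x6ACB44B8(1791706296),
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2,
    local_proxy= 102.10.100.0/255.255.255.0/256/0,
    remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan  6 00:17:55.140 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,
    sa_spi= 0x940E230A(2483954442),
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2,
    local_proxy= 102.10.100.0/255.255.255.0/256/0,
    remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan  6 00:17:55.140 UTC: IPSEC:(SESSION ID = 118) (delete_sa) deleting SA,
  (sa) sa_dest= 2.2.2.2, sa_proto= 50,
    sa_spi= 0x6ACB44B8(1791706296),
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2,
    local_proxy= 102.10.100.0/255.255.255.0/256/0,
    remote_proxy= 172.27.140.0/255.255.255.0/256/0
*Jan  6 00:17:55.141 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel61, changed state to down
"""

# A record starts with "*<timestamp> <tz>: <head>"; indented lines continue it.
RECORD_START = re.compile(r"^\*(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+) \w+: (.*)$")
FIELDS = {  # fields worth keeping, wherever they appear inside a record
    "local_proxy": re.compile(r"local_proxy= (\S+?),?$"),
    "remote_proxy": re.compile(r"remote_proxy= (\S+?),?$"),
    "spi": re.compile(r"sa_spi= (0x[0-9A-Fa-f]+)"),
    "count": re.compile(r"count = (\d+)"),
}


def parse_debug(text):
    """Group lines into events: dicts with ts, head and whichever FIELDS the record carried."""
    events = []
    for raw in text.splitlines():
        if m := RECORD_START.match(raw):
            events.append({"ts": m.group(1), "head": m.group(2)})
            line = m.group(2)
        elif events:
            line = raw.strip()
        else:
            continue  # text before the first timestamped record
        for key, rx in FIELDS.items():
            if fm := rx.search(line):
                events[-1][key] = int(fm.group(1)) if key == "count" else fm.group(1)
    return events


def summarize(events):
    """Proxies the request timer fired for (highest retry count seen), unique deleted SPIs with
    their proxies, the deletion reasons IOS logged, and timestamps of tunnel line-protocol down."""
    requested, deleted, reasons, down = {}, {}, [], []
    for ev in events:
        head = ev["head"]
        if "request timer fired" in head:
            pair = (ev.get("local_proxy"), ev.get("remote_proxy"))
            requested[pair] = max(requested.get(pair, 0), ev.get("count", 1))
        elif head.startswith("Delete IPsec SA by"):
            reasons.append(head.split(",", 1)[0])
        elif "(delete_sa) deleting SA" in head and "spi" in ev:  # the debug lists each SA twice
            deleted[ev["spi"]] = (ev.get("local_proxy"), ev.get("remote_proxy"))
        elif "LINEPROTO-5-UPDOWN" in head and head.endswith("to down"):
            down.append(ev["ts"])
    return requested, deleted, reasons, down


if __name__ == "__main__":
    for name, value in zip(("requested", "deleted", "reasons", "down"), summarize(parse_debug(SAMPLE_DEBUG))):
        print(name, value)
```

Feed it the full debug with `parse_debug(open(path).read())`. Two things it makes visible in this excerpt are worth checking separately: the only selector pair the request timer fires for is 0.0.0.0/0 to 0.0.0.0/0, while the SAs that get deleted carry the 102.10.100.0/24 to 172.27.140.0/24 proxies; and the reason string is `Delete IPsec SA by DPD`, the message IOS logs when its own Dead Peer Detection got no answer from the peer, which is a different failure from a rejected Phase 2 proposal.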


Share the last config.
MHM

darkmen11 (Level 1)

I restored the same initial configuration, since removing 'permit ip 102.10.100.0 0.0.0.255 172.27.140.0 0.0.0.255' did not change anything. I still have a second IPsec request for the IP addresses 0.0.0.0 that occurs after my initial request. After three failed requests with the 0.0.0.0, the connection is reset.

If you have a VTI and it protects this subnet, why do you use a crypto map to protect the same subnet?
Sure, you will have two SAs.
MHM

To make it simple for you: share your topology, and let me see why you need two IPsec tunnels (VTI and crypto map) in your case.
MHM

darkmen11 (Level 1)

Thank you for the answer.

I don't need 2 IPsec tunnels.

How can I delete one?

Remove the crypto map you added under the interface <- if you want to remove the policy-based VPN

Shut the tunnel interface <- if you want to remove the route-based VPN

You have two choices here.

MHM

darkmen11 (Level 1)

Thank you for your assistance. I will test it tonight, but which configuration do you think could generate this:

local_proxy = 0.0.0.0/0.0.0.0/256/0, remote_proxy = 0.0.0.0/0.0.0.0/256/0,

the crypto map, or the tunnel interface?