Problem with ASA VPN to Azure "Received a DELETE PFKey message from IKE for an inbound SA"

baskervi
Level 1

First, thanks for any suggestions. I'm stumped at this point.


"debug crypto ips 127" yields the following, and it continues repeating over and over. The only thing that seems important is the message "IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA".


IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=172.16.9.198, sport=256, daddr=172.50.1.5, dport=256
IPSEC(crypto_map_check)-5: Checking crypto map CRYPTOMAP 5: skipping because 5-tuple does not match ACL ACL5
...

IPSEC(crypto_map_check)-5: Checking crypto map CRYPTOMAP 99: skipping because 5-tuple does not match ACL ACL99
IPSEC(crypto_map_check)-3: Checking crypto map CRYPTOMAP 150: matched.
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xC995E875)

IPSEC DEBUG: Inbound SA (SPI 0xC995E875) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0xC995E875) free started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0xC995E875) free completed
IPSEC DEBUG: Inbound SA (SPI 0xC995E875) destroy completed
...
<continues repeating the above>
...


Packet-tracer yields the following. I found a few hits on Google, but I did see https://community.cisco.com/t5/vpn-and-anyconnect/site-to-site-vpn-between-asa-9-9-1-and-bintec-router/m-p/3230693. I put the nat statement for this tunnel at the very top of the list, but it didn't help. The parameters in phase 13 look good, but the ASA drops the packets. Any clue as to what is going on?


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad7f32cd0, priority=1, domain=permit, deny=false
hits=13878009971, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.1 using egress ifc outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LOCALSITE LOCALSITE destination static AZR-VNET AZR-VNET no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 172.50.1.5/443 to 172.50.1.5/443

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.9.198 using egress ifc inside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface inside
access-list INSIDE remark Permit all other traffic from inside interface
access-list INSIDE extended permit ip any4 any4
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad873c690, priority=13, domain=permit, deny=false
hits=45569604, user_data=0x2aaacdad3540, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static LOCALSITE LOCALSITE destination static AZR-VNET AZR-VNET no-proxy-arp route-lookup
Additional Information:
Static translate 172.16.9.198/50000 to 172.16.9.198/50000
Forward Flow based lookup yields rule:
in id=0x2aaadad6bc80, priority=6, domain=nat, deny=false
hits=26433, user_data=0x2aaadaace9a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=172.50.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac927a3c0, priority=1, domain=nat-per-session, deny=true
hits=168128170, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad7f3bb00, priority=0, domain=inspect-ip-options, deny=true
hits=56989875, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr-redirect
policy-map global_policy
class sfr
sfr fail-open monitor-only
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaadb037b30, priority=71, domain=sfr, deny=false
hits=50429730, user_data=0x2aaada45d390, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map class_http
match port tcp eq https
policy-map global_policy
class class_http
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaada452cf0, priority=70, domain=inspect-http, deny=false
hits=39394070, user_data=0x2aaada451590, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad848c460, priority=20, domain=lu, deny=false
hits=44831731, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaada31b840, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=50528167, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 13
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaadaeb7220, priority=70, domain=encrypt, deny=false
hits=213, user_data=0x0, cs_id=0x2aaada27ddd0, reverse, flags=0x0, protocol=0
src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=172.50.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

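As an added example (not from the original post and not Cisco code), the small Python helper below parses the two outputs above the way an on-call engineer would triage them by hand: it finds the first packet-tracer phase that returns DROP and attaches the global Drop-reason to it, and it follows each SPI through the "debug crypto ipsec" lines to check whether IKE deleted the SA while it was still embryonic, i.e. before the negotiation ever completed. The sample inputs are constructed strings trimmed from the output posted above; the function names are mine.

```python
import re

# Constructed excerpt: the two VPN phases and the Result block from the posted packet-tracer.
PACKET_TRACER = """\
Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
in id=0x2aaada31b840, priority=13, domain=ipsec-tunnel-flow, deny=true

Phase: 13
Type: VPN
Subtype: encrypt
Result: DROP
out id=0x2aaadaeb7220, priority=70, domain=encrypt, deny=false
hits=213, user_data=0x0, cs_id=0x2aaada27ddd0, reverse, flags=0x0, protocol=0

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed excerpt of the posted "debug crypto ipsec 127" output (one SPI lifecycle).
IPSEC_DEBUG = """\
IPSEC(crypto_map_check)-3: Checking crypto map CRYPTOMAP 150: matched.
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xC995E875)
IPSEC DEBUG: Inbound SA (SPI 0xC995E875) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0xC995E875) free started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0xC995E875) free completed
IPSEC DEBUG: Inbound SA (SPI 0xC995E875) destroy completed
"""

PHASE_RE = re.compile(r"^Phase: (\d+)$", re.M)
FIELD_RE = re.compile(r"^(Type|Subtype|Result): ?(.*)$", re.M)
DOMAIN_RE = re.compile(r"\bdomain=([\w-]+)")
DROP_RE = re.compile(r"^Drop-reason: \((.+?)\) (.*)$", re.M)
SA_DELETE_RE = re.compile(r"DELETE PFKey message from IKE for an (inbound|outbound) SA \(SPI (0x[0-9A-Fa-f]+)\)")
SA_STATE_RE = re.compile(r"(Inbound|Outbound) SA \(SPI (0x[0-9A-Fa-f]+)\) (?:destroy|free) (?:started|completed)(?:, state (\w+))?")


def parse_phases(text):
    """Split packet-tracer output into one dict per phase (number, type, subtype, result, domain)."""
    marks = list(PHASE_RE.finditer(text))
    phases = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        body = text[m.end():end]
        phase = {"phase": int(m.group(1)), "domain": None}
        for key, value in FIELD_RE.findall(body):
            phase.setdefault(key.lower(), value.strip())  # keep the phase's own Result:, not the trailer's
        dom = DOMAIN_RE.search(body)
        if dom:
            phase["domain"] = dom.group(1)
        phases.append(phase)
    return phases


def first_drop(text):
    """Return the first phase that returned DROP, annotated with the global Drop-reason, or None."""
    for phase in parse_phases(text):
        if phase.get("result") == "DROP":
            reason = DROP_RE.search(text)
            phase["drop_code"] = reason.group(1) if reason else None
            phase["drop_text"] = reason.group(2).strip() if reason else None
            return phase
    return None


def sa_lifecycle(text):
    """Follow each SPI through the IPsec debug: did IKE delete it, and in what state was it last seen?"""
    sas = {}
    for m in SA_DELETE_RE.finditer(text):
        sas.setdefault(m.group(2), {"direction": m.group(1), "ike_delete": False, "state": None})
        sas[m.group(2)]["ike_delete"] = True
    for m in SA_STATE_RE.finditer(text):
        entry = sas.setdefault(m.group(2), {"direction": m.group(1).lower(), "ike_delete": False, "state": None})
        if m.group(3):  # the ", state ..." suffix is only present on some lines
            entry["state"] = m.group(3)
    return sas


def embryonic_deletes(text):
    """SPIs that IKE tore down while the SA was still embryonic, i.e. before negotiation finished."""
    return sorted(spi for spi, sa in sa_lifecycle(text).items()
                  if sa["ike_delete"] and sa["state"] == "embryonic")


def triage(tracer_text, debug_text):
    """Combine both signals into a one-line finding."""
    drop = first_drop(tracer_text)
    if drop is None:
        return "packet-tracer shows no DROP phase"
    where = "phase %d (%s/%s, %s)" % (drop["phase"], drop.get("type"), drop.get("subtype"), drop["drop_code"])
    spis = embryonic_deletes(debug_text)
    if drop.get("type") == "VPN" and drop.get("subtype") == "encrypt" and spis:
        return ("dropped at %s and IKE deleted embryonic SA %s: no IPsec SA ever completed, "
                "so start with the IKE debug rather than the NAT or crypto-map match" % (where, ", ".join(spis)))
    return "dropped at %s" % where


if __name__ == "__main__":
    print(triage(PACKET_TRACER, IPSEC_DEBUG))
```

An inbound SA in state embryonic has been allocated but has not finished negotiating, so a DELETE from IKE for it means the key exchange for that SA did not complete; the crypto-map match and NAT rule the tracer walks through are upstream of that and look fine in the posted output. The IKE-side debugs on an ASA are `debug crypto isakmp 127` for IKEv1 and `debug crypto ikev2 protocol 127` / `debug crypto ikev2 platform 127` for IKEv2 (Azure route-based gateways negotiate IKEv2), and `show crypto ikev2 sa` / `show crypto ipsec sa peer <peer-ip>` show whether any SA actually came up.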
1 Reply

Run debug crypto isa 127. This is the right debug.