Site to Site Tunnel using Cisco CSR in AWS
Posted 09-27-2019 06:39 AM, last edited on 02-24-2020 11:17 AM by Monica Lluis
Having difficulties bringing up a Site to Site Tunnel deployed to AWS using Cisco CSR. Permitted inbound TCP 22, UDP 500, and UDP 4500 (with source IPs defined to restrict who/what can hit the appliance). The core issue is that phase 1 doesn't appear to be working (sh crypto ikev2 sa does not yield any output), and am actively reviewing debug logs to identify the issue. Any assistance would be appreciated.
------------------ show crypto isakmp sa count ------------------ Active ISAKMP SA's: 0 Standby ISAKMP SA's: 0 Currently being negotiated ISAKMP SA's: 0 Dead ISAKMP SA's: 0 ------------------ show crypto ipsec sa count ------------------ IPsec SA total: 0, active: 0, rekeying: 0, unused: 0, invalid: 0 ------------------ show crypto isakmp sa detail ------------------ Codes: C - IKE configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal T - cTCP encapsulation, X - IKE Extended Authentication psk - Preshared key, rsig - RSA signature renc - RSA encryption IPv4 Crypto ISAKMP SA C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap. IPv6 Crypto ISAKMP SA ------------------ show crypto ipsec sa detail ------------------ interface: GigabitEthernet1 Crypto map tag: AEMOVPN, local addr 172.17.130.243 protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.59/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 2, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.33/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 1, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.22/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 4, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.5/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 3, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.4/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 1, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.3/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 1, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.2/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 4, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.1/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 104, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.0/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 1, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.0/255.255.255.0/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 0, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.254/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 10, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (172.17.130.243/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (146.178.211.252/255.255.255.255/0/0) current_peer 202.44.76.10 port 500 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 1, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.76.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local crypto endpt.: 172.17.130.243, remote crypto endpt.: 202.44.78.10 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: ------------------ show crypto session summary ------------------ ------------------ show crypto session detail ------------------ Crypto session current status Code: C - IKE Configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal, T - cTCP encapsulation X - IKE Extended Authentication, F - IKE Fragmentation R - IKE Auto Reconnect, U - IKE Dynamic Route Update S - SIP VPN Interface: GigabitEthernet1 Session status: DOWN Peer: 202.44.76.10 port 500 fvrf: (none) ivrf: (none) Desc: (none) Phase1_id: (none) IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.59 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 2 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.33 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 
drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 1 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.22 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 4 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.5 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 3 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.4 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 1 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.3 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 1 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.2 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 4 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.1 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 104 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.0 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 1 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 146.178.211.0/255.255.255.0 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.254 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 10 life (KB/Sec) 0/0 IPSEC FLOW: permit ip host 172.17.130.243 host 146.178.211.252 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts 
enc'ed 0 drop 1 life (KB/Sec) 0/0 ------------------ show crypto isakmp peers ------------------ ------------------ show crypto ruleset detail ------------------ Mtree: ------------------ show processes memory 400 ------------------ Tracekey : 1#456e8ad4e4c88bd4419479abe3ce67e9 Process ID: 400 Process Name: Crypto IKMP Total Memory Held: 94752 bytes Processor memory Holding = 94752 bytes size = 52192, count = 1, pc = :56108B51A000+31C9D20 size = 32864, count = 1, pc = iosd_shr_m_uk9_IPSEC_Core_crb:7F3B8C232000+2E235C size = 5048, count = 1, pc = :56108B51A000+49324AC size = 2032, count = 1, pc = :56108B51A000+49324CC size = 1304, count = 1, pc = :56108B51A000+7313E7C size = 448, count = 1, pc = :56108B51A000+730A608 size = 296, count = 2, pc = :56108B51A000+72BC7BB size = 256, count = 1, pc = iosd_shr_m_uk9_IPSEC_Core_crb:7F3B8C232000+23A91E size = 160, count = 1, pc = :56108B51A000+5EDF7F6 size = 152, count = 1, pc = iosd_shr_m_uk9_IPSEC_Core_crb:7F3B8C232000+23A8FE lsmpi_io memory Holding = 0 bytes ------------------ show processes 400 ------------------ Process ID 400 [Crypto IKMP], TTY 0 Memory usage [in bytes] Holding: 94752, Maximum: 94752, Allocated: 41256, Freed: 1688 Getbufs: 0, Retbufs: 0, Stack: 40776/48000 CPU usage PC: 7F3B8C4F9C45, Invoked: 5, Giveups: 1, uSec: 200 5Sec: 0.00%, 1Min: 0.00%, 5Min: 0.00%, Average: 0.00% Age: 84748361 msec, Runtime: 1 msec State: Waiting for Event, Priority: Normal ------------------ show crypto eli all ------------------ Hardware Encryption : ACTIVE Number of crypto engines = 2 CryptoEngine IOSXE-ESP(9) details: state = Active Capability : DES, 3DES, AES, GCM, GMAC, IPv6, GDOI, FAILCLOSE IPSec-Session : 0 active, 40958 max, 0 failed CryptoEngine Software Crypto Engine details: state = Active Capability : IPPCP, DES, 3DES, AES, SEAL, GCM, GMAC, RSA, IPv6, GDOI, FAILCLOSE, HA IKE-Session : 0 active, 41058 max, 0 failed IKEv2-Session : 0 active, 41058 max, 0 failed DH : 1 active, 20529 max, 0 failed IPSec-Session : 0 
active, 1000 max, 0 failed SSL support : Yes SSL versions : SSLv3.0, TLSv1.0, DTLSv1.0, DTLS-pre-rfc, TLSv1.1, TLSv1.2 Max SSL connec: 1000 SSL namespace : 1 SSLv3.0 suites: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLSv1.0 suites: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA DTLSv1.0 suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA ------------------ show cry engine accelerator statistic ------------------ ------------------ show crypto eli all ------------------ Hardware Encryption : ACTIVE Number of crypto engines = 2 CryptoEngine IOSXE-ESP(9) details: state = Active Capability : DES, 3DES, AES, GCM, GMAC, IPv6, GDOI, FAILCLOSE IPSec-Session : 0 active, 40958 max, 0 failed CryptoEngine Software Crypto Engine details: state = Active Capability : IPPCP, DES, 3DES, AES, SEAL, GCM, GMAC, RSA, IPv6, GDOI, FAILCLOSE, HA IKE-Session : 0 active, 41058 max, 0 failed IKEv2-Session : 0 active, 41058 max, 0 failed DH : 1 active, 20529 max, 0 failed IPSec-Session : 0 active, 1000 max, 0 failed SSL support : Yes SSL versions : SSLv3.0, TLSv1.0, DTLSv1.0, DTLS-pre-rfc, TLSv1.1, TLSv1.2 Max SSL connec: 1000 SSL namespace : 1 SSLv3.0 suites: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLSv1.0 suites: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA DTLSv1.0 suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA ------------------ show platform hardware chassis active qfp datapath utilization ------------------ ------------------ show platform hardware chassis active qfp statistics drop ------------------ ------------------ show platform hardware crypto-device status ------------------ Software crypto if functional Crypto Device Version: Cisco cd_sw_ipsec version 1.0 Cisco cd_sw_crypto: version 2.0 Compiled on Thu 19 Jul 2018 
04:31:02 PM PDT by mlou (AES-NI test_done=1 available=1) ------------------ show platform hardware crypto-device statistics ------------------ Forwarding Manager Encryption-processor Statistics (P) - # of packets; (B) - # of bytes STX1 disabled OK SPI1 RX(P) : 0, OK SPI1 RX(B) : 0 ERR SPI1 RX(P) : 0 DROP SPI1 RX(P) : 0, DROP SPI1 RX(B) : 0 OK PCI RX(P) : 0, OK PCI RX(B) : 0 PROCESSED(P) : 0, PROCESSED(B) : 0 ENCRYPTED(P) : 0, ENCRYPTED(B) : 0 DECRYPTED(P) : 0, DECRYPTED(B) : 0 GEN. PURPOSE(P) : 0, GEN. PURPOSE(B) : 0 ------------------ show platform software cpu alloc ------------------ CPU alloc information: Control plane cpu alloc: 0 Data plane cpu alloc: 1 Service plane cpu alloc: 0 Template used: None ------------------ show platform software system processor ------------------ Number of Processors : 2 Processor : 1 - 2 vendor_id : GenuineIntel cpu MHz : 2300.070 cache size : 46080 KB Crypto Supported : Yes model name : Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz ------------------ show cry isakmp diagnose error ------------------ Exit Path Table - status: enable, current entry 1, deleted 0, max allow 50 Error(2): No SA found, ignore request to send delete. local 172.17.130.243/0 remote 202.44.76.10/0 fvrf 0x0 ivrf 0x0 for SPI 0x80007F -Traceback= 1#456e8ad4e4c88bd4419479abe3ce67e9 iosd_shr_m_uk9_IPSEC_Core_crb:7F3B8C232000+2E3023 iosd_shr_m_uk9_IPSEC_Core_crb:7F3B8C232000+2CFF7A iosd_shr_m_uk9_IPSEC_Core_crb:7F3B8C232000+33CA70 iosd_shr_m_uk9_IPSEC_Core_crb:7F3B8C232000+2C7DFC ------------------ show cry isakmp diagnose error count ------------------ Exit Trace counters 2 - No SA found, ignore request to send delete. 8 - Failed to delete policy. 
------------------ show crypto call admission statistics ------------------
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit:          0   Max IKE SAs:   0   Max in nego:  1000
Total IKE SA Count:             0   active:        0   negotiating:  0
Incoming IKE Requests:          0   accepted:      0   rejected:     0
Outgoing IKE Requests:          0   accepted:      0   rejected:     0
Rejected IKE Requests:          0   rsrc low:      0   Active SA limit: 0
                                    In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs:                  0
Total IPSEC SA Count:           0   active:        0   negotiating:  0
Incoming IPSEC Requests:        0   accepted:      0   rejected:     0
Outgoing IPSEC Requests:        0   accepted:      0   rejected:     0
Phase1.5 SAs under negotiation: 0
------------------ show crypto ikev2 stats ------------------
--------------------------------------------------------------------------------
Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit:          0   Max IKEv2 SAs: 0   Max in nego(in/out): 40/400
Total incoming IKEv2 SA Count:  0   active:        0   negotiating:  0
Total outgoing IKEv2 SA Count:  0   active:        0   negotiating:  0
Incoming IKEv2 Requests:        0   accepted:      0   rejected:     0
Outgoing IKEv2 Requests:       87   accepted:     87   rejected:     0
Rejected IKEv2 Requests:        0   rsrc low:      0   SA limit:     0
IKEv2 packets dropped at dispatch: 0
Incoming Requests dropped as LOW Q limit reached : 0
Incoming IKEV2 Cookie Challenged Requests: 0   accepted: 0   rejected: 0   rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0
------------------ show crypto ikev2 stats exchange detailed ------------------
--------------------------------------------------------------------------
EXCHANGE/NOTIFY                      TX(REQ)  TX(RES)  RX(REQ)  RX(RES)
EXCHANGES
IKE_SA_INIT                               87        0        0       87
IKE_AUTH                                  87        0        0       87
CREATE_CHILD_SA                            0        0        0        0
CREATE_CHILD_SA_IPSEC                      0        0        0        0
CREATE_CHILD_SA_IPSEC_REKEY                0        0        0        0
CREATE_CHILD_SA_IKE_REKEY                  0        0        0        0
GSA_AUTH                                   0        0        0        0
GSA_REGISTRATION                           0        0        0        0
GSA_REKEY                                  0        0        0        0
GSA_REKEY_ACK                              0        0        0        0
INFORMATIONAL                            166        0        0      166
ERROR NOTIFY
UNSUPPORTED_CRITICAL_PAYLOAD               0        0        0        0
INVALID_IKE_SPI                            0        0        0        0
INVALID_MAJOR_VERSION                      0        0        0        0
INVALID_SYNTAX                             0        0        0        0
INVALID_MESSAGE_ID                         0        0        0        0
INVALID_SPI                                0        0        0        0
NO_PROPOSAL_CHOSEN                         0        0        0       83
INVALID_KE_PAYLOAD                         0        0        0        0
AUTHENTICATION_FAILED                      0        0        0        4
SINGLE_PAIR_REQUIRED                       0        0        0        0
NO_ADDITIONAL_SAS                          0        0        0        0
INTERNAL_ADDRESS_FAILURE                   0        0        0        0
FAILED_CP_REQUIRED                         0        0        0        0
TS_UNACCEPTABLE                            0        0        0        0
INVALID_SELECTORS                          0        0        0        0
OTHER NOTIFY
INITIAL_CONTACT                           87        0        0        0
SET_WINDOW_SIZE                           87        0        0        0
ADDITIONAL_TS_POSSIBLE                     0        0        0        0
IPCOMP_SUPPORTED                           0        0        0        0
NAT_DETECTION_SOURCE_IP                   87        0        0       87
NAT_DETECTION_DESTINATION_IP              87        0        0       87
COOKIE                                     0        0        0        0
USE_TRANSPORT_MODE                         1        0        0        0
HTTP_CERT_LOOKUP_SUPPORTED                 0        0        0       87
REKEY_SA                                   0        0        0        0
ESP_TFC_PADDING_NOT_SUPPORTED              0        0        0        0
DELETE_REASON                              0        0        0        0
CUSTOM                                     0        0        0        0
REDIRECT_SUPPORTED                         0        0        0        0
REDIRECT                                   0        0        0        0
REDIRECTED_FROM                            0        0        0        0
DPD                                        0        0        0        0
CONFIG PAYLOAD TYPE                       TX       RX
CFG_REQUEST                                4        0
CFG_REPLY                                  0        0
CFG_SET                                    0        0
CFG_ACK                                    0        0
OTHER COUNTERS
NAT_INSIDE                                87
NAT_OUTSIDE                                0
NO_NAT                                     0
--------------------------------------------------------------------------
------------------ show crypto ikev2 stats ext-service ------------------
--------------------------------------------------------------
AAA OPERATION                             PASSED   FAILED
--------------------------------------------------------------
RECEIVING PSKEY                                0        0
AUTHENTICATION USING EAP                       0        0
START ACCOUNTING                               0        0
STOP ACCOUNTING                                0        0
AUTHORIZATION                                  0        0
--------------------------------------------------------------
IPSEC OPERATION                           PASSED   FAILED
--------------------------------------------------------------
IPSEC POLICY VERIFICATION                      0        0
SA CREATION                                    0        0
SA DELETION                                    0        0
---------------------------------------------------------------
CRYPTO ENGINE OPERATION                   PASSED   FAILED
---------------------------------------------------------------
DH PUBKEY GENERATED                           87        0
DH SHARED SECKEY GENERATED                    87        0
SIGNATURE SIGN                                 0        0
SIGNATURE VERIFY                               0        0
--------------------------------------------------------------
PKI OPERATION                             PASSED   FAILED
--------------------------------------------------------------
VERIFY CERTIFICATE                             0        0
FETCHING CERTIFICATE USING HTTP                0        0
FETCHING PEER CERTIFICATE USING HTTP           0        0
GET ISSUERS                                    0        0
GET CERTIFICATES FROM ISSUERS                  0        0
GET DN FROM CERT                               0        0
--------------------------------------------------------------
GKM OPERATION                             PASSED   FAILED
--------------------------------------------------------------
GET_POLICY                                     0        0
SET_POLICY                                     0        0
------------------ show crypto ikev2 diagnose error-count ------------------
------------------ show crypto ikev2 stats priority-queue ------------------
----------------------------------------------------
IKEV2 PRIORITY QUEUE        SIZE     PEAK
----------------------------------------------------
HIGHEST                        0        1
HIGHER                         0        0
HIGH                           0        1
NORMAL                         0        1
LOW                            0        1
LOWER                          0        0
LOWEST                         0        2
------------------ show crypto ikev2 stats reconnect ------------------
Total incoming reconnect connection: 0
Success reconnect connection: 0
Failed reconnect connection: 0
Reconnect capable active session count: 0
Reconnect capable inactive session count: 0
------------------ show crypto ikev2 sa detailed ------------------
------------------ show crypto ikev2 cluster ------------------
------------------ show crypto ikev2 session detailed ------------------
------------------ show monitor event-trace crypto merged all ------------------
*Sep 26 13:58:19.901: pki_event: EST client initialized.
*Sep 26 13:58:39.944: pki_error: PKI timers have not been initialized due to non-authoritative system clock. Ensure system clock is configured/updated.
*Sep 26 13:58:39.945: pki_event: EST client process started.
*Sep 26 14:10:26.670: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.1/0/256
*Sep 26 14:10:27.249: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:10:56.672: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.1/0/256
*Sep 26 14:10:57.251: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:11:26.673: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.1/0/256
*Sep 26 14:11:27.253: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:11:56.672: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.1/0/256
*Sep 26 14:11:57.251: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:12:26.672: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.1/0/256
*Sep 26 14:12:27.337: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:22:18.261: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.1/0/256
*Sep 26 14:22:18.964: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:27:23.402: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.2/0/256
*Sep 26 14:27:23.978: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:27:53.402: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.2/0/256
*Sep 26 14:27:54.232: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:28:23.402: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.2/0/256
*Sep 26 14:28:23.979: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:28:53.403: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.2/0/256
*Sep 26 14:28:53.980: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:29:23.403: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.2/0/256
*Sep 26 14:29:23.983: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:32:59.459: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.2/0/256
*Sep 26 14:33:00.110: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:33:15.028: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.3/0/256
*Sep 26 14:33:15.608: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:33:28.967: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.4/0/256
*Sep 26 14:33:29.586: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:33:43.316: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.22/0/256
*Sep 26 14:33:44.095: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:33:45.028: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.3/0/256
*Sep 26 14:33:45.645: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:33:58.968: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.4/0/256
*Sep 26 14:33:59.549: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:34:13.316: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.22/0/256
*Sep 26 14:34:14.072: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:34:15.029: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.3/0/256
*Sep 26 14:34:15.746: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:34:28.966: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.4/0/256
*Sep 26 14:34:29.547: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:34:43.315: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.22/0/256
*Sep 26 14:34:44.106: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:34:45.027: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.3/0/256
*Sep 26 14:34:45.627: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:34:58.967: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.4/0/256
*Sep 26 14:34:59.551: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:35:13.316: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.22/0/256
*Sep 26 14:35:13.994: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:35:15.911: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.3/0/256
*Sep 26 14:35:16.493: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:35:28.968: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.4/0/256
*Sep 26 14:35:29.548: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:35:43.318: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.22/0/256
*Sep 26 14:35:43.896: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:37:27.991: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.33/0/256
*Sep 26 14:37:28.572: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:37:54.172: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.59/0/256
*Sep 26 14:37:54.750: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:37:57.992: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.33/0/256
*Sep 26 14:37:58.572: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:38:24.171: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.59/0/256
*Sep 26 14:38:24.748: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:38:27.992: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.33/0/256
*Sep 26 14:38:28.578: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:38:54.170: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key
------------------ show crypto gdoi ------------------
------------------ show crypto gdoi rekey sa ------------------
GETVPN REKEY SA
dst             src             conn-id         status
------------------ show crypto gdoi rekey sa detail ------------------
KEK SA DB STATS:
num_active = 0
num_malloc = 0
num_free = 0
------------------ show crypto gdoi gm ------------------
------------------ show crypto gdoi gm acl ------------------
------------------ show crypto gdoi gm pubkey ------------------
------------------ show crypto gdoi gm rekey detail ------------------
------------------ show crypto gdoi gm replay ------------------
------------------ show crypto gdoi ipsec sa ------------------
------------------ show crypto gdoi ks ------------------
Total group members registered to this box: 0
------------------ show crypto gdoi ks acl ------------------
------------------ show crypto gdoi ks coop ------------------
------------------ show crypto gdoi ks coop version ------------------
Cooperative key server infra Version : 2.0.0
Client : KS_POLICY_CLIENT     Version : 2.0.0
Client : GROUP_MEMBER_CLIENT  Version : 2.0.1
Client : SID_CLIENT           Version : 1.0.1
------------------ show crypto gdoi ks identifier detail ------------------
------------------ show crypto gdoi ks member ------------------
Group Member Information :
------------------ show crypto gdoi ks policy ------------------
------------------ show crypto gdoi ks rekey ------------------
------------------ show crypto gdoi ks replay ------------------
------------------ show crypto gdoi diagnose events ------------------
------------------ show crypto gdoi diagnose errors recent ------------------
Labels: IPSEC
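The counters in the tech-support output above already localize the failure, and the following added Python example (written for this page; it is not code from the thread or from Cisco) makes that reading mechanical. It parses a reflowed excerpt of `show crypto ikev2 stats exchange detailed` and a few `show monitor event-trace crypto` lines, both constructed from the values shown in the post and embedded inline, so nothing here talks to a router. The point it surfaces: IKE_SA_INIT and IKE_AUTH each received 87 responses, so the peer is reachable and the IKE_SA_INIT exchange completes; the 83 NO_PROPOSAL_CHOSEN and 4 AUTHENTICATION_FAILED notifies arrive in IKE_AUTH responses, which points at the child (IPsec) proposal or the pre-shared key/identity rather than at UDP 500/4500 filtering (an IKE-proposal mismatch would already have been rejected in the IKE_SA_INIT response).

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of `show crypto ikev2 stats exchange detailed`, reflowed to
# one counter per line. The numbers are the ones shown in the thread.
STATS_EXCERPT = """\
EXCHANGE/NOTIFY TX(REQ) TX(RES) RX(REQ) RX(RES)
EXCHANGES
IKE_SA_INIT 87 0 0 87
IKE_AUTH 87 0 0 87
CREATE_CHILD_SA 0 0 0 0
ERROR NOTIFY
NO_PROPOSAL_CHOSEN 0 0 0 83
AUTHENTICATION_FAILED 0 0 0 4
TS_UNACCEPTABLE 0 0 0 0
OTHER NOTIFY
INITIAL_CONTACT 87 0 0 0
NAT_DETECTION_SOURCE_IP 87 0 0 87
"""

# Constructed excerpt of `show monitor event-trace crypto merged all` (two of the
# attempts from the thread; a remote port of 4500 means NAT-T encapsulation).
TRACE_EXCERPT = """\
*Sep 26 14:10:26.670: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.1/0/256
*Sep 26 14:10:27.249: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
*Sep 26 14:27:23.402: ipsec_event: IPSEC-EVENT:IPSEC-SEND-KMI: Session ID : 1, KMI Sent: IPSEC key engine->Crypto IKEv2:KEY_ENG_REQUEST_SAS, loc: 172.17.130.243, rem: 202.44.76.10, l_proxy: 172.17.130.243/0/256, r_proxy: 146.178.211.2/0/256
*Sep 26 14:27:23.978: ikev2_error: SA ID:1 SESSION ID:1 Remote: 202.44.76.10/4500 Local: 172.17.130.243/4500
"""

COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
RPROXY_RE = re.compile(r"r_proxy:\s*(\d+\.\d+\.\d+\.\d+)/")
REMOTE_RE = re.compile(r"ikev2_error:.*Remote:\s*(\d+\.\d+\.\d+\.\d+)/(\d+)")


def parse_exchange_stats(text):
    """Return {section: {name: (tx_req, tx_res, rx_req, rx_res)}}."""
    stats = defaultdict(dict)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("EXCHANGE/NOTIFY"):
            continue  # the column header carries no data
        m = COUNTER_RE.match(line)
        if m:
            stats[section][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
        else:
            section = line  # EXCHANGES / ERROR NOTIFY / OTHER NOTIFY
    return dict(stats)


def ikev2_failure_summary(stats):
    """Rank the error notifies received and name the exchange that is failing."""
    exch = stats.get("EXCHANGES", {})
    sa_init_rx = exch.get("IKE_SA_INIT", (0, 0, 0, 0))[3]
    auth_rx = exch.get("IKE_AUTH", (0, 0, 0, 0))[3]
    errors = [(name, v[3]) for name, v in stats.get("ERROR NOTIFY", {}).items() if v[3]]
    errors.sort(key=lambda e: e[1], reverse=True)
    if sa_init_rx == 0:
        stage = "IKE_SA_INIT"  # no answer at all: reachability or UDP 500/4500 filtering
    elif auth_rx > 0 and errors:
        stage = "IKE_AUTH"     # answered, then rejected: proposal, PSK or identity
    else:
        stage = "CHILD_SA"
    return {"sa_init_responses": sa_init_rx, "auth_responses": auth_rx,
            "errors": errors, "failing_stage": stage}


def summarize_trace(text):
    """Count SA requests per remote proxy and note whether NAT-T (UDP 4500) is in use."""
    attempts, errors, nat_t = Counter(), 0, False
    for line in text.splitlines():
        m = RPROXY_RE.search(line)
        if m:
            attempts[m.group(1)] += 1
        m = REMOTE_RE.search(line)
        if m:
            errors += 1
            nat_t = nat_t or m.group(2) == "4500"
    return {"attempts": dict(attempts), "errors": errors, "nat_t": nat_t}


if __name__ == "__main__":
    print(ikev2_failure_summary(parse_exchange_stats(STATS_EXCERPT)))
    print(summarize_trace(TRACE_EXCERPT))
```

The `nat_t` flag agrees with the NAT_INSIDE counter in the same output: the CSR's GigabitEthernet1 carries the private address 172.17.130.243 behind an AWS-provided public address, so the peer sees a NATed source and both sides switch to UDP 4500 encapsulation. That is expected in AWS and is not itself a fault.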
09-27-2019 09:06 AM
Latest round of debugging showed the following when I ran sh cry tech-support from another window:
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:04.218: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
*Sep 27 16:02:06.397: ISAKMP-ERROR: (0):No peer struct to get peer description
09-29-2019 11:43 AM
Please provide the full configuration of both ends of the VPN tunnel. Also provide the output of full ikev2/isakmp debugs. Provide these outputs as attachments rather than in the body of the message; it makes it easier.
10-02-2019 07:02 AM
Router is hosted in AWS, the ports mentioned are part of a security group associated with the instance. Attached are the debugs and config from my side. Fairly certain ESP needs to be added, but doing so via AWS security group (port 50) doesn't seem to work. I'm guessing ICMP will also need to be enabled in order to verify?
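On the security-group question raised in the post above, the following added Python example (written for this page, not code from the thread or from AWS) shows the inbound permissions an IPsec peer needs on the CSR's instance and audits an existing rule set for the two mistakes that commonly keep a tunnel down. AWS security groups select ESP by IP protocol number 50 with no port fields, so a TCP or UDP rule on "port 50" never matches ESP. The peer CIDR is a constructed placeholder; the dicts follow the IpPermissions shape that the EC2 `authorize_security_group_ingress` call accepts, but nothing here calls AWS.

```python
# Added example: describe the inbound rules an IKEv2/IPsec peer needs on an AWS
# security group, and audit a rule set for the mistakes that keep tunnels down.

PEER_CIDR = "203.0.113.10/32"  # constructed placeholder for the remote VPN peer


def required_ipsec_permissions(peer_cidr):
    """IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50), from the peer only."""
    ranges = [{"CidrIp": peer_cidr, "Description": "IPsec peer"}]
    return [
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": ranges},
        {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "IpRanges": ranges},
        # ESP has no port numbers: it is matched by IP protocol number alone.
        {"IpProtocol": "50", "IpRanges": ranges},
    ]


# Constructed "before" rule set mirroring the thread: IKE and NAT-T are right,
# but ESP was attempted as UDP port 50, which is not the same thing.
BROKEN_RULES = [
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
     "IpRanges": [{"CidrIp": PEER_CIDR}]},
    {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500,
     "IpRanges": [{"CidrIp": PEER_CIDR}]},
    {"IpProtocol": "udp", "FromPort": 50, "ToPort": 50,
     "IpRanges": [{"CidrIp": PEER_CIDR}]},
]


def audit_ipsec_rules(rules, peer_cidr):
    """Return (missing, findings): what the peer still lacks, and what looks wrong."""
    needed = {"udp/500": False, "udp/4500": False, "esp(50)": False}
    findings = []
    for rule in rules:
        proto = str(rule.get("IpProtocol"))
        ports = (rule.get("FromPort"), rule.get("ToPort"))
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        if proto in ("tcp", "udp") and ports == (50, 50):
            findings.append("%s port 50 is not ESP; ESP is IP protocol 50" % proto)
        if proto == "-1" or "0.0.0.0/0" in cidrs:
            findings.append("rule %s/%s is open to any source or protocol" % (proto, ports[0]))
        if peer_cidr not in cidrs:
            continue  # over-broad or unrelated rules do not count as satisfying the peer
        if proto == "udp" and ports == (500, 500):
            needed["udp/500"] = True
        elif proto == "udp" and ports == (4500, 4500):
            needed["udp/4500"] = True
        elif proto == "50":
            needed["esp(50)"] = True
    missing = [name for name, ok in needed.items() if not ok]
    return missing, findings


if __name__ == "__main__":
    print(audit_ipsec_rules(BROKEN_RULES, PEER_CIDR))
    print(audit_ipsec_rules(required_ipsec_permissions(PEER_CIDR), PEER_CIDR))
```

Two caveats for this particular thread. ICMP is only needed for ping tests against the instance; IKE and ESP do not depend on it. And because the earlier counters show NAT_INSIDE 87 with both peers on port 4500, NAT-T is in use, which carries the ESP payload inside UDP 4500, so the missing protocol-50 rule does not explain the NO_PROPOSAL_CHOSEN and AUTHENTICATION_FAILED replies; the rule still belongs on the group for any peer that is not behind NAT.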
