Site-To-Site VPN cisco ASA to Cisco ASR phase 1 down

ezzaariyouness
Level 1

Hello everyone,

I'm trying to set up a site-to-site VPN from a Cisco ASA to a Cisco ASR, but Phase 1 is down. I checked that the Phase 1 parameters are OK, even though the key is correct.

I attached the config and the error message that I'm getting from the ASDM.

Can you help me fix this issue?

Best regards

Younes


Points to check

1- Did you configure the right DH group and PRF on the ASR?

2- On the ASA, configure the group-policy with vpn-tunnel-protocol ikev2.

3- On the ASA, is IKEv2 enabled on the outside interface?

1- Yes, the group and PRF match on both sides.

2- How can I check that, please?

3- IKEv2 is enabled on the outside interface.

group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-idle-timeout 30
vpn-tunnel-protocol ikev2
tunnel-group <ip> type ipsec-l2l
default-group-policy GroupPolicy2

Also, please double-check the PRF on both the ASR and the ASA.

@ezzaariyouness The syslog event related to that error message, 751013, indicates a memory or configuration error. Can you run the IKEv2 debugs (debug crypto ikev2) as per the recommended action and provide the output for review, please:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-722001-to-776020.html#con_6710968

You could also look to disable IKEv2 configuration exchange on the ASR, which is not supported on ASA/FTD.


crypto ikev2 profile IKEV2-PROFILE
 no config-exchange request

Hi Rob,

Thank you for your information; let me share this with the remote team.

@ezzaariyouness
Hi, I have seen such cases. As @Rob Ingram mentioned, disable config-exchange request (no config-exchange request) under the IKEv2 profile on the ASR

or 

Configure the ASR as responder only and the ASA as initiator for the tunnel.

Yes, I am asking the remote team to do that on the ASR.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc38984

There is a bug for the same case, and the solution is as @Salman Mahajan and @Rob Ingram mention.
Thanks
MHM

Find attached the new logs.

IKEv2-PLAT-2: (56): Crypto Map: No proxy match on map VPN-L2L seq 1

Are you sure of the peer IPs (remote LAN)?

ciscoasa(config)# show crypto ikev2 sa detail <<- Please share this if you can.

Yes, I'm sure of the peer IPs.

There is no IKEv2 SA.

access-list South-PD-Harris-CTS extended permit ip 10.2.55.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.56.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.49.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.49.0 255.255.255.0 host 10.208.120.3
access-list South-PD-Harris-CTS extended permit ip 10.2.56.0 255.255.255.0 host 10.208.120.3
access-list South-PD-Harris-CTS extended permit ip 10.2.55.0 255.255.255.0 host 10.208.120.3

If I am right,
IKEv2 on the ASA does not support multi-SA,
and I see here you need 6 SAs.
To check, remove the others and keep only one, and see the IKEv2.

(57):  NOTIFY(NO_PROPOSAL_CHOSEN)(57):   Next payload: NONE, reserved: 0x0, length: 8
(57):     Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN

Check for the below on both ends:

1. Transform set (should match on both ends)
2. Proxy ID/interesting traffic (should be a mirror of the local side)
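The second check above is the one the earlier "No proxy match on map VPN-L2L" debug line points at. As an added example, not code from this thread or from Cisco, the following Python script parses the ASA crypto ACL posted above and a constructed, hypothetical ASR crypto ACL in IOS wildcard syntax, then reports every proxy-ID pair that fails to mirror the local side; the ASR ACL and its deliberately mistyped entry are assumptions made for the demonstration.

```python
import ipaddress
import re

# 'permit ip <src> <dst>'; each side is 'host A' or 'A MASK' (ASA netmask or
# IOS wildcard; ipaddress accepts either form, all-zero wildcard excepted).
PERMIT_IP = re.compile(r"permit ip (?:host (\S+)|(\S+) (\S+)) (?:host (\S+)|(\S+) (\S+))")

# Constructed sample: the ASA crypto ACL posted in the thread (local side).
ASA_ACL = """
access-list South-PD-Harris-CTS extended permit ip 10.2.55.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.56.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.49.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.49.0 255.255.255.0 host 10.208.120.3
access-list South-PD-Harris-CTS extended permit ip 10.2.56.0 255.255.255.0 host 10.208.120.3
access-list South-PD-Harris-CTS extended permit ip 10.2.55.0 255.255.255.0 host 10.208.120.3
"""

# Constructed sample: a hypothetical ASR crypto ACL in IOS wildcard syntax,
# with one entry deliberately mistyped (10.2.48.0 instead of 10.2.49.0).
ASR_ACL = """
permit ip host 10.208.120.2 10.2.55.0 0.0.0.255
permit ip host 10.208.120.2 10.2.56.0 0.0.0.255
permit ip host 10.208.120.2 10.2.49.0 0.0.0.255
permit ip host 10.208.120.3 10.2.48.0 0.0.0.255
permit ip host 10.208.120.3 10.2.56.0 0.0.0.255
permit ip host 10.208.120.3 10.2.55.0 0.0.0.255
"""

def _net(host, addr, mask):
    # 'host A' becomes A/32; otherwise build the network from address and mask
    if host:
        return ipaddress.ip_network(host + "/32")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_proxy_ids(acl_text):
    """Set of (src_net, dst_net) proxy-ID pairs from the 'permit ip' lines."""
    pairs = set()
    for m in filter(None, map(PERMIT_IP.search, acl_text.splitlines())):
        sh, sa, sm, dh, da, dm = m.groups()
        pairs.add((_net(sh, sa, sm), _net(dh, da, dm)))
    return pairs

def mirror_mismatches(local_acl, remote_acl):
    """Return (missing_on_remote, extra_on_remote): pairs in the remote side's
    (src, dst) orientation that break the mirror; both empty means it matches."""
    expected = {(dst, src) for src, dst in parse_proxy_ids(local_acl)}
    remote = parse_proxy_ids(remote_acl)
    return expected - remote, remote - expected

def check_thread_acls():
    return mirror_mismatches(ASA_ACL, ASR_ACL)
```

Running check_thread_acls() on the two samples reports one pair missing on the ASR (10.208.120.3/32 to 10.2.49.0/24) and one extra pair (10.208.120.3/32 to 10.2.48.0/24), which is exactly the kind of typo that produces a proxy-ID mismatch while every Phase 1 parameter agrees.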