Site to Site VPNs Cisco ASAv hosted within AWS Hub / Spoke - Failed to allocate PSH from platform

Adam09847
Level 1

Hi,

I'm trying to set up multiple site-to-site VPNs.

Our ASAs sit within AWS and the connecting devices are clients that could possibly be multi-vendor.

I can see a lot of warnings for "Failed to allocate PSH from platform". When I debug the crypto ikev2 protocol I see the following errors:

IKEv2-PROTO-4: Received Packet [From REMOTE CLIENT:500/To INTERNAL IP:500/VRF i0:f0]
Initiator SPI : 562E74C8017289A3 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-5: Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 316
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
KE Next payload: N, reserved: 0x0, length: 136
DH group: 2, Reserved: 0x0
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: NONE, reserved: 0x0, length: 24

Decrypted packet:Data: 316 bytes
IKEv2-PROTO-2: Failed to allocate PSH from platform
IKEv2-PROTO-7: SM Trace-> SA: I_SPI=562E74C8017289A3 R_SPI=CC27447FA37DCDF2 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-7: Action: Action_Null
IKEv2-PROTO-7: SM Trace-> SA: I_SPI=562E74C8017289A3 R_SPI=CC27447FA37DCDF2 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: SM Trace-> SA: I_SPI=562E74C8017289A3 R_SPI=CC27447FA37DCDF2 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: SM Trace-> SA: I_SPI=562E74C8017289A3 R_SPI=CC27447FA37DCDF2 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: Abort exchange
IKEv2-PROTO-4: Deleting SA

Has anyone seen this before? What did you do to resolve this?

Thanks

4 Replies

JP Miranda Z
Cisco Employee

Hi Adam09847,

Which version of ASA are you running?

Hope this info helps!!

Rate if it helps you!!

-JP-

We're using a Cisco ASAv30 with ASA software 9.12.2.

Adam,

Can you share the config of the ikev2 policy and ikev2 ipsec proposal from the ASA and the other end?

Also, what type of device are you using at the other end of the tunnel?

This could be related to 2 issues:

1- configuration mismatch

2- a bug

Hope this info helps!!

Rate if it helps you!!

-JP-
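
The "configuration mismatch" possibility above can be checked mechanically against the debug in the original post. The following script is an added example, not code from this thread or from Cisco: it parses the IKE proposal transforms (type 1 encryption, 2 PRF, 3 integrity, 4 DH group) out of the "debug crypto ikev2 protocol" lines and compares them with the "crypto ikev2 policy" blocks of an ASA configuration. The ASA configuration, its policy numbers 10 and 20 and their values are constructed for the example; the mapping of debug identifiers to ASA keywords is an assumption, and since this debug does not print the AES key-length attribute, any AES-CBC keyword is accepted as a candidate.

```python
"""Compare the peer's IKE_SA_INIT proposal (from 'debug crypto ikev2 protocol')
with the ASA's 'crypto ikev2 policy' entries and report where they diverge."""
import re

# Constructed sample: the proposal lines from the debug output in the original post.
DEBUG_SAMPLE = """\
IKEv2-PROTO-4: Received Packet [From REMOTE CLIENT:500/To INTERNAL IP:500/VRF i0:f0]
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
"""

# Constructed (hypothetical) ASA configuration; policy numbers and values are assumptions.
ASA_CONFIG_SAMPLE = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes aes-256
 integrity sha256
 group 2 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
"""

# IKEv2 transform type numbers (RFC 7296 section 3.3.2) mapped to ASA policy keywords.
TRANSFORM_TYPES = {1: "encryption", 2: "prf", 3: "integrity", 4: "group"}

# Debug identifiers mapped to ASA keywords (assumed mapping). The AES-CBC line in this
# debug does not print the key-length attribute, so every AES-CBC keyword is a candidate.
ENCR_IDS = {"AES-CBC": {"aes", "aes-192", "aes-256"}, "3DES": {"3des"}, "DES": {"des"}}
HASH_IDS = {"SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512", "MD5": "md5"}


def parse_debug_proposal(text):
    """Collect the transforms of the IKE proposal printed in the debug text."""
    proposal = {name: set() for name in TRANSFORM_TYPES.values()}
    for m in re.finditer(r"type: (\d+), reserved: 0x0, id: (.+)", text):
        ttype, ident = TRANSFORM_TYPES.get(int(m.group(1))), m.group(2).strip()
        if ttype == "encryption":
            proposal[ttype] |= ENCR_IDS.get(ident, {ident.lower()})
        elif ttype in ("prf", "integrity"):
            proposal[ttype].add(HASH_IDS.get(ident, ident.lower()))
        elif ttype == "group":
            g = re.search(r"Group (\d+)", ident)  # e.g. "DH_GROUP_1024_MODP/Group 2"
            proposal[ttype].add(g.group(1) if g else ident)
    return proposal


def parse_asa_policies(config):
    """Return one dict per 'crypto ikev2 policy' block with its transform keywords."""
    policies, in_policy = [], False
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 policy (\S+)", line)
        if m:
            policies.append({"name": m.group(1), **{n: set() for n in TRANSFORM_TYPES.values()}})
            in_policy = True
            continue
        if not line.startswith(" "):  # any other top-level command ends the block
            in_policy = False
            continue
        m = re.match(r"\s+(encryption|integrity|group|prf)\s+(.+)", line)
        if in_policy and m:
            policies[-1][m.group(1)].update(m.group(2).split())
    return policies


def check_policies(proposal, policies):
    """Map each policy name to the transform types the peer's proposal fails to satisfy.
    An empty list means the policy would accept the proposal."""
    results = {}
    for pol in policies:
        results[pol["name"]] = [
            f"{t}: peer offers {sorted(proposal[t])}, policy has {sorted(pol[t])}"
            for t in TRANSFORM_TYPES.values()
            if not proposal[t] & pol[t]
        ]
    return results


if __name__ == "__main__":
    prop = parse_debug_proposal(DEBUG_SAMPLE)
    for name, problems in check_policies(prop, parse_asa_policies(ASA_CONFIG_SAMPLE)).items():
        print(f"policy {name}: {'accepts proposal' if not problems else 'no match'}")
        for p in problems:
            print("  " + p)
    if "2" in prop["group"]:
        print("note: peer proposes DH group 2 (1024-bit MODP); prefer group 14 or higher")
```

Run as-is, it reports policy 10 rejected on the DH group and policy 20 accepted. Two caveats: the peer's offer of DH group 2 (1024-bit MODP) is the weakest part of this proposal, so the better fix is to move the peer to group 14 or higher rather than adding group 2 to the ASA policy; and the thread does not establish that a proposal mismatch is what produces "Failed to allocate PSH from platform" (an IKEv2 responder with no acceptable proposal normally answers NO_PROPOSAL_CHOSEN), so a match here does not rule out the bug JP mentions.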

Cristian Matei
VIP Alumni

Hi,

First, ensure that both sides use the same IPsec implementation (policy-based via crypto map, or route-based via VTI). Can you post the debug output of "debug crypto ikev2 protocol 127", "debug crypto ikev2 platform 127", "debug crypto ipsec sa" with "debug crypto condition peer x.x.x.x"?

Second, see if this bug affects you:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm64400


Regards,

Cristian Matei.