02-25-2020 05:51 AM
Hi,
I'm trying to set up multiple site-to-site VPNs.
Our ASAs sit within AWS and the connecting devices are clients that could possibly be multi-vendor.
I can see a lot of warnings for "Failed to allocate PSH from the platform". When I debug the crypto ikev2 protocol I see the following errors:
IKEv2-PROTO-4: Received Packet [From REMOTE CLIENT:500/To INTERNAL IP:500/VRF i0:f0]
Initiator SPI : 562E74C8017289A3 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-5: Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 316
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
KE Next payload: N, reserved: 0x0, length: 136
DH group: 2, Reserved: 0x0
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
IKEv2-PROTO-7: Parse Vendor Specific Payload: (CUSTOM) VID Next payload: NONE, reserved: 0x0, length: 24
Decrypted packet:Data: 316 bytes
IKEv2-PROTO-2: Failed to allocate PSH from platform
IKEv2-PROTO-7: SM Trace-> SA: I_SPI=562E74C8017289A3 R_SPI=CC27447FA37DCDF2 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-7: Action: Action_Null
IKEv2-PROTO-7: SM Trace-> SA: I_SPI=562E74C8017289A3 R_SPI=CC27447FA37DCDF2 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: SM Trace-> SA: I_SPI=562E74C8017289A3 R_SPI=CC27447FA37DCDF2 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: SM Trace-> SA: I_SPI=562E74C8017289A3 R_SPI=CC27447FA37DCDF2 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: Abort exchange
IKEv2-PROTO-4: Deleting SA
Has anyone seen this before, what did you do to resolve this?
Thanks
02-25-2020 07:57 AM
02-26-2020 12:29 AM
We're using a Cisco ASAv30 with ASA software 9.12.2.
03-12-2020 02:08 PM
Adam,
Can you share the config of the ikev2 policy and ikev2 ipsec proposal from the ASA and the other end?
Also, what type of device are you using at the other end of the tunnel?
This could be related to 2 issues:
1- configuration mismatch
2- a bug
Hope this info helps!!
Rate if it helps you!!
-JP-
03-14-2020 01:29 AM
Hi,
First, ensure that both sides use the same IPsec implementation (policy-based via crypto map, or route-based via VTI). Can you post the debug output of "debug crypto ikev2 protocol 127", "debug crypto ikev2 platform 127" and "debug crypto ipsec sa", with "debug crypto condition peer x.x.x.x"?
Second, see if any of these bugs affect you:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm64400
Regards,
Cristian Matei.
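For reference, here is an added example (not part of any post above) of the ASA-side pieces the two replies ask about: an IKEv2 policy that matches the transforms the initiator offers in the IKE_SA_INIT dump (AES-CBC, SHA-256 integrity, SHA-256 PRF, DH group 2), a policy-based crypto-map tunnel of the kind Cristian contrasts with VTI, and the peer-scoped conditional debugs. The peer address 203.0.113.10, the subnets, the access-list/crypto-map/proposal names and the pre-shared keys are all placeholders; the phase 2 proposal is an assumption because the dump only shows the IKE SA proposal, and it must be matched against what the remote device actually offers.

```cisco
! --- Added example, not the original poster's configuration ---
! IKEv2 policy matching the peer's IKE_SA_INIT proposal:
! AES-CBC, integrity SHA-256, PRF SHA-256, DH group 2 (1024-bit MODP)
crypto ikev2 policy 10
 encryption aes-256 aes
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! Phase 2 (child SA) proposal: assumed AES/SHA-256, must match the remote side
crypto ipsec ikev2 ipsec-proposal AES-SHA256
 protocol esp encryption aes-256 aes
 protocol esp integrity sha-256

! Policy-based tunnel via crypto map; traffic selectors must mirror the peer's
access-list VPN-TO-PEER extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-PEER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES-SHA256
crypto map OUTSIDE_MAP interface outside

! L2L tunnel group keyed on the peer address; placeholder PSKs
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key MyPlaceholderPSK
 ikev2 local-authentication pre-shared-key MyPlaceholderPSK

! Conditional debugging scoped to one peer so the output stays readable
debug crypto condition peer 203.0.113.10
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
debug crypto ipsec 127
```

Two caveats worth keeping in mind when comparing against the dump above. The initiator is offering DH group 2, which is 1024-bit MODP and no longer considered adequate; if the remote devices can be changed, negotiate group 14 or higher on both sides rather than lowering the ASA to match. And because the ASA in AWS sits behind 1:1 NAT (the packet arrives "To INTERNAL IP" while the peer addresses the elastic IP), the NAT_DETECTION payloads in the dump are expected, and the security group on the ASA's outside interface needs UDP/500 and UDP/4500 open from the peer addresses.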