VPN Error

benolyndav
Level 4

Hi

Any ideas what's causing this, please? I have recently added a new cert on the other end of the tunnel RTR.

 

.May 21 16:48:11.108: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, spi=0x4E128779(1309837177), srcaddr=X.X.X.X, input interface=Dialer1

 

.May 21 16:48:31.577: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range:0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535

 

.May 21 16:48:31.725: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to locate an item in the database

21 Replies

Deepak Kumar
VIP Alumni

Logs are not complete. You have to attach all logs to find out a reason for it. 

But

!

.May 21 16:48:11.108: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, spi=0x4E128779(1309837177), srcaddr=X.X.X.X, input interface=Dialer1

!

One of the most common IPsec issues is that SAs can become out of sync between the peer devices. As a result, an encrypting device encrypts traffic with SAs that its peer does not know about. These packets are dropped by the peer and this message appears in the syslog:

!

What is your IOS version? Have you tried with clear crypto sessions?

You might be hitting a known bug - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsq59183

Try to use a command - 

crypto isakmp invalid-spi-recovery

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

You added a new cert; does your router use the OLD or the NEW cert?
Try clearing the IPsec SA and ISAKMP SA; if that does not solve the issue, please share the config.

Hi

Do these give any clues?

 

*May 23 11:28:09.530: ISAKMP: (0):certificate map matches IKEv2_PROFILE profile

*May 23 11:28:16.854: ISAKMP: (0):certificate map matches IKEv2_PROFILE profile

*May 23 11:28:16.858: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel401, changed state to down

*May 23 11:28:16.878: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel401, changed state to up

*May 23 11:28:39.530: ISAKMP: (0):certificate map matches IKEv2_PROFILE profile

*May 23 11:28:46.858: ISAKMP: (0):certificate map matches IKEv2_PROFILE profile

 

The tunnel is constantly flapping:

*May 23 11:28:46.866: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel401, changed state to down

*May 23 11:28:46.882: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel401, changed state to up

Is this tunnel

GRE over IPsec, or

IPsec SVTI?

If the certificate map matches the same profile that protects this tunnel,

I think that there is a routing issue:

the destination of the tunnel is learned through the tunnel, and this makes the tunnel go up then down.

Hi

IPSEC - VTI

If this is IKEv2 and it is SVTI,

then IKEv2 authentication is bidirectional,

i.e. you authenticate the remote and the remote authenticates you.

Since you changed the certificate:

if both peers use the same CA, then you configure one trustpoint in both peers;

if each peer uses a different CA, then you configure two trustpoints, one for each peer.

And to make sure that the issue is from IPsec and not from the tunnel itself, you can try removing the profile and see:

if the tunnel is not stable, then it is a routing issue;

if the tunnel is stable, then the issue is with IPsec and you need to check the points above.

Note: if you use match identity using certificate, you must then check that the other peer matches your new certificate, to select the right IKEv2 profile.

Hi

Yes, when I remove the profile from the tunnel interface I no longer see the flaps in the logs.

 

Thanks

"I know longer see the flaps in the logs.??" meaning NO longer flapping?

Hi

Yes, no longer flapping.

 

Thanks

No, we need the running configuration and more debug logs.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Which logs?

@benolyndav can you provide the full output of the IKEv2 debug logs? This will provide a clue to the errors received.

 

I assume the tunnel was working before and it was just the certificate that was renewed on the remote device?

Was the certificate issued by the same CA as before?

Hi

May 23 13:47:26.356: IKEv2:(SESSION ID = 2,SA ID = 1):Attrib type: split-dns, length: 0

May 23 13:47:26.356: IKEv2:(SESSION ID = 2,SA ID = 1):Attrib type: banner, length: 0

May 23 13:47:26.356: IKEv2:(SESSION ID = 2,SA ID = 1):Attrib type: config-url, length: 0

May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Attrib type: backup-gateway, length: 0

May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Attrib type: def-domain, length: 0

May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Have config mode data to send

May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Check for EAP exchange

May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Generate my authentication data

May 23 13:47:26.360: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data

May 23 13:47:26.360: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED

May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Get my authentication method

May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):My authentication method is 'RSA'

May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Sign authentication data

May 23 13:47:26.360: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key

May 23 13:47:26.360: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED

May 23 13:47:26.360: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data

May 23 13:47:26.360: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED

May 23 13:47:26.388: IKEv2:(SESSION ID = 2,SA ID = 1):Authentication material has been sucessfully signed

May 23 13:47:26.388: IKEv2:(SESSION ID = 2,SA ID = 1):Check for EAP exchange

May 23 13:47:26.388: IKEv2:(SESSION ID = 2,SA ID = 1):Generating IKE_AUTH message

May 23 13:47:26.388: IKEv2:(SESSION ID = 2,SA ID = 1):Constructing IDi payload: 'hostname=Spoke-VPN-RTR-1,cn=Spoke-VPN-RTR.1.HHG.UK,ou=HHG NETWORKS,o=HHG,c=GB' of type 'DER ASN1 DN'

May 23 13:47:26.392: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)

May 23 13:47:26.392: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'RTR-CERT'

May 23 13:47:26.392: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints

May 23 13:47:26.392: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),

Num. transforms: 3

   AES-CBC   SHA256   Don't use ESN

May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Building packet for encryption.

Payload contents:

VID IDi CERT CERTREQ AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

 

May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]

Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

SKF

 

 

May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]

Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

SKF

 

May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]

Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

SKF

 

 

May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]

Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

SKF

 

May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]

Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

SKF

 

May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]

Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1

IKEv2 IKE_AUTH Exchange REQUEST

Payload contents:

SKF

May 23 13:47:26.436: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI

 

May 23 13:47:26.436: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 84.40.91.54:4500/To 88.245.76.197:4500/VRF i0:f0]

Initiator SPI : FC2AC060A0629921 - Responder SPI : 8C2A4159814DB4E1 Message id: 0

IKEv2 INFORMATIONAL Exchange REQUEST

May 23 13:47:26.436: IKEv2-ERROR:: A supplied parameter is incorrect

 

May 23 13:47:26.452: IKEv2:(SESSION ID = 2,SA ID = 1):Received Packet [From 84.40.91.54:4500/To 88.245.76.197:4500/VRF i0:f0]

Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1

IKEv2 IKE_AUTH Exchange RESPONSE

Payload contents:

VID IDr CERT AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

 

May 23 13:47:26.452: IKEv2:(SESSION ID = 2,SA ID = 1):Process auth response notify

May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Searching policy based on peer's identity 'serialNumber=+hostname=VPN-RTR of type 'DER ASN1 DN'

May 23 13:47:26.456: IKEv2-ERROR:(SESSION ID = 2,SA ID = 1):: Failed to locate an item in the database

May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Verification of peer's authentication data FAILED

May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Auth exchange failed

May 23 13:47:26.456: IKEv2-ERROR:(SESSION ID = 2,SA ID = 1):: Auth exchange failed

May 23 13:47:26.456: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to locate an item in the database

 

May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Abort exchange

May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Deleting SA

May 23 13:47:26.456: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session

May 23 13:47:26.456: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

May 23 13:47:28.348: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI

 

May 23 13:47:28.348: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 84.40.91.54:4500/To 88.245.76.197:4500/VRF i0:f0]

Initiator SPI : FC2AC060A0629921 - Responder SPI : 8C2A4159814DB4E1 Message id: 0

IKEv2 INFORMATIONAL Exchange REQUEST

May 23 13:47:28.348: IKEv2-ERROR:: A supplied parameter is incorrect

May 23 13:47:31.973: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI

 

May 23 13:47:31.973: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 84.40.91.54:4500/To 88.245.76.197:4500/VRF i0:f0]

Initiator SPI : FC2AC060A0629921 - Responder SPI : 8C2A4159814DB4E1 Message id: 0

IKEv2 INFORMATIONAL Exchange REQUEST

May 23 13:47:31.973: IKEv2-ERROR:: A supplied parameter is incorrect

@benolyndav authentication is failing

 

May 23 13:47:26.456: IKEv2-ERROR:(SESSION ID = 2,SA ID = 1):: Failed to locate an item in the database

May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Verification of peer's authentication data FAILED

May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Auth exchange failed

 

Is the new certificate of the remote peer trusted on this router?

Can you provide more configuration information of this local router and the remote peer, please?
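To illustrate what the replies in this thread are checking for, here is an added triage script (not from any poster, and not a Cisco tool) that walks IOS IKEv2 debug output like the capture above, pulls out the local IDi and the peer identity the router searched a policy for, flags the failure markers (invalid IKE SPI, "Failed to locate an item in the database", failed peer authentication, NEG_ABORT), and optionally tests the peer DN against a certificate-map-style rule. The sample lines are constructed from the ones posted here, and the `subject-name co o=hhg` rule is a hypothetical map, not the original poster's configuration; it only shows how a renewed certificate whose subject no longer satisfies the map leads to no IKEv2 profile being selected.

```python
import re

# Constructed sample, modelled on the IKEv2 debug lines posted in this thread.
# The "peer's identity" line keeps the missing closing quote seen in the capture,
# so the parser below has to tolerate it.
SAMPLE_DEBUG = """\
May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):My authentication method is 'RSA'
May 23 13:47:26.388: IKEv2:(SESSION ID = 2,SA ID = 1):Constructing IDi payload: 'hostname=Spoke-VPN-RTR-1,cn=Spoke-VPN-RTR.1.HHG.UK,ou=HHG NETWORKS,o=HHG,c=GB' of type 'DER ASN1 DN'
May 23 13:47:26.436: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Searching policy based on peer's identity 'serialNumber=+hostname=VPN-RTR of type 'DER ASN1 DN'
May 23 13:47:26.456: IKEv2-ERROR:(SESSION ID = 2,SA ID = 1):: Failed to locate an item in the database
May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Verification of peer's authentication data FAILED
May 23 13:47:26.456: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to locate an item in the database
"""

IDI_RE = re.compile(r"Constructing IDi payload: '([^']*)'")
# Lazy match up to an optional quote followed by " of type", so a line whose
# closing quote is missing (as in the posted capture) still yields the DN.
PEER_ID_RE = re.compile(r"peer's identity '([^']*?)'? of type")

# Messages that mark each stage of the failure discussed in this thread.
MARKERS = {
    "invalid_ike_spi": "Detected an invalid IKE SPI",
    "no_profile_match": "Failed to locate an item in the database",
    "peer_auth_failed": "Verification of peer's authentication data FAILED",
    "neg_abort": "%IKEV2-3-NEG_ABORT",
}


def parse_dn(dn):
    """Split an LDAP-style DN string into {attribute: value} with lower-cased attribute names.
    Both ',' (next RDN) and '+' (multi-valued RDN, as in 'serialNumber=+hostname=...') separate pairs."""
    attrs = {}
    for part in re.split(r"[,+]", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs


def cert_map_matches(rules, dn):
    """Emulate one 'crypto pki certificate map' clause: every (field, op, value) rule must hold.
    Only 'subject-name' with the 'co' (contains) and 'eq' (equal) operators is modelled,
    compared case-insensitively. Hypothetical emulation, not IOS code."""
    subject = dn.lower()
    for field, op, value in rules:
        if field != "subject-name" or op not in ("co", "eq"):
            raise ValueError(f"rule {(field, op, value)!r} not modelled")
        value = value.lower()
        if not (value in subject if op == "co" else subject == value):
            return False
    return True


def triage(debug_text, cert_map_rules=None):
    """Report the identities exchanged, the failure markers seen (in order of first appearance),
    a one-line verdict, and, if rules are given, whether the peer DN would satisfy the map."""
    report = {"local_id": None, "peer_id": None, "peer_attrs": {}, "seen": [],
              "verdict": "no failure markers found"}
    for line in debug_text.splitlines():
        if m := IDI_RE.search(line):
            report["local_id"] = m.group(1)
        if m := PEER_ID_RE.search(line):
            report["peer_id"] = m.group(1)
            report["peer_attrs"] = parse_dn(m.group(1))
        for name, text in MARKERS.items():
            if text in line and name not in report["seen"]:
                report["seen"].append(name)
    seen = report["seen"]
    if "no_profile_match" in seen and "peer_auth_failed" in seen:
        report["verdict"] = (f"no IKEv2 profile selected for peer identity {report['peer_id']!r}: "
                             "check the profile's match identity / certificate map against the renewed certificate")
    elif "invalid_ike_spi" in seen:
        report["verdict"] = "stale IKE SA on one side; check SA state on both peers"
    if cert_map_rules is not None and report["peer_id"] is not None:
        report["cert_map_match"] = cert_map_matches(cert_map_rules, report["peer_id"])
    return report


if __name__ == "__main__":
    # Hypothetical map equivalent to 'subject-name co o=hhg'.
    for key, value in triage(SAMPLE_DEBUG, [("subject-name", "co", "o=hhg")]).items():
        print(f"{key}: {value}")
```

Run against the sample, the peer identity comes out as `serialNumber=+hostname=VPN-RTR`, which contains no `o=HHG`, so the hypothetical map does not match and the verdict points at the profile's match identity rather than at the SPI warning; the invalid-SPI lines are reported too, but they follow the failed IKE_AUTH rather than cause it.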
