05-21-2022 11:21 PM
Hi
Any ideas what's causing this, please? I have recently added a new cert on the other end of the tunnel (RTR).
.May 21 16:48:11.108: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, spi=0x4E128779(1309837177), srcaddr=X.X.X.X, input interface=Dialer1
.May 21 16:48:31.577: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range:0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535
.May 21 16:48:31.725: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to locate an item in the database
05-21-2022 11:35 PM
The logs are not complete. You have to attach all the logs to find out the reason for it.
But
!
.May 21 16:48:11.108: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, spi=0x4E128779(1309837177), srcaddr=X.X.X.X, input interface=Dialer1
!
One of the most common IPsec issues is that SAs can become out of sync between the peer devices. As a result, an encrypting device encrypts traffic with SAs that its peer does not know about. These packets are dropped by the peer and this message appears in the syslog:
!
What is your IOS version? Have you tried `clear crypto session`?
You might be hitting a known bug - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsq59183
Try using the command:
crypto isakmp invalid-spi-recovery
05-22-2022 12:49 AM
You added a new cert; is your router using the OLD or the NEW cert?
Try `clear crypto ipsec sa` and `clear crypto isakmp sa`. If that does not solve the issue, please share the config.
05-23-2022 04:51 AM
Hi
Do these give any clues ??
*May 23 11:28:09.530: ISAKMP: (0):certificate map matches IKEv2_PROFILE profile
*May 23 11:28:16.854: ISAKMP: (0):certificate map matches IKEv2_PROFILE profile
*May 23 11:28:16.858: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel401, changed state to down
*May 23 11:28:16.878: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel401, changed state to up
*May 23 11:28:39.530: ISAKMP: (0):certificate map matches IKEv2_PROFILE profile
*May 23 11:28:46.858: ISAKMP: (0):certificate map matches IKEv2_PROFILE profile
*May 23 11:28:46.866: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel401, changed state to down
*May 23 11:28:46.882: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel401, changed state to up
The tunnel is constantly flapping.
05-23-2022 04:55 AM
Is this tunnel
GRE over IPsec, or
IPsec SVTI?
If the certificate map matches the same profile that protects this tunnel,
I think there is a routing issue:
the destination of the tunnel is learned through the tunnel, and this makes the tunnel go up and then down.
05-23-2022 04:57 AM
Hi
IPsec VTI
05-23-2022 06:21 AM
If this is IKEv2 and it is SVTI,
then IKEv2 uses bidirectional auth,
i.e. you authenticate the remote and the remote authenticates you.
Since you changed the certificate:
if both peers use the same CA, then you configure one trustpoint on both peers;
if each peer uses a different CA, then you configure two trustpoints, one for each peer.
And to make sure the issue is with IPsec and not with the tunnel itself, you can try removing the profile and see:
if the tunnel is not stable, it is a routing issue;
if the tunnel is stable, the issue is with IPsec and you need to check the points above.
Note: if you use match identity using a cert, you must then check that the other peer matches your new cert in order to select the right IKEv2 profile.
05-23-2022 07:40 AM
Hi
Yes, when I remove the profile from the tunnel interface I know longer see the flaps in the logs. ??
Thanks
05-23-2022 12:15 PM
""I know longer see the flaps in the logs.??"" meaning NO longer flap?
05-23-2022 01:02 PM
Hi
Yes, no longer flapping.
Thanks
05-23-2022 05:26 AM - edited 05-23-2022 05:26 AM
No, we need the running configuration and more debug logs.
05-23-2022 05:41 AM
Which logs?
05-23-2022 06:12 AM - edited 05-23-2022 06:15 AM
@benolyndav can you provide the full output of the IKEv2 debug logs? This will provide a clue to the errors received.
I assume the tunnel was working before and it was just the certificate that was renewed on the remote device?
Was the certificate issued by the same CA as before?
05-23-2022 07:41 AM
Hi
May 23 13:47:26.356: IKEv2:(SESSION ID = 2,SA ID = 1):Attrib type: split-dns, length: 0
May 23 13:47:26.356: IKEv2:(SESSION ID = 2,SA ID = 1):Attrib type: banner, length: 0
May 23 13:47:26.356: IKEv2:(SESSION ID = 2,SA ID = 1):Attrib type: config-url, length: 0
May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Attrib type: backup-gateway, length: 0
May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Attrib type: def-domain, length: 0
May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Have config mode data to send
May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Check for EAP exchange
May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Generate my authentication data
May 23 13:47:26.360: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
May 23 13:47:26.360: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Get my authentication method
May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):My authentication method is 'RSA'
May 23 13:47:26.360: IKEv2:(SESSION ID = 2,SA ID = 1):Sign authentication data
May 23 13:47:26.360: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
May 23 13:47:26.360: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
May 23 13:47:26.360: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
May 23 13:47:26.360: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
May 23 13:47:26.388: IKEv2:(SESSION ID = 2,SA ID = 1):Authentication material has been sucessfully signed
May 23 13:47:26.388: IKEv2:(SESSION ID = 2,SA ID = 1):Check for EAP exchange
May 23 13:47:26.388: IKEv2:(SESSION ID = 2,SA ID = 1):Generating IKE_AUTH message
May 23 13:47:26.388: IKEv2:(SESSION ID = 2,SA ID = 1):Constructing IDi payload: 'hostname=Spoke-VPN-RTR-1,cn=Spoke-VPN-RTR.1.HHG.UK,ou=HHG NETWORKS,o=HHG,c=GB' of type 'DER ASN1 DN'
May 23 13:47:26.392: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
May 23 13:47:26.392: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'RTR-CERT'
May 23 13:47:26.392: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
May 23 13:47:26.392: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don't use ESN
May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi CERT CERTREQ AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]
Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
SKF
May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]
Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
SKF
May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]
Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
SKF
May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]
Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
SKF
May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]
Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
SKF
May 23 13:47:26.392: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 84.40.91.54:4500/From 88.245.76.197:4500/VRF i0:f0]
Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
SKF
May 23 13:47:26.436: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
May 23 13:47:26.436: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 84.40.91.54:4500/To 88.245.76.197:4500/VRF i0:f0]
Initiator SPI : FC2AC060A0629921 - Responder SPI : 8C2A4159814DB4E1 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
May 23 13:47:26.436: IKEv2-ERROR:: A supplied parameter is incorrect
May 23 13:47:26.452: IKEv2:(SESSION ID = 2,SA ID = 1):Received Packet [From 84.40.91.54:4500/To 88.245.76.197:4500/VRF i0:f0]
Initiator SPI : 8398AAF337274EF5 - Responder SPI : 70956FCC814317C4 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr CERT AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
May 23 13:47:26.452: IKEv2:(SESSION ID = 2,SA ID = 1):Process auth response notify
May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Searching policy based on peer's identity 'serialNumber=+hostname=VPN-RTR of type 'DER ASN1 DN'
May 23 13:47:26.456: IKEv2-ERROR:(SESSION ID = 2,SA ID = 1):: Failed to locate an item in the database
May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Verification of peer's authentication data FAILED
May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Auth exchange failed
May 23 13:47:26.456: IKEv2-ERROR:(SESSION ID = 2,SA ID = 1):: Auth exchange failed
May 23 13:47:26.456: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to locate an item in the database
May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Abort exchange
May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Deleting SA
May 23 13:47:26.456: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
May 23 13:47:26.456: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
May 23 13:47:28.348: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
May 23 13:47:28.348: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 84.40.91.54:4500/To 88.245.76.197:4500/VRF i0:f0]
Initiator SPI : FC2AC060A0629921 - Responder SPI : 8C2A4159814DB4E1 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
May 23 13:47:28.348: IKEv2-ERROR:: A supplied parameter is incorrect
May 23 13:47:31.973: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
May 23 13:47:31.973: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 84.40.91.54:4500/To 88.245.76.197:4500/VRF i0:f0]
Initiator SPI : FC2AC060A0629921 - Responder SPI : 8C2A4159814DB4E1 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
May 23 13:47:31.973: IKEv2-ERROR:: A supplied parameter is incorrect
05-23-2022 08:35 AM
@benolyndav authentication is failing:
May 23 13:47:26.456: IKEv2-ERROR:(SESSION ID = 2,SA ID = 1):: Failed to locate an item in the database
May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Verification of peer's authentication data FAILED
May 23 13:47:26.456: IKEv2:(SESSION ID = 2,SA ID = 1):Auth exchange failed
Is the new certificate of the remote peer trusted on this router?
Can you provide more configuration information on this local router and the remote peer, please?
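As an added example (not configuration posted in this thread), the IOS-XE configuration below shows the mechanism the two replies above describe: bidirectional RSA-sig authentication with a trustpoint per issuing CA, and a certificate map that picks the IKEv2 profile from the subject of the peer's certificate. The debug in the thread shows this router received the peer's identity as 'serialNumber=+hostname=VPN-RTR' and then logged "Searching policy based on peer's identity ... Failed to locate an item in the database", which is what IKEv2 reports when no profile's match rule covers the identity the peer now presents. The profile name IKEv2_PROFILE, the trustpoint RTR-CERT, this router's subject DN, the peer address 84.40.91.54, Dialer1 and Tunnel401 are taken from the posted logs; the map name CERT_MAP-PEER, the trustpoint PEER-CA, the proposal, transform-set and profile names, the tunnel addressing and the DPD timers are assumed placeholders.

```ios
! --- This router's own certificate (trustpoint name as seen in the debug) ---
crypto pki trustpoint RTR-CERT
 enrollment terminal
 subject-name cn=Spoke-VPN-RTR.1.HHG.UK,ou=HHG NETWORKS,o=HHG,c=GB
 revocation-check crl          ! use crl/ocsp where the CA publishes it; 'none' disables revocation checking
 rsakeypair RTR-KEY            ! assumed key-pair label

! --- Only needed when the peer's NEW certificate comes from a different CA ---
! Without this CA's certificate the chain of the peer's new cert cannot be
! validated on this router.
crypto pki trustpoint PEER-CA  ! assumed name
 enrollment terminal
 revocation-check crl

! --- Certificate map: selects the IKEv2 profile from the peer's cert subject ---
! The peer now sends IDr 'serialNumber=+hostname=VPN-RTR'. A rule still written
! for the old subject does not match and IKE_AUTH fails with
! "Failed to locate an item in the database".
crypto pki certificate map CERT_MAP-PEER 10   ! assumed name
 subject-name co hostname=VPN-RTR
 issuer-name co o=HHG

crypto ikev2 proposal IKEv2-PROP              ! assumed
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEv2-POL                 ! assumed
 proposal IKEv2-PROP

crypto ikev2 profile IKEv2_PROFILE
 match certificate CERT_MAP-PEER   ! peer is matched on its certificate, not on an address
 identity local dn
 authentication remote rsa-sig     ! remote authenticates to us ...
 authentication local rsa-sig      ! ... and we authenticate to the remote (bidirectional)
 pki trustpoint RTR-CERT           ! our cert for signing; also validates a peer issued by the same CA
 pki trustpoint PEER-CA            ! add only when the peer's CA differs
 dpd 10 3 periodic                 ! assumed timers; detects a dead peer instead of waiting on stale SAs

crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac   ! assumed
 mode tunnel
crypto ipsec profile IPSEC-PROF                             ! assumed
 set transform-set TS
 set ikev2-profile IKEv2_PROFILE

! --- SVTI, as the thread states the tunnel is IPsec VTI ---
interface Tunnel401
 ip address 10.255.1.1 255.255.255.252   ! assumed
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 84.40.91.54
 tunnel protection ipsec profile IPSEC-PROF

! --- Checks to run after the peer's certificate is renewed ---
show crypto pki certificates                         ! is the peer's issuing CA present and valid here?
show crypto pki trustpoints
show running-config | section crypto pki certificate map   ! does the rule text cover the IDr from the debug?
show crypto ikev2 profile                            ! which map and trustpoints the profile uses
debug crypto ikev2 error                             ! shows the "Searching policy ... Failed to locate" step
clear crypto ikev2 sa                                ! force a fresh IKE_SA_INIT / IKE_AUTH after the change
show crypto ikev2 sa detailed
```

The peer's certificate has to satisfy two separate checks: the chain must validate against a trustpoint on this router, and the subject or issuer must be covered by a certificate map that some IKEv2 profile references. The debug shown above fails at the second check, after this router has already signed its own AUTH payload, so renewing the peer's certificate with a different subject without updating the map on this side is enough to produce exactly the flapping the original poster describes. The %CRYPTO-4-RECVD_PKT_INV_SPI messages are a symptom of the same thing: the peer keeps sending ESP on SPIs from an IKE SA this router has already deleted.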