08-14-2023 02:17 AM
Hello everybody,
we have the task of changing all VPN L2L tunnels on our Firepower 2130
running ASA (185.247.62.19, running image 9.14(3)18).
There are hundreds of VPN L2L tunnels running on this firewall and usually
this change is running well.
But at this time where the peer firewall is a Sophos XG230 (SFOS 19.5.0 GA-Build197)
we have a real problem.
The peer admin and I have tried a lot of IPSec parameter settings that
both firewalls support but the IKEv2 tunnel does not come up.
I gathered the following log and debug information:
7|Jul 31 2023|15:00:40|715064|||||IP = 87.129.137.162, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
6|Jul 31 2023|14:59:24|713219|||||IP = 87.129.137.162, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|Jul 31 2023|14:58:06|750003|||||Local:185.247.62.10:500 Remote:87.129.137.162:500 Username:87.129.137.162 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify
7|Jul 31 2023|14:58:06|713906|||||IKE Receiver: Packet received on 185.247.62.10:500 from 87.129.137.162:500
5|Jul 31 2023|14:58:06|750001|||||Local:185.247.62.10:500 Remote:87.129.137.162:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 185.247.62.225-185.247.62.225 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 129.3.38.100-129.3.38.100 Protocol: 0 Port Range: 0-65535
7|Jul 31 2023|14:58:06|713906|||||IKE Receiver: Packet received on 185.247.62.10:500 from 87.129.137.162:500
4|Jul 31 2023|14:58:06|750003|||||Local:185.247.62.10:500 Remote:87.129.137.162:500 Username:87.129.137.162 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify
7|Jul 31 2023|14:58:06|713906|||||IKE Receiver: Packet received on 185.247.62.10:500 from 87.129.137.162:500
5|Jul 31 2023|14:58:06|750001|||||Local:185.247.62.10:500 Remote:87.129.137.162:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 185.247.62.225-185.247.62.225 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 129.3.38.100-129.3.38.100 Protocol: 0 Port Range: 0-65535
7|Jul 31 2023|14:58:06|713906|||||IKE Receiver: Packet received on 185.247.62.10:500 from 87.129.137.162:500
IKEv2-PLAT-4: attempting to find tunnel group for IP: 87.129.137.162
IKEv2-PLAT-4: mapped to tunnel group 87.129.137.162 using peer IP
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-4: P1 ID = 0
IKEv2-PLAT-4: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: Received PFKEY SPI callback for SPI 0x48FBDFDB, error FALSE
IKEv2-PLAT-4:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: tp_name set to:
IKEv2-PLAT-4: tg_name set to: 87.129.137.162
IKEv2-PLAT-4: tunn grp type set to: L2L
IKEv2-PROTO-4: Couldn't find matching SA
IKEv2-PLAT-7: New ikev2 sa request admitted
IKEv2-PLAT-7: Incrementing outgoing negotiating sa count by one
…
IKEv2-PLAT-5: (16587): SENT PKT [IKE_SA_INIT] [185.247.62.10]:500->[87.129.137.162]:500 InitSPI=0x9902490a89d9593f RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-7: (16587): SM Trace-> SA: I_SPI=9902490A89D9593F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (16587): Insert SA
IKEv2-PROTO-7: (16587): SM Trace-> SA: I_SPI=9902490A89D9593F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
Can you give me hints what we still could try based on these outputs?
Every hint is very welcome!
Thanks a lot!
Bye
R.
08-14-2023 03:51 AM
- You may find this documentation informational : https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/137462/sophos-firewall-configure-ipsec-connection-between-sophos-firewall-and-cisco-asa
M.
08-14-2023 05:27 AM
Hi Marce1000,
I found the same document with Google,
but the issue persists.
Is there any other hint after checking the given log and debug outputs?
Thanks a lot!
Bye
R.
08-14-2023 05:45 AM
@swscco001 based on this error: "ERROR: Received no proposal chosen notify", I would check that the configured IKEv2 and IPSec algorithms match between you and your peer.
08-14-2023 06:00 AM
Hi Rob,
thanks for your reply!
We checked the parameters of both phases many times and
tried different variants but nothing helped. No problem at
IKEv1 but this should be replaced.
Thanks a lot!
Bye
R.
08-14-2023 06:06 AM
@swscco001 not all vendors label the crypto ciphers the same, I've seen this cause confusion in the past.
Please share a screenshot/configuration of the IKEv2/IPSec settings from both devices and provide the full output of the IKEv2 debug from your ASA.
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
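To make the comparison Rob asks for easier to start from the log side, here is a small triage script (an added example, not part of the thread and not an ASA feature) that parses the pipe-delimited ASA syslog export format shown in the first post, groups the IKEv2 events per peer, and turns a 750003 "no proposal chosen" error into a concrete checklist of what to compare. The three sample lines are copied from the post above; the field layout (severity|date|time|message ID|four empty fields|text) is assumed from those lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input taken from the thread's first post (ASA syslog export, one event per line).
SAMPLE_LOG = """\
4|Jul 31 2023|14:58:06|750003|||||Local:185.247.62.10:500 Remote:87.129.137.162:500 Username:87.129.137.162 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify
5|Jul 31 2023|14:58:06|750001|||||Local:185.247.62.10:500 Remote:87.129.137.162:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 185.247.62.225-185.247.62.225 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 129.3.38.100-129.3.38.100 Protocol: 0 Port Range: 0-65535
7|Jul 31 2023|14:58:06|713906|||||IKE Receiver: Packet received on 185.247.62.10:500 from 87.129.137.162:500
"""

PEER_RE = re.compile(r"(?:Remote:|from )(\d+\.\d+\.\d+\.\d+):\d+")
ERROR_RE = re.compile(r"ERROR: (.+)$")
TS_RE = re.compile(r"(local|remote) traffic selector = Address Range: (\S+)")

# NO_PROPOSAL_CHOSEN (RFC 7296) means the peer rejected every proposal the ASA offered.
# It can be sent for the IKE SA (IKE_SA_INIT) or for the child SA (IKE_AUTH / CREATE_CHILD_SA).
HINTS = {
    "no proposal chosen": [
        "IKEv2 policy: encryption, integrity, PRF and DH group must all appear on both sides",
        "IPsec proposal: ESP encryption/integrity and PFS group must match (PFS on/off too)",
        "vendor naming differs (e.g. AES-GCM vs AES-GCM-256 with ICV length); compare key sizes, not labels",
    ],
}

@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    text: str
    peer: Optional[str] = None
    error: Optional[str] = None
    local_ts: Optional[str] = None
    remote_ts: Optional[str] = None

def parse_line(line: str) -> Optional[AsaEvent]:
    """Parse one exported syslog line; return None for lines that are not in that format."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 9 or not parts[0].isdigit():
        return None
    ev = AsaEvent(severity=int(parts[0]), msg_id=parts[3], text=parts[8])
    m = PEER_RE.search(ev.text)
    ev.peer = m.group(1) if m else None
    if ev.msg_id == "750003" and (m := ERROR_RE.search(ev.text)):
        ev.error = m.group(1)
    elif ev.msg_id == "750001":
        for side, rng in TS_RE.findall(ev.text):
            setattr(ev, f"{side}_ts", rng)
    return ev

def triage(log: str) -> dict:
    """Per peer: requested traffic selectors, errors received, packet count, and what to compare next."""
    per_peer: dict = {}
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None or ev.peer is None:
            continue
        entry = per_peer.setdefault(ev.peer, {"errors": [], "selectors": [], "packets": 0, "hints": []})
        if ev.msg_id == "713906":
            entry["packets"] += 1
        if ev.error:
            entry["errors"].append(ev.error)
            for key, hints in HINTS.items():
                if key in ev.error.lower():
                    entry["hints"] = hints
        if ev.local_ts:
            entry["selectors"].append((ev.local_ts, ev.remote_ts))
    return per_peer
```

Run `triage(open("asa.log").read())` on the full export; a peer with errors but no selectors usually points at the IKE SA (phase 1) proposals, while selectors followed by the error point at the child SA proposal.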