VTI down/down

davidgibelli
Level 1

I have a strange issue with IPsec: the VTI is down but IPsec is up, and this happens every 4-5 days. Software v9.9 and 9.12.4(62) behave the same way. This should not happen; any ideas?

Every 30 seconds I see this in the logs at both ends.

Feb  3 05:28:47 gateway %ASA-4-750003: Local:<local IP>:500 Remote:<remote IP>:500 Username:<local IP> IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
lbcnstrcorefw01# sh int tun 1 de
Interface Tunnel1 "BWH", is down, line protocol is down
  Hardware is Virtual Tunnel    MAC address N/A, MTU 1500
        IP address 192.168.5.238, subnet mask 255.255.255.248
  Control Point Interface States:
        Interface number is 26
        Interface config status is active
        Interface state is not active
  Tunnel Interface Information:
        Source interface: outside       IP address: x.x.x.x
        Destination IP address: x.x.x.x
        Mode: ipsec ipv4        IPsec profile: AZURE-PROPOSAL
lbcnstrcorefw01# sh cry ip sa de
interface: BWH
    Crypto map tag: __vti-crypto-map-12-0-1, seq num: 65280, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: x.x.x.x


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 71007, #pkts decrypt: 71007, #pkts verify: 71007
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 1070910448
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
      #pkts invalid len (send): 0, #pkts invalid len (rcv): 0
      #pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
      #pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
      #pkts failed (send): 0, #pkts failed (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: x.x.x.x/500, remote crypto endpt.: x.x.x.x/500
      path mtu 1500, ipsec overhead 78(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 18D6F8EA
      current inbound spi : FB8073AA

    inbound esp sas:
      spi: 0xFB8073AA (4219499434)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, VTI, }
         slot: 0, conn_id: 3, crypto-map: __vti-crypto-map-12-0-1
         sa timing: remaining key lifetime (kB/sec): (4136910/22196)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x18D6F8EA (416741610)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, VTI, }
         slot: 0, conn_id: 3, crypto-map: __vti-crypto-map-12-0-1
         sa timing: remaining key lifetime (kB/sec): (4008960/22196)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
3 Replies

Ruben Cocheno
Spotlight

@davidgibelli 

I don't see any pkts encaps, only decaps. Is that expected?

 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

Also noticed pkts invalid len, as below:

  #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 1070910448

crypto ipsec df-bit [clear | set | copy] <<- try adding this command and check the count
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/zZ-Archive/DF_Bit_Override_Functionality_with_IPsec_Tunnels.html

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
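To make the two observations in this thread repeatable (the 750003 "Create child exchange failed" aborts every 30 seconds, and child SAs reported active with zero encaps but nonzero decaps while the VTI is down), here is a small triage script. It is an added example, not code from the original post or from Cisco; the log lines, IP addresses and the `show crypto ipsec sa detail` excerpt are constructed samples in the same format as the output quoted above, and the finding names are my own labels.

```python
import re
# Constructed samples (not from the thread): two 750003 aborts 30 s apart in the
# format of the syslog quoted in the original post, and an excerpt of
# "show crypto ipsec sa detail" with the same field layout as the output above.
SAMPLE_LOGS = [
    "Feb  3 05:28:47 gateway %ASA-4-750003: Local:203.0.113.1:500 Remote:198.51.100.7:500 "
    "Username:203.0.113.1 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed",
    "Feb  3 05:29:17 gateway %ASA-4-750003: Local:203.0.113.1:500 Remote:198.51.100.7:500 "
    "Username:203.0.113.1 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed",
]
SAMPLE_SA_OUTPUT = """\
interface: BWH
      current_peer: 198.51.100.7
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 71007, #pkts decrypt: 71007, #pkts verify: 71007
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 1070910448
    inbound esp sas:
         SA State: active
    outbound esp sas:
         SA State: active
"""
COUNTER_RE = re.compile(r"#(?P<name>[^:,]+?):\s*(?P<value>\d+)")
STATE_RE = re.compile(r"SA State:\s*(\w+)")
ABORT_RE = re.compile(r"%ASA-4-750003: Local:(\S+?):\d+ Remote:(\S+?):\d+ .*?ERROR: (.+)$")

def parse_sa_counters(text):
    """Map every '#name: value' counter in the SA output to an int."""
    return {m["name"].strip(): int(m["value"]) for m in COUNTER_RE.finditer(text)}

def triage(text, interface_up):
    """Flag the pattern in the thread: child SAs active, VTI down, one-way traffic."""
    c = parse_sa_counters(text)
    states = STATE_RE.findall(text)
    findings = []
    if states and all(s == "active" for s in states) and not interface_up:
        findings.append("ipsec-sa-active-but-vti-down")
    if c.get("pkts encaps", 0) == 0 and c.get("pkts decaps", 0) > 0:
        findings.append("one-way-traffic-no-encaps")  # peer sends, we never encapsulate
    if c.get("pkts invalid len (rcv)", 0) > 0:
        findings.append("invalid-len-rcv-nonzero")
    return findings

def count_ike_aborts(lines):
    """Count IKEv2 negotiation aborts per (remote peer, error reason) for alerting."""
    counts = {}
    for line in lines:
        m = ABORT_RE.search(line)
        if m:
            key = (m.group(2), m.group(3).strip())
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Feed `count_ike_aborts` the syslog stream from both ends and alert when the same peer/reason pair repeats at the 30-second cadence described above; run `triage` against the live `show` output with the VTI state from `show interface tunnel`.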

davidgibelli
Level 1

Hi Ruben

Even with errors and packet size issues the VTI should be up/up. I don't understand why it is down, it must be a bug. The reason there are no encapsulated packets is because the interface (VTI) is down. I cannot raise a TAC case.

It is down because CREATE_CHILD_SA fails, right? If yes, you probably need to collect debugs to understand why.