02-03-2024 12:44 AM - edited 02-03-2024 06:56 AM
I have a strange issue with IPsec: the VTI is down but IPsec is up, and this happens every 4-5 days. Software v9.9 and 9.12.4(62) behave the same way. This should not happen; any ideas?
Every 30 seconds I see this in the logs at both ends.
Feb 3 05:28:47 gateway %ASA-4-750003: Local:<local IP>:500 Remote:<remote IP>:500 Username:<local IP> IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
lbcnstrcorefw01# sh int tun 1 de
Interface Tunnel1 "BWH", is down, line protocol is down
  Hardware is Virtual Tunnel
    MAC address N/A, MTU 1500
    IP address 192.168.5.238, subnet mask 255.255.255.248
  Control Point Interface States:
    Interface number is 26
    Interface config status is active
    Interface state is not active
  Tunnel Interface Information:
    Source interface: outside IP address: x.x.x.x
    Destination IP address: x.x.x.x
    Mode: ipsec ipv4
    IPsec profile: AZURE-PROPOSAL

lbcnstrcorefw01# sh cry ip sa de
interface: BWH
    Crypto map tag: __vti-crypto-map-12-0-1, seq num: 65280, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 71007, #pkts decrypt: 71007, #pkts verify: 71007
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 1070910448
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
      #pkts invalid len (send): 0, #pkts invalid len (rcv): 0
      #pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
      #pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
      #pkts failed (send): 0, #pkts failed (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: x.x.x.x/500, remote crypto endpt.: x.x.x.x/500
      path mtu 1500, ipsec overhead 78(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 18D6F8EA
      current inbound spi : FB8073AA

    inbound esp sas:
      spi: 0xFB8073AA (4219499434)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, VTI, }
         slot: 0, conn_id: 3, crypto-map: __vti-crypto-map-12-0-1
         sa timing: remaining key lifetime (kB/sec): (4136910/22196)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x18D6F8EA (416741610)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, VTI, }
         slot: 0, conn_id: 3, crypto-map: __vti-crypto-map-12-0-1
         sa timing: remaining key lifetime (kB/sec): (4008960/22196)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
02-03-2024 10:24 AM
I don't see any pkts encaps, only decaps. Is that expected?
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
Also noticed Pkts invalid len as per below
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 1070910448
crypto ipsec df-bit [clear | set | copy] <<- try adding this command and check the count
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/zZ-Archive/DF_Bit_Override_Functionality_with_IPsec_Tunnels.html
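As an added example (not part of this thread or of any Cisco tooling), here is a small Python triage script that parses the %ASA-4-750003 syslog lines and the "show crypto ipsec sa" counters quoted above and flags the three things the replies focus on: encaps stuck at zero while decaps keeps growing, a nonzero "invalid len (rcv)" counter, and repeated CREATE_CHILD_SA failures per remote peer. The sample syslog and counter excerpts are constructed, and the peer addresses are documentation placeholders rather than the poster's.

```python
import re
from collections import Counter

# Constructed sample of the %ASA-4-750003 lines the thread reports every 30 s.
# Peer addresses are RFC 5737 documentation placeholders, not the poster's.
SAMPLE_SYSLOG = """\
Feb 3 05:28:47 gateway %ASA-4-750003: Local:203.0.113.10:500 Remote:198.51.100.20:500 Username:203.0.113.10 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
Feb 3 05:29:17 gateway %ASA-4-750003: Local:203.0.113.10:500 Remote:198.51.100.20:500 Username:203.0.113.10 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
Feb 3 05:29:47 gateway %ASA-4-750003: Local:203.0.113.10:500 Remote:198.51.100.20:500 Username:203.0.113.10 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
"""

# Constructed excerpt of the 'show crypto ipsec sa' counters quoted in the thread.
SAMPLE_SA = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 71007, #pkts decrypt: 71007, #pkts verify: 71007
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 1070910448
"""

COUNTER_RE = re.compile(r"#pkts ([^:,]+): (\d+)")
CHILD_SA_RE = re.compile(
    r"%ASA-4-750003:.*?Remote:([\d.]+):\d+.*Create child exchange failed")

def parse_sa_counters(text):
    """Map each '#pkts <name>: <n>' counter to an int, e.g. 'invalid len (rcv)'."""
    return {name.strip(): int(val) for name, val in COUNTER_RE.findall(text)}

def child_sa_failures(syslog):
    """Count CREATE_CHILD_SA failures (message 750003) per remote peer address."""
    return Counter(m.group(1) for line in syslog.splitlines()
                   if (m := CHILD_SA_RE.search(line)))

def assess_tunnel(counters, failures, min_failures=3):
    """Return findings that point at the VTI being down rather than at crypto."""
    findings = []
    if counters.get("decaps", 0) > 0 and counters.get("encaps", 0) == 0:
        findings.append("one-way SA: peer traffic is decapsulated but nothing is "
                        "encapsulated, consistent with the VTI being down")
    if counters.get("invalid len (rcv)", 0) > 0:
        findings.append(f"{counters['invalid len (rcv)']} packets rejected for "
                        "invalid length; check MTU/DF handling as suggested")
    for peer, n in failures.items():
        if n >= min_failures:
            findings.append(f"{n} repeated CREATE_CHILD_SA failures from {peer}; "
                            "collect IKEv2 debugs for the child SA exchange")
    return findings

if __name__ == "__main__":
    print(assess_tunnel(parse_sa_counters(SAMPLE_SA), child_sa_failures(SAMPLE_SYSLOG)))
```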
02-04-2024 11:00 PM
Hi Ruben
Even with errors and packet size issues the VTI should be up/up. I don't understand why it is down, it must be a bug. The reason there are no encapsulated packets is because the interface (VTI) is down. I cannot raise a TAC case.
02-05-2024 06:49 AM
It is down because CREATE_CHILD_SA fails, right? If yes, you probably need to collect debugs to understand why.