ASR 1001-x: Problems establishing IPSec VPN tunnel (with VTI and VRF)

Hi,

I am trying to establish a VPN connection between an ASR 1001-x and a partner's Watchguard firewall.

First, our environment (ASR 1001-x):

- "public" facing interface with vlan (behind another firewall, ports opened for IPSec): just a vlan with ip address and default route, no vrf

- private interface with vlan in separate vrf with ip address configured

- using IPSec static VTI with configuration (copied relevant information):

ip vrf v2

crypto ikev2 proposal v2-proposal
 encryption 3des
 integrity sha1
 group 14

crypto ikev2 policy 401
 proposal v2-proposal

crypto ikev2 keyring v2-keyring
 peer v2
  address "peers public ip"
  pre-shared-key xxx

crypto ikev2 profile ikev2-profile
 match identity remote address "peers public ip" 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local v2-keyring

crypto ipsec transform-set v2-set esp-3des esp-sha-hmac
 mode tunnel

crypto ipsec profile v2-ipsec-profile
 set security-association lifetime seconds 28800
 set transform-set v2-set
 set ikev2-profile ikev2-profile

interface Tunnel2
 ip vrf forwarding v2
 ip unnumbered "private vlan interface"
 tunnel source "public vlan interface"
 tunnel mode ipsec ipv4
 tunnel destination "peers public ip"
 tunnel protection ipsec profile v2-ipsec-profile

ip route vrf v2 "peers private network with subnetmask" tunnel2

Here is the debug log output (debug crypto ipsec and debug crypto ikev2):

Oct 19 14:33:26.289: IPSEC: still in use sa: 0x7F725EA79FB0
Oct 19 14:33:26.290: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:27.319: IKEv2:(SESSION ID = 2412964,SA ID = 1):Retransmitting packet

Oct 19 14:33:27.319: IKEv2:(SESSION ID = 2412964,SA ID = 1):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : 51C6E4441A4299E3 - Responder SPI : 1417C372C05C0B2C Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:33:27.445: %LINK-3-UPDOWN: Interface Tunnel401, changed state to up
Oct 19 14:33:29.448: IPSEC:(SESSION ID = 2333125) (RESP_ONLY mode) connection initiation rejected

Oct 19 14:33:29.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:30.280: IPSEC: still in use sa: 0x7F725EA7A868
Oct 19 14:33:30.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:31.111: IKEv2:(SESSION ID = 2412964,SA ID = 1):Retransmitting packet

Oct 19 14:33:31.111: IKEv2:(SESSION ID = 2412964,SA ID = 1):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : 51C6E4441A4299E3 - Responder SPI : 1417C372C05C0B2C Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:33:33.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:34.280: IPSEC: still in use sa: 0x7F725F24A1D0
Oct 19 14:33:34.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:37.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:38.279: IPSEC: still in use sa: 0x7F725EA7A960
Oct 19 14:33:38.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:38.990: IKEv2:(SESSION ID = 2412964,SA ID = 1):Retransmitting packet

Oct 19 14:33:38.990: IKEv2:(SESSION ID = 2412964,SA ID = 1):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : 51C6E4441A4299E3 - Responder SPI : 1417C372C05C0B2C Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:33:39.176: IPSEC:(SESSION ID = 2415894) (RESP_ONLY mode) connection initiation rejected

Oct 19 14:33:41.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:42.279: IPSEC: still in use sa: 0x7F725EA79EB8
Oct 19 14:33:42.279: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:45.604: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:46.280: IPSEC: still in use sa: 0x7F725F9DBEB8
Oct 19 14:33:46.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:49.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:50.279: IPSEC: still in use sa: 0x7F725EA7A868
Oct 19 14:33:50.279: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:53.417: IKEv2:(SESSION ID = 2412964,SA ID = 1):Retransmitting packet

Oct 19 14:33:53.417: IKEv2:(SESSION ID = 2412964,SA ID = 1):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : 51C6E4441A4299E3 - Responder SPI : 1417C372C05C0B2C Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:33:53.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:54.280: IPSEC: still in use sa: 0x7F725F9DBFB0
Oct 19 14:33:54.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:55.446: IPSEC:(SESSION ID = 2412964) (key_engine) request timer fired: count = 1,
  (identity) local= 172.16.20.49:0, remote= xxx:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
Oct 19 14:33:55.447: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.20.49:500, remote= xxx:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 28800s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 19 14:33:55.447: KMI: (Session ID: 2412964) IPSEC key engine sending message KEY_ENG_REQUEST_SAS to Crypto IKEv2.
Oct 19 14:33:55.447: KMI: (Session ID: 2412964) Crypto IKEv2 received message KEY_ENG_REQUEST_SAS from IPSEC key engine.
Oct 19 14:33:55.447: IKEv2:(SESSION ID = 2412964,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Oct 19 14:33:55.447: IKEv2:(SESSION ID = 2412964,SA ID = 2):Request queued for computation of DH key
Oct 19 14:33:55.450: IKEv2:(SESSION ID = 2412964,SA ID = 2):Generating IKE_SA_INIT message
Oct 19 14:33:55.450: IKEv2:(SESSION ID = 2412964,SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   3DES   SHA1   SHA96   DH_GROUP_2048_MODP/Group 14

Oct 19 14:33:55.450: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:500/From 172.16.20.49:500/VRF i0:f0]
Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Oct 19 14:33:55.450: IKEv2:(SESSION ID = 2412964,SA ID = 2):Insert SA

Oct 19 14:33:55.506: IKEv2:(SESSION ID = 2412964,SA ID = 2):Received Packet [From xxx:500/To 172.16.20.49:500/VRF i0:f0]
Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

Oct 19 14:33:55.506: IKEv2:(SESSION ID = 2412964,SA ID = 2):Processing IKE_SA_INIT message
Oct 19 14:33:55.506: IKEv2:(SESSION ID = 2412964,SA ID = 2):Verify SA init message
Oct 19 14:33:55.506: IKEv2:(SESSION ID = 2412964,SA ID = 2):Processing IKE_SA_INIT message
Oct 19 14:33:55.507: IKEv2:(SESSION ID = 2412964,SA ID = 2):Checking NAT discovery
Oct 19 14:33:55.507: IKEv2:(SESSION ID = 2412964,SA ID = 2):NAT INSIDE found
Oct 19 14:33:55.507: IKEv2:(SESSION ID = 2412964,SA ID = 2):NAT detected float to init port 4500, resp port 4500
Oct 19 14:33:55.508: IKEv2:(SESSION ID = 2412964,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Oct 19 14:33:55.508: IKEv2:(SESSION ID = 2412964,SA ID = 2):Request queued for computation of DH secret
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Completed SA init exchange
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Config-type: Config-request
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv4-dns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv4-dns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv4-nbns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv4-nbns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv4-subnet, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv6-dns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv6-subnet, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: app-version, length: 250, data: Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.6(1)S3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Mon 21-Nov-16 17:55 by mcpre
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: split-dns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: banner, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: config-url, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: backup-gateway, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: def-domain, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Have config mode data to send
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Check for EAP exchange
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Generate my authentication data
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Use preshared key for id 172.16.20.49, key len 32
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Get my authentication method
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):My authentication method is 'PSK'
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Check for EAP exchange
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Generating IKE_AUTH message
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Constructing IDi payload: '172.16.20.49' of type 'IPv4 address'
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   3DES   SHA96   Don't use ESN
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Building packet for encryption.
Payload contents:
 VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:33:57.400: IKEv2:(SESSION ID = 2412964,SA ID = 2):Retransmitting packet

Oct 19 14:33:57.400: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:33:57.604: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:58.280: IPSEC: still in use sa: 0x7F725EA7A960
Oct 19 14:33:58.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:01.278: IKEv2:(SESSION ID = 2412964,SA ID = 2):Retransmitting packet

Oct 19 14:34:01.278: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:34:01.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:02.280: IPSEC: still in use sa: 0x7F725EBF97A8
Oct 19 14:34:02.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:05.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:06.280: IPSEC: still in use sa: 0x7F725F9DBEB8
Oct 19 14:34:06.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:08.772: IKEv2:(SESSION ID = 2412964,SA ID = 2):Retransmitting packet

Oct 19 14:34:08.773: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:34:09.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:10.280: IPSEC: still in use sa: 0x7F725EEE3908
Oct 19 14:34:10.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:13.604: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:14.280: IPSEC: still in use sa: 0x7F725EBF96B0
Oct 19 14:34:14.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:17.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:18.279: IPSEC: still in use sa: 0x7F725F9DBFB0
Oct 19 14:34:18.279: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:19.261: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 149.221.199.15' to manually clear IPSec SA's covered by this IKE SA.
Oct 19 14:34:21.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:22.280: IPSEC: still in use sa: 0x7F725EBF97A8
Oct 19 14:34:22.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:24.501: IKEv2:(SESSION ID = 2412964,SA ID = 2):Retransmitting packet

Oct 19 14:34:24.501: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:34:25.329: IKEv2:(SESSION ID = 2412964,SA ID = 1):Retransmitting packet

Oct 19 14:34:25.329: IKEv2:(SESSION ID = 2412964,SA ID = 1):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : 51C6E4441A4299E3 - Responder SPI : 1417C372C05C0B2C Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:34:25.448: IPSEC:(SESSION ID = 2412964) (key_engine) request timer fired: count = 2,
  (identity) local= 172.16.20.49:0, remote= xxx:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
Oct 19 14:34:25.448: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.20.49:500, remote= xxx:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 28800s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 19 14:34:25.448: KMI: (Session ID: 2412964) IPSEC key engine sending message KEY_ENG_REQUEST_SAS to Crypto IKEv2.
Oct 19 14:34:25.448: KMI: (Session ID: 2412964) Crypto IKEv2 received message KEY_ENG_REQUEST_SAS from IPSEC key engine.
Oct 19 14:34:25.448: IKEv2:(SESSION ID = 2412964,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Oct 19 14:34:25.449: IKEv2:(SESSION ID = 2412964,SA ID = 3):Request queued for computation of DH key
Oct 19 14:34:25.451: IKEv2:(SESSION ID = 2412964,SA ID = 3):Generating IKE_SA_INIT message
Oct 19 14:34:25.451: IKEv2:(SESSION ID = 2412964,SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   3DES   SHA1   SHA96   DH_GROUP_2048_MODP/Group 14

Oct 19 14:34:25.451: IKEv2:(SESSION ID = 2412964,SA ID = 3):Sending Packet [To xxx:500/From 172.16.20.49:500/VRF i0:f0]
Initiator SPI : 76DE30EC45285D69 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Oct 19 14:34:25.451: IKEv2:(SESSION ID = 2412964,SA ID = 3):Insert SA

Oct 19 14:34:25.507: IKEv2:(SESSION ID = 2412964,SA ID = 3):Received Packet [From xxx:500/To 172.16.20.49:500/VRF i0:f0]
Initiator SPI : 76DE30EC45285D69 - Responder SPI : 8357AA04D9BB0E11 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

Oct 19 14:34:25.507: IKEv2:(SESSION ID = 2412964,SA ID = 3):Processing IKE_SA_INIT message
Oct 19 14:34:25.507: IKEv2:(SESSION ID = 2412964,SA ID = 3):Verify SA init message
Oct 19 14:34:25.507: IKEv2:(SESSION ID = 2412964,SA ID = 3):Processing IKE_SA_INIT message
Oct 19 14:34:25.509: IKEv2:(SESSION ID = 2412964,SA ID = 3):Checking NAT discovery
Oct 19 14:34:25.509: IKEv2:(SESSION ID = 2412964,SA ID = 3):NAT INSIDE found
Oct 19 14:34:25.509: IKEv2:(SESSION ID = 2412964,SA ID = 3):NAT detected float to init port 4500, resp port 4500
Oct 19 14:34:25.509: IKEv2:(SESSION ID = 2412964,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Oct 19 14:34:25.509: IKEv2:(SESSION ID = 2412964,SA ID = 3):Request queued for computation of DH secret
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Completed SA init exchange
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Config-type: Config-request
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv4-dns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv4-dns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv4-nbns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv4-nbns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv4-subnet, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv6-dns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv6-subnet, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: app-version, length: 250, data: Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.6(1)S3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Mon 21-Nov-16 17:55 by mcpre
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: split-dns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: banner, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: config-url, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: backup-gateway, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: def-domain, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Have config mode data to send
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Check for EAP exchange
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Generate my authentication data
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Use preshared key for id 172.16.20.49, key len 32
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Get my authentication method
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):My authentication method is 'PSK'
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Check for EAP exchange
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Generating IKE_AUTH message
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Constructing IDi payload: '172.16.20.49' of type 'IPv4 address'
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   3DES   SHA96   Don't use ESN
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Building packet for encryption.
Payload contents:
 VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : 76DE30EC45285D69 - Responder SPI : 8357AA04D9BB0E11 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:34:25.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:26.280: IPSEC: still in use sa: 0x7F725F9DBEB8
Oct 19 14:34:26.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:27.471: IKEv2:(SESSION ID = 2412964,SA ID = 3):Retransmitting packet

Oct 19 14:34:27.471: IKEv2:(SESSION ID = 2412964,SA ID = 3):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : 76DE30EC45285D69 - Responder SPI : 8357AA04D9BB0E11 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:34:29.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:29.871: IPSEC:(SESSION ID = 2333125) (RESP_ONLY mode) connection initiation rejected

Oct 19 14:34:30.280: IPSEC: still in use sa: 0x7F725EA7A868
Oct 19 14:34:30.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:31.114: IKEv2:(SESSION ID = 2412964,SA ID = 3):Retransmitting packet

Oct 19 14:34:31.114: IKEv2:(SESSION ID = 2412964,SA ID = 3):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : 76DE30EC45285D69 - Responder SPI : 8357AA04D9BB0E11 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:34:31.496: 
Oct 19 14:34:33.604: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:34.279: IPSEC: still in use sa: 0x7F725EBF96B0
Oct 19 14:34:34.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:37.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:38.280: IPSEC: still in use sa: 0x7F725F9DBFB0
Oct 19 14:34:38.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:38.567: IKEv2:(SESSION ID = 2412964,SA ID = 3):Retransmitting packet

Oct 19 14:34:38.567: IKEv2:(SESSION ID = 2412964,SA ID = 3):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
Initiator SPI : 76DE30EC45285D69 - Responder SPI : 8357AA04D9BB0E11 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR

Oct 19 14:34:39.601: IPSEC:(SESSION ID = 2415902) (RESP_ONLY mode) connection initiation rejected

 

What could be the problem? Thanks in advance.

 

Regards,
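
An added example for triaging the debug output above (not part of the original post and not Cisco tooling): it counts IKE_SA_INIT responses and IKE_AUTH requests and responses per SA ID, so an SA whose IKE_SA_INIT is answered on UDP 500 but whose IKE_AUTH on UDP 4500 is only ever retransmitted stands out. The function names and the SAMPLE excerpt (abridged from the log in the post, peer shown as xxx as there) are assumptions of this example.

```python
import re
from collections import defaultdict

# Header line of a packet event; the exchange type follows on a later line.
PKT = re.compile(r"IKEv2:\(SESSION ID = \d+,SA ID = (\d+)\):(Sending|Received) Packet "
                 r"\[(?:To|From) \S+?:(\d+)/")
EXCH = re.compile(r"^IKEv2 (IKE_SA_INIT|IKE_AUTH) Exchange (REQUEST|RESPONSE)")
NAT = re.compile(r"SA ID = (\d+)\):NAT detected float")


def summarize_ike(log_text):
    """Count IKEv2 requests/responses per SA ID from 'debug crypto ikev2' text."""
    sas = defaultdict(lambda: {"init_resp": 0, "nat_float": False,
                               "auth_req": 0, "auth_resp": 0, "auth_port": None})
    pending = None  # (sa_id, direction, peer_port) awaiting its Exchange line
    for line in log_text.splitlines():
        line = line.strip()
        if m := PKT.search(line):
            pending = (int(m[1]), m[2], int(m[3]))
        elif (m := EXCH.match(line)) and pending:
            sa_id, direction, port = pending
            pending = None
            entry = sas[sa_id]
            if m[1] == "IKE_SA_INIT" and direction == "Received" and m[2] == "RESPONSE":
                entry["init_resp"] += 1
            elif m[1] == "IKE_AUTH" and direction == "Sending" and m[2] == "REQUEST":
                entry["auth_req"] += 1      # includes retransmissions
                entry["auth_port"] = port
            elif m[1] == "IKE_AUTH" and direction == "Received" and m[2] == "RESPONSE":
                entry["auth_resp"] += 1
        elif m := NAT.search(line):
            sas[int(m[1])]["nat_float"] = True
    return dict(sas)


def stalled_at_auth(summary):
    """SA IDs whose IKE_SA_INIT was answered but whose IKE_AUTH never was."""
    return sorted(sa for sa, e in summary.items()
                  if e["init_resp"] and e["auth_req"] and not e["auth_resp"])


# Constructed sample: lines abridged from the debug output in the post.
SAMPLE = """\
Oct 19 14:33:55.450: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:500/From 172.16.20.49:500/VRF i0:f0]
Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Oct 19 14:33:55.506: IKEv2:(SESSION ID = 2412964,SA ID = 2):Received Packet [From xxx:500/To 172.16.20.49:500/VRF i0:f0]
IKEv2 IKE_SA_INIT Exchange RESPONSE
Oct 19 14:33:55.507: IKEv2:(SESSION ID = 2412964,SA ID = 2):NAT detected float to init port 4500, resp port 4500
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
IKEv2 IKE_AUTH Exchange REQUEST
Oct 19 14:33:57.400: IKEv2:(SESSION ID = 2412964,SA ID = 2):Retransmitting packet
Oct 19 14:33:57.400: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0]
IKEv2 IKE_AUTH Exchange REQUEST
"""

if __name__ == "__main__":
    summary = summarize_ike(SAMPLE)
    for sa_id in stalled_at_auth(summary):
        print(f"SA {sa_id}: IKE_AUTH unanswered on UDP {summary[sa_id]['auth_port']}",
              summary[sa_id])
```

An SA reported here narrows the checks to the UDP 4500 path and to what the peer does with the IKE_AUTH request, which the responder's own log shows.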

 

 
