Solved: IKEv2 Issue, can\t bring tunnel between Cisco Router and Palo Alto

Kamran Mustafayev · ‎05-10-2024

Hi,

I'm getting strange issues when I cannot bring up the tunnel between Cisco Router and Palo Alto FW,

On Cisco router side I'm getting this on debug IKEv2:

==================================================================

*May 10 06:34:55.253: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 3,
(identity) local= 192.168.1.1:0, remote= 192.168.1.2:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
*May 10 06:34:55.255: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1:500, remote= 192.168.1.2:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*May 10 06:34:55.261: IKEv2:% Getting preshared key from profile keyring PRIMARY
*May 10 06:34:55.261: IKEv2:% Matched peer block 'palo'
*May 10 06:34:55.262: IKEv2:Searching Policy with fvrf 0, local address 192.168.1.1
*May 10 06:34:55.263: IKEv2:Found Policy 'PRIMARY'
*May 10 06:34:55.270: IKEv2:SA is already in negotiation, hence not negotiating again
*May 10 06:35:25.254: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 4,
(identity) local= 192.168.1.1:0, remote= 192.168.1.2:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
*May 10 06:35:25.255: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1:500, remote= 192.168.1.2:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 28800s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*May 10 06:35:25.260: IKEv2:% Getting preshared key from profile keyring PRIMARY
*May 10 06:35:25.261: IKEv2:% Matched peer block 'palo'
*May 10 06:35:25.261: IKEv2:Searching Policy with fvrf 0, local address 192.168.1.1
*May 10 06:35:25.262: IKEv2:Found Policy 'PRIMARY'
*May 10 06:35:25.268: IKEv2:SA is already in negotiation, hence not negotiating again
*May 10 06:35:34.021: IKEv2-ERROR:Couldn't find matching SA: Negotiating limit reached, deny SA request

*May 10 06:35:34.022: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 192.168.1.2:500/To 192.168.1.1:500/VRF i0:f0]
Initiator SPI : 981433F14FD6564B - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*May 10 06:35:34.023: IKEv2-ERROR:: A supplied parameter is incorrect

=============================================================================

Cisco WAN IP: 192.168.1.1 Cisco Tunnel IP: 10.1.227.1

Palo Alto WAN side: 192.168.1.2 Cisco Tunnel IP: 10.1.227.2

On Palo side its default policy, no restrictions in terms of policies

Basically here is my configuration for Cisco Side (I'm also attatching screenshots of Palo Alto configuration below in attached messages)

==========================================================================

crypo ikev2 proposal PRIMARY
encryption 3des
integrity sha1
group 5
crypto ikev2 policy PRIMARY
proposal PRIMARY
crypto ikev2 keyring PRIMARY
peer palo
address 192.168.1.2 255.255.255.0
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
crypto ikev2 profile PRIMARY
match address local 192.168.1.1
match identity remote address 192.168.1.2 255.255.255.0
authentication local pre-share
authentication remote pre-share
keyring local PRIMARY
lifetime 28800
crypto ipsec transform-set PRIMARY esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile PRIMARY
set security-association lifetime seconds 28800
set transform-set PRIMARY
set ikev2-profile PRIMARY

interface Vlan1000
ip address 192.168.1.1 255.255.255.0
end

fusion_1#show run int tu1000
Building configuration...

Current configuration : 191 bytes
!
interface Tunnel1000
ip address 10.1.227.1 255.255.255.252
tunnel source 192.168.1.1
tunnel mode ipsec ipv4
tunnel destination 192.168.1.2
tunnel protection ipsec profile PRIMARY
end

ip route 0.0.0.0 0.0.0.0 192.168.1.2

=======================================================================

What I'm doing wrong here? Thanks in advance

MHM Cisco World · ‎05-17-2024

Great

Run bgp use VTI IP as neighbor and it will sure work.

MHM

View solution in original post

Kamran Mustafayev · ‎05-10-2024

Attached Palo Alto side config's

MHM Cisco World · ‎05-12-2024

Show crypto ikev2 sa

Show crypto session

Show crypto call admission

Share all of above

MHM

Kamran Mustafayev · ‎05-12-2024

test_sw#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Sta
1 172.16.1.1/500 172.16.1.2/500 none/none IN-
Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Un0
Life/Active Time: 0/0 sec

IPv6 Crypto IKEv2 SA

=====================================================================

test_sw#Show crypto session
Crypto session current status

Interface: Tunnel1
Profile: TEST
Session status: DOWN-NEGOTIATING
Peer: 172.16.1.2 port 500
Session ID: 1
IKEv2 SA: local 172.16.1.1/500 remote 172.16.1.2/500 Inactive
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map

=========================================================

test_sw#Show crypto call admission statistics
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 1000
Total IKE SA Count: 0 active: 0 negotiating: 0
Incoming IKE Requests: 0 accepted: 0 rejected: 0
Outgoing IKE Requests: 0 accepted: 0 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0

Max IPSEC SAs: 0
Total IPSEC SA Count: 0 active: 0 negotiating: 0
Incoming IPSEC Requests: 0 accepted: 0 rejected: 0
Outgoing IPSEC Requests: 0 accepted: 0 rejected: 0

Phase1.5 SAs under negotiation: 0

test_sw#

MHM Cisco World · ‎05-13-2024

https://community.cisco.com/t5/vpn/crypto-ikev2-stuck-in-neg-state-maximum-number-of/td-p/4697594

Check this' I think it is bug

MHM

Kamran Mustafayev · ‎05-13-2024

Getting also this logs:

*May 13 10:35:33.216: IKEv2-ERROR:Couldn't find matching SA: Negotiating limit reached, deny SA request

*May 13 10:35:33.216: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : 1F10AEE226A43450 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*May 13 10:35:33.218: IKEv2-ERROR:: A supplied parameter is incorrect
*May 13 10:35:35.044: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 10:35:35.044: IKEv2:% Matched peer block 'palo'
*May 13 10:35:35.045: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 10:35:35.045: IKEv2:Found Policy 'TEST'
*May 13 10:35:35.050: IKEv2:SA is already in negotiation, hence not negotiating again

Will check your link

Kamran Mustafayev · ‎05-13-2024

Just checked "sh monitor event-trace crypto ikev2 error all"

Seeing this:

*May 13 11:26:03.763: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:03.765: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:03.767: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:03.769: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:36.909: SA ID:0 SESSION ID:0 Remote: UNKNOWN/832 IVRF/FVRF:
32768/84 INVALID SESSION found.
: Error encountered while
navigating State Machine
*May 13 11:26:41.649: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:41.650: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:41.651: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:41.657: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:41.660: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:41.661: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:41.662: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:41.666: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:41.668: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:41.670: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

*May 13 11:26:41.672: SA ID:0 SESSION ID:0 Address length 90833728 is larger
than ADDRLEN_IP

MHM Cisco World · ‎05-13-2024

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvx74212

Did you check this bug

We need to solve max SA first.

The max SA as you share is zero' this is bug

MHM

tvotna · ‎05-13-2024

It seems you at least need to either enable PFS on both sides or disable it on both sides. Currently PFS is disabled on Cisco ("set pfs ..." is absent in the IPsec profile) and enabled on Palo Alto (IPSec Crypto Profile is configured with group5). To disable PFS on PA it should be configured as "no-pfs", so far as I remember.

Monitor event-trace diagnostics is really confusing, so there might be also something else which prevents successful negotiation.

Kamran Mustafayev · ‎05-13-2024

I actually have it, just forgot to add in here, still the same problem

MHM Cisco World · ‎05-13-2024

Do

crypto call admission limit ike in-negotiation-sa <limit>

Then share debug again let see what else error appear

MHM

Kamran Mustafayev · ‎05-13-2024

crypto call admission limit ike in-negotiation-sa 500
test_sw#

command has been added, debug:

*May 13 18:52:22.485: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 18:52:22.485: IKEv2:% Matched peer block 'palo'
*May 13 18:52:22.486: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 18:52:22.486: IKEv2:Found Policy 'TEST'
*May 13 18:52:22.491: IKEv2:SA is already in negotiation, hence not negotiating again

*May 13 18:52:33.625: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : F05D3FFF66CC3670 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N

*May 13 18:52:33.629: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 13 18:52:52.485: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 18:52:52.486: IKEv2:% Matched peer block 'palo'
*May 13 18:52:52.486: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 18:52:52.487: IKEv2:Found Policy 'TEST'
*May 13 18:52:52.492: IKEv2:SA is already in negotiation, hence not negotiating again
*May 13 18:53:22.485: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 18:53:22.486: IKEv2:% Matched peer block 'palo'
*May 13 18:53:22.487: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 18:53:22.487: IKEv2:Found Policy 'TEST'
*May 13 18:53:22.493: IKEv2:SA is already in negotiation, hence not negotiating again

*May 13 18:53:33.074: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : F05D3FFF66CC3670 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N

*May 13 18:53:33.077: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 13 18:53:52.486: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 18:53:52.487: IKEv2:% Matched peer block 'palo'
*May 13 18:53:52.487: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 18:53:52.488: IKEv2:Found Policy 'TEST'
*May 13 18:53:52.496: IKEv2:SA is already in negotiation, hence not negotiating again
*May 13 18:54:22.485: IKEv2:% Getting preshared key from profile keyring TEST
*May 13 18:54:22.485: IKEv2:% Matched peer block 'palo'
*May 13 18:54:22.486: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 13 18:54:22.488: IKEv2:Found Policy 'TEST'
*May 13 18:54:22.496: IKEv2:SA is already in negotiation, hence not negotiating again

*May 13 18:54:32.571: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : F05D3FFF66CC3670 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N

tvotna · ‎05-13-2024

Above command and the bug mentioned are for IKEv1. You use IKEv2. IKEv2 Call Admission Control is configured with:

crypto ikev2 limit {max-in-negotation-sa <limit> | max-sa <limit>}

and verified with

show crypto ikev2 stats

if I remember correctly. Did this tunnel ever work? Did you try "clear crypto session" or reloading the router? There is a bug CSCvd69373, but I personally don't believe it matches. It requires fragmentation of IKEv2 packets, which should not happen in case of PSK. On the other hand, this looks very much like a stuck session entry.

Kamran Mustafayev · ‎05-14-2024

Added

crypto ikev2 limit max-in-negotation-sa 500
crypto ikev2 limit max-sa 500

Reloaded, cleared crypto getting the debugs below, tunnel is down still:

*May 14 07:08:52.335: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 14 07:09:14.352: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 07:09:14.352: IKEv2:% Matched peer block 'palo'
*May 14 07:09:14.353: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 07:09:14.354: IKEv2:Found Policy 'TEST'
*May 14 07:09:14.360: IKEv2:SA is already in negotiation, hence not negotiating again

*May 14 07:09:31.940: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : B64253718680F2EA - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N

*May 14 07:09:31.944: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine
*May 14 07:09:44.351: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 07:09:44.351: IKEv2:% Matched peer block 'palo'
*May 14 07:09:44.352: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 07:09:44.352: IKEv2:Found Policy 'TEST'
*May 14 07:09:44.359: IKEv2:SA is already in negotiation, hence not negotiating again
*May 14 07:10:14.352: IKEv2:% Getting preshared key from profile keyring TEST
*May 14 07:10:14.353: IKEv2:% Matched peer block 'palo'
*May 14 07:10:14.354: IKEv2:Searching Policy with fvrf 0, local address 172.16.1.1
*May 14 07:10:14.355: IKEv2:Found Policy 'TEST'
*May 14 07:10:14.364: IKEv2:SA is already in negotiation, hence not negotiating again

*May 14 07:10:31.283: IKEv2:Received Packet [From 172.16.1.2:500/To 172.16.1.1:500/VRF i0:f0]
Initiator SPI : B64253718680F2EA - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N

*May 14 07:10:31.290: IKEv2-ERROR:INVALID SESSION found.
: Error encountered while navigating State Machine

Kamran Mustafayev · ‎05-14-2024

Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 500 Max in nego(in/out): 500/400
Total incoming IKEv2 SA Count: 21 active: 0 negotiating: 21
Total outgoing IKEv2 SA Count: 1 active: 0 negotiating: 1
Incoming IKEv2 Requests: 21 accepted: 21 rejected: 0
Outgoing IKEv2 Requests: 1 accepted: 1 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0