Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
572
Views
4
Helpful
16
Replies

ikev2 VPN tunnel trouble shooting help

Go to solution
Makoon
Level 1
Level 1

‎04-25-2024 11:29 PM

Howdy Cisco Community!

Need your help as fairly new trouble shooting site to site VPN connectivity.

I am unable to establish VPN connectivity per information below.

Site:1
crypto ipsec ikev2 ipsec-proposal CSM_IP_1
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map CSM_Outside_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_Outside_map 1 set peer 2xxxxx
crypto map CSM_Outside_map 1 set ikev2 ipsec-proposal CSM_IP_1
crypto map CSM_Outside_map 1 set security-association lifetime seconds 3600
crypto map CSM_Outside_map interface Outside
crypto ca trustpool policy

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 21 19 14
prf sha256
lifetime seconds 28800
crypto ikev2 enable Outside

tunnel-group 2xxxxx type ipsec-l2l
tunnel-group 2xxxxx general-attributes
default-group-policy .DefaultS2SGroupPolicy
tunnel-group 2xxxx ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Site:2
crypto ikev2 policy policy2
match address local 2xxxxxxxxx
proposal Lxxxxxxxxxxx

crypto ikev2 keyring Lxxxxxxxxxxx
peer Lxxxxxxxxxxx
description To Lxxxxxxxxxx
address 2xxxxxxxxxxxx
pre-shared-key address xxxxxxxx key ********************@

crypto ikev2 proposal Lxxxxxx
encryption aes-cbc-256
integrity sha256
group 21 19 14

crypto ikev2 profile profile-v2
match address local 2xxxxxxxxxx
match identity remote address 2xxxxxxx 255.255.255.255
authentication remote pre-share key ********************
authentication local pre-share key ********************
lifetime 28800

Debug Information:
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (52): Setting configured policies
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (52): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 21
IKEv2-PROTO-4: (52): Request queued for computation of DH key
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (52): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (52): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 6
(52): AES-CBC(52): SHA256(52): SHA256(52): DH_GROUP_521_ECP/Group 21(52): DH_GROUP_256_ECP/Group 19(52): DH_GROUP_2048_MODP/Group 14(52):
IKEv2-PROTO-4: (52): Sending Packet [To xxxxxxxxxxx:500/From xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 0000000000000000 Message id: 0
(52): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (52): Next payload: SA, version: 2.0 (52): Exchange type: IKE_SA_INIT, flags: INITIATOR (52): Message id: 0, length: 466(52):
Payload contents:
(52): SA(52): Next payload: KE, reserved: 0x0, length: 64
(52): last proposal: 0x0, reserved: 0x0, length: 60
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 6(52): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(52): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(52): KE(52): Next payload: N, reserved: 0x0, length: 140
(52): DH group: 21, Reserved: 0x0
(52):
(52): 00 68 77 0d 60 57 95 5f b2 bc b7 0e e7 4d 76 2a
(52): 4b 39 23 93 af 6f 53 52 ed d7 5e 81 35 c6 59 3a
(52): eb 0a c1 2d b9 45 83 a0 ca 1f d1 78 84 29 03 b5
(52): d5 d7 ab 34 66 28 75 07 f7 70 92 02 4c 68 8c 02
(52): 12 54 01 80 e6 f9 f1 58 6f f6 93 80 cc 0f a0 06
(52): 3b 18 db fc 70 48 0c 33 13 3b 97 5b 28 83 c3 2d
(52): b7 15 54 98 1e 90 ba 01 33 13 83 c1 9d 06 49 26
(52): cd 0a 62 10 5c 80 c5 d1 56 7e c4 ee 40 8a 0b ee
(52): be ba 24 f0
(52): N(52): Next payload: VID, reserved: 0x0, length: 68
(52):
(52): 06 7b ac d6 f7 54 48 3b 14 06 cd fb cd 3f 84 2a
(52): 9e 2b ac 8e 8c db 0a a0 82 26 7d 91 2b 3b 12 ac
(52): c9 1c 86 28 a5 4d 21 17 ca 31 02 9d f1 f9 cb fe
(52): 6e 73 52 a5 6e 62 a1 96 4c 21 d5 69 33 2e 62 6f
(52): VID(52): Next payload: VID, reserved: 0x0, length: 23
(52):
(52): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(52): 53 4f 4e
(52): VID(52): Next payload: NOTIFY, reserved: 0x0, length: 59
(52):
(52): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(52): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(52): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(52): 73 2c 20 49 6e 63 2e
(52): NOTIFY(NAT_DETECTION_SOURCE_IP)(52): Next payload: NOTIFY, reserved: 0x0, length: 28
(52): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(52):
(52): da 62 7f 5d 42 9b fc 69 1a b8 63 d5 93 79 cb 91
(52): cb 6f 7d ae
(52): NOTIFY(NAT_DETECTION_DESTINATION_IP)(52): Next payload: NOTIFY, reserved: 0x0, length: 28
(52): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(52):
(52): 93 e6 a8 44 bd ef 17 64 fa 89 df ec 7a 32 14 7d
(52): 13 98 8c 60
(52): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(52): Next payload: VID, reserved: 0x0, length: 8
(52): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(52): VID(52): Next payload: NONE, reserved: 0x0, length: 20
(52):
(52): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(52):
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (52): Insert SA
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(52):
IKEv2-PROTO-4: (52): Received Packet [From xxxxxxxxxxx:500/To xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 593DA05596C4ACEA Message id: 0
(52): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (52): Next payload: SA, version: 2.0 (52): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (52): Message id: 0, length: 399(52):
Payload contents:
(52): SA(52): Next payload: KE, reserved: 0x0, length: 48
(52): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(52): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(52): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(52): KE(52): Next payload: N, reserved: 0x0, length: 140
(52): DH group: 21, Reserved: 0x0
(52):
(52): 00 11 d7 a0 23 bb 06 1d a0 fe 67 ae 30 e6 07 62
(52): e5 cd 11 ff 1e 7b 6c 43 57 95 cf c1 ee cb 3f 7b
(52): 62 c4 7b a7 6f 4a 77 bd 87 c7 b6 7b fe d0 ba ef
(52): 95 9a b5 49 fa b5 87 e0 67 fb ac 34 f9 0d 52 5a
(52): 63 49 00 d3 2b a1 70 08 ae 74 57 1a 47 38 fb 40
(52): 38 9f 55 0c 6b b5 26 97 0d e1 d6 d4 90 f8 7c 5e
(52): 41 ec 71 d5 1d 88 c0 dd ad d2 3f 80 e8 08 98 15
(52): c1 5c 0c aa 7c 17 d6 67 b4 5b c2 4e 48 5c 41 2a
(52): f9 0c a6 bb
(52): N(52): Next payload: VID, reserved: 0x0, length: 24
(52):
(52): 6b 0a 21 e2 be 7c a9 b8 16 c0 17 18 aa 0c c5 86
(52): 33 e4 67 ff
(52): VID(52): Next payload: VID, reserved: 0x0, length: 23
(52):
(52): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(52): 53 4f 4e
(52): VID(52): Next payload: VID, reserved: 0x0, length: 59
(52):
(52): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(52): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(52): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(52): 73 2c 20 49 6e 63 2e
(52): VID(52): Next payload: NOTIFY, reserved: 0x0, length: 21
(52):
(52): 46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
(52): 44
(52): NOTIFY(NAT_DETECTION_SOURCE_IP)(52): Next payload: NOTIFY, reserved: 0x0, length: 28
(52): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(52):
(52): 7c 77 69 e7 da 6b 0c 13 e5 f7 09 c8 41 a7 5b 7a
(52): 75 e8 21 7f
(52): NOTIFY(NAT_DETECTION_DESTINATION_IP)(52): Next payload: NONE, reserved: 0x0, length: 28
(52): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(52):
(52): bb 30 33 e1 f7 cb 36 57 00 2f 33 99 b3 52 c0 c0
(52): 66 e6 9a 5d
(52):
(52): Decrypted packet:(52): Data: 399 bytes
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (52): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (52): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (52): Verify SA init message
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (52): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (52): Process NAT discovery notify
IKEv2-PROTO-7: (52): Processing nat detect src notify
IKEv2-PROTO-7: (52): Remote address matched
IKEv2-PROTO-7: (52): Processing nat detect dst notify
IKEv2-PROTO-7: (52): Local address matched
IKEv2-PROTO-7: (52): No NAT found
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (52): Checking NAT discovery
IKEv2-PROTO-4: (52): NAT not found
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (52): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 21
IKEv2-PROTO-4: (52): Request queued for computation of DH secret
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (52): Generate skeyid
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-7: (52): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-4: (52): Completed SA init exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (52): Check for EAP exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (52): Generate my authentication data
IKEv2-PROTO-4: (52): Use preshared key for id xxxxxxxxxxx, key len 10
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (52): Get my authentication method
IKEv2-PROTO-4: (52): My authentication method is 'PSK'
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (52): Check for EAP exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (52): Generating IKE_AUTH message
IKEv2-PROTO-4: (52): Constructing IDi payload: 'xxxxxxxxxxx' of type 'IPv4 address'
IKEv2-PROTO-4: (52): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
(52): AES-CBC(52): SHA256(52): Don't use ESNIKEv2-PROTO-4: (52): Building packet for encryption.
(52):
Payload contents:
(52): VID(52): Next payload: IDi, reserved: 0x0, length: 20
(52):
(52): 0e ec d7 ae f3 63 e7 a1 47 83 64 83 5f d6 5a 46
(52): IDi(52): Next payload: AUTH, reserved: 0x0, length: 12
(52): Id type: IPv4 address, Reserved: 0x0 0x0
(52):
(52): cd 8a ab b6
(52): AUTH(52): Next payload: SA, reserved: 0x0, length: 40
(52): Auth method PSK, reserved: 0x0, reserved 0x0
(52): Auth data: 32 bytes
(52): SA(52): Next payload: TSi, reserved: 0x0, length: 44
(52): last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3(52): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(52): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(52): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(52): TSi(52): Next payload: TSr, reserved: 0x0, length: 40
(52): Num of TSs: 2, reserved 0x0, reserved 0x0
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 10.84.249.5, end addr: 10.84.249.5
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 10.84.249.0, end addr: 10.84.249.255
(52): TSr(52): Next payload: NOTIFY, reserved: 0x0, length: 40
(52): Num of TSs: 2, reserved 0x0, reserved 0x0
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 192.168.200.254, end addr: 192.168.200.254
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 192.168.200.0, end addr: 192.168.200.255
(52): NOTIFY(INITIAL_CONTACT)(52): Next payload: NOTIFY, reserved: 0x0, length: 8
(52): Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(52): NOTIFY(ESP_TFC_NO_SUPPORT)(52): Next payload: NOTIFY, reserved: 0x0, length: 8
(52): Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(52): NOTIFY(NON_FIRST_FRAGS)(52): Next payload: NONE, reserved: 0x0, length: 8
(52): Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(52):
IKEv2-PROTO-4: (52): Sending Packet [To xxxxxxxxxxx:500/From xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 593DA05596C4ACEA Message id: 1
(52): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (52): Next payload: ENCR, version: 2.0 (52): Exchange type: IKE_AUTH, flags: INITIATOR (52): Message id: 1, length: 288(52):
Payload contents:
(52): ENCR(52): Next payload: VID, reserved: 0x0, length: 260
(52): Encrypted data: 256 bytes
(52):
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (52): Check for EAP exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
(52):
IKEv2-PROTO-4: (52): Received Packet [From xxxxxxxxxxx:500/To xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 593DA05596C4ACEA Message id: 1
(52): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (52): Next payload: ENCR, version: 2.0 (52): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (52): Message id: 1, length: 160(52):
Payload contents:
(52):
(52): Decrypted packet:(52): Data: 160 bytes
(52): REAL Decrypted packet:(52): Data: 80 bytes
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (52): Process auth response notify
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (52): Searching policy based on peer's identity 'xxxxxxxxxxx' of type 'IPv4 address'
IKEv2-PLAT-4: (52): Site to Site connection detected
IKEv2-PLAT-4: (52): P1 ID = 0
IKEv2-PLAT-4: (52): Translating IKE_ID_AUTO to = 255
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (52): Verify peer's policy
IKEv2-PROTO-4: (52): Peer's policy verified
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (52): Get peer's authentication method
IKEv2-PROTO-4: (52): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (52): Get peer's preshared key for xxxxxxxxxxx
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (52): Verify peer's authentication data
IKEv2-PROTO-4: (52): Use preshared key for id xxxxxxxxxxx, key len 10
IKEv2-PROTO-4: (52): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (52): Check for EAP exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PLAT-4: (52): Completed authentication for connection
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (52): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (52): IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
IKEv2-PROTO-4: (52): Session with IKE ID PAIR (xxxxxxxxxxx, xxxxxxxxxxx) is UP
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PLAT-4: (52): connection auth hdl set to 155
IKEv2-PLAT-4: (52): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PLAT-4: (52): idle timeout set to: 30
IKEv2-PLAT-4: (52): session timeout set to: 0
IKEv2-PLAT-4: (52): group policy set to .DefaultS2SGroupPolicy
IKEv2-PLAT-4: (52): class attr set
IKEv2-PLAT-4: (52): tunnel protocol set to: 0x44
IKEv2-PLAT-4: (52): IPv4 filter ID not configured for connection
IKEv2-PLAT-4: (52): group lock set to: none
IKEv2-PLAT-4: (52): IPv6 filter ID not configured for connection
IKEv2-PLAT-4: (52): connection attributes set valid to TRUE
IKEv2-PLAT-4: (52): Successfully retrieved conn attrs
IKEv2-PLAT-4: (52): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-4: (52): connection auth hdl set to -1
IKEv2-PROTO-4: (52): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (52): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (52): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-4: (52): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-7: (52): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-4: (52): Sending DELETE INFO message for IKEv2 SA [ISPI: 0x0CECD6AEE05414E6 RSPI: 0x593DA05596C4ACEA]
IKEv2-PROTO-4: (52): Building packet for encryption.
(52):
Payload contents:
(52): DELETE(52): Next payload: NONE, reserved: 0x0, length: 8
(52): Security protocol id: IKE, spi size: 0, num of spi: 0
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PLAT-4: (52): Encrypt success status returned via ipc 1
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (52): Checking if request will fit in peer window
(52):
IKEv2-PROTO-4: (52): Sending Packet [To xxxxxxxxxxx:500/From xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 593DA05596C4ACEA Message id: 2
(52): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (52): Next payload: ENCR, version: 2.0 (52): Exchange type: INFORMATIONAL, flags: INITIATOR (52): Message id: 2, length: 80(52):
Payload contents:
(52): ENCR(52): Next payload: DELETE, reserved: 0x0, length: 52
(52): Encrypted data: 48 bytes
(52):
IKEv2-PLAT-5: (52): SENT PKT [INFORMATIONAL] [xxxxxxxxxxx]:500->[xxxxxxxxxxx]:500 InitSPI=0x0cecd6aee05414e6 RespSPI=0x593da05596c4acea MID=00000002
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-4: (52): Check for existing active SA
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_STOP_ACCT
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_TERM_CONN
IKEv2-PROTO-4: (52): Delete all IKE SAs
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(52):
IKEv2-PROTO-4: (52): Received Packet [From xxxxxxxxxxx:500/To xxxxxxxxxxx:500/VRF i0:f0]
(52): Initiator SPI : 0CECD6AEE05414E6 - Responder SPI : 593DA05596C4ACEA Message id: 2
(52): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (52): Next payload: ENCR, version: 2.0 (52): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (52): Message id: 2, length: 80(52):
Payload contents:
IKEv2-PLAT-4: (52): Decrypt success status returned via ipc 1
(52):
(52): Decrypted packet:(52): Data: 80 bytes
(52): REAL Decrypted packet:(52): Data: 8 bytes
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (52): Processing ACK to informational exchange
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PROTO-7: (52): Action: Action_Null
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000002 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-4: (52): Deleting SA
IKEv2-PLAT-4: (52): IKEv2 session deregistered from session manager. Reason: 8
IKEv2-PLAT-4: (52): session manager killed ikev2 tunnel. Reason: Internal Error
IKEv2-PLAT-4: (52): Deleted associated IKE flow: Outside, xxxxxxxxxxx:62465 <-> xxxxxxxxxxx:62465
IKEv2-PLAT-4: (52): PSH cleanup

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to Makoon

‎04-27-2024 01:04 AM

thanks for more info. 

I know it hard and long but it need to detect issue here 
1-use same debug but one ping from FW LAN and other time from IOS XE LAN, let see if we change the initiator is that effect the IKEv2 or not 

2- Use one IKEv2 SA under FW dont use multi SA (i.e. one protect network not multi), and also do ping one from each side 

3-in two steps above please run

debug crypto ikev2 internal
show crypto ikev2 sa detail  

in router, since the notify is receive from the FW it can the router is End the VPN and have Error we can see in debug and show command 

waiting your reply 

MHM




View solution in original post

0 Helpful
16 Replies 16

Go to solution
Rob Ingram
VIP
VIP

‎04-26-2024 01:37 AM

@Makoon on the IOS router use the no config-exchange request command in the IKEv2 profile configuration mode to disable configuration exchange options

crypto ikev2 profile profile-v2
 no config-exchange request

https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/vpn/asa-920-vpn-config/vpn-vti.html

 

 

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎04-26-2024 01:49 AM - edited ‎04-26-2024 01:50 AM

Site2 have no crypto map or crypto ipsec profile ? or you missing add it ?

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html

this guide how you config it 
also notice how ASA detect Peer-id

MHM

0 Helpful

Go to solution
tvotna
Spotlight
Spotlight

‎04-26-2024 01:49 AM

Hard to say. From the debug it appears that IKEv2 SA comes up and then is immediately deleted:

IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (52): SM Trace-> SA: I_SPI=0CECD6AEE05414E6 R_SPI=593DA05596C4ACEA (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-4: (52): Queuing IKE SA delete request reason: unknown

Note that you have overlapping crypto ACL lines:

(52): TSi(52): Next payload: TSr, reserved: 0x0, length: 40
(52): Num of TSs: 2, reserved 0x0, reserved 0x0
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 10.84.249.5, end addr: 10.84.249.5
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 10.84.249.0, end addr: 10.84.249.255

(52): TSr(52): Next payload: NOTIFY, reserved: 0x0, length: 40
(52): Num of TSs: 2, reserved 0x0, reserved 0x0
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 192.168.200.254, end addr: 192.168.200.254
(52): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(52): start port: 0, end port: 65535
(52): start addr: 192.168.200.0, end addr: 192.168.200.255

So, verify crypto ACLs.

Also, to be on the safe side add the following, but this is NOT the root cause of the failure:

crypto ikev2 profile profile-v2
 no config-exchange request

If above doesn't help, add "debug crypto ipsec" to IKEv2 debugs and collect them simultaneously on both sides.

 

0 Helpful

Go to solution
Makoon
Level 1
Level 1

‎04-26-2024 03:07 AM

Thanks all for the response, highly appreciate the help

My apology I had missed posting below

crypto map MAP-xxxxxxx ipsec-isakmp
set peer 2x
set security-association lifetime seconds 28800
set transform-set Txxxx
match address 150

crypto ipsec transform-set Txxxxxx esp-aes 256 esp-sha256-hmac

Also I will suggest the below and perform the debug as suggested.

no config-exchange request

Go to solution
MHM Cisco World
VIP
VIP
In response to Makoon

‎04-26-2024 03:31 AM

show vpn sessiondb l2l detail 
show crypto ikev2 sa 
share this from ASA side 

MHM

0 Helpful

Go to solution
Makoon
Level 1
Level 1

‎04-26-2024 03:43 AM

Thank-you, FYI we are using Site1 using FTD and site2 (client side) using Cisco 891F.

Thus, not much of output per below from FTD side.

# show vpn-sessiondb l2l ?

filter Filter criteria
sort Sort Criteria
| Output modifiers
<cr>
# show vpn-sessiondb l2l
INFO: There are presently no active sessions

# show crypto ikev2 sa

There are no IKEv2 SAs

Go to solution
MHM Cisco World
VIP
VIP
In response to Makoon

‎04-26-2024 03:46 AM - edited ‎04-26-2024 03:46 AM

you need to ping from LAN to LAN then run above command 

MHM

0 Helpful

Go to solution
tvotna
Spotlight
Spotlight
In response to MHM Cisco World

‎04-26-2024 07:58 AM

Of course, the output is empty, because IKEv2 SA is deleted right after successful negotiation.

 

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Makoon

‎04-26-2024 02:22 PM - edited ‎04-26-2024 02:31 PM

you debug the platform what we need it debug protocol and make the number 64 not need 127 nor 255 since the IKEv2 never pass phaseI

anyway the point that I was want to check is this 

IKEv2-PLAT-4: (52): idle timeout set to: 30
IKEv2-PLAT-4: (52): session timeout set to: 0
IKEv2-PLAT-4: (52): group policy set to .DefaultS2SGroupPolicy
IKEv2-PLAT-4: (52): class attr set
IKEv2-PLAT-4: (52): tunnel protocol set to: 0x44 <<-
IKEv2-PLAT-4: (52): IPv4 filter ID not configured for connection
IKEv2-PLAT-4: (52): group lock set to: none
IKEv2-PLAT-4: (52): IPv6 filter ID not configured for connection
IKEv2-PLAT-4: (52): connection attributes set valid to TRUE
IKEv2-PLAT-4: (52): Successfully retrieved conn attrs
IKEv2-PLAT-4: (52): Session registration after conn attr retrieval PASSED, No error

I run lab this value is different ?

Screenshot (365).png

so run 

debug crypto ikev2 protocol 64

share here and check group-policy via 
show run all group-policy

and share

show crypto ikev2 sa <<- immediate after ping from LAN to LAN 

MHM

0 Helpful

Go to solution
Makoon
Level 1
Level 1

‎04-26-2024 09:10 PM

Thank-you! I had tried the ping immediately after the ping but still output below...(Done multiple times but no luck whilst pinging)

# show crypto ikev2 sa

There are no IKEv2 SAs

And per below, the debug output via "debug crypto ikev2 protocol 64"

IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (546): Setting configured policies
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (546): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 21
IKEv2-PROTO-4: (546): Request queued for computation of DH key
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (546): Action: Action_Null
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (546): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (546): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 7
(546): AES-CBC(546): AES-CBC(546): SHA256(546): SHA256(546): DH_GROUP_521_ECP/Group 21(546): DH_GROUP_256_ECP/Group 19(546): DH_GROUP_2048_MODP/Group 14(546):
IKEv2-PROTO-4: (546): Sending Packet [To xxxxxxxxxxx:500/From xxxxxxxxxxx:500/VRF i0:f0]
(546): Initiator SPI : D687C00C7D190A93 - Responder SPI : 0000000000000000 Message id: 0
(546): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (546): Next payload: SA, version: 2.0 (546): Exchange type: IKE_SA_INIT, flags: INITIATOR (546): Message id: 0, length: 478(546):
Payload contents:
(546): SA(546): Next payload: KE, reserved: 0x0, length: 76
(546): last proposal: 0x0, reserved: 0x0, length: 72
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 7(546): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(546): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(546): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(546): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(546): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(546): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(546): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(546): KE(546): Next payload: N, reserved: 0x0, length: 140
(546): DH group: 21, Reserved: 0x0
(546):
(546): 00 f4 58 7f cc 83 94 db 80 d1 a4 21 d3 4b 6b 35
(546): 92 2f b9 23 ac ab 31 48 5b 44 37 9b 58 fb 50 6f
(546): a5 6b 54 4c db 6f d8 a2 54 00 5f e7 48 3d f1 bb
(546): 89 fa 8f 30 c8 06 c9 d4 8c 54 d0 a5 62 92 63 34
(546): a5 af 00 a0 23 4f ed 64 c7 fc 2b 3e 8d 5a 10 a1
(546): 3d d3 41 d9 b4 5b d8 8c 4c f0 b9 b3 38 ff be b2
(546): e5 06 50 8d 2e e1 fa 5a 35 da 53 d8 d8 87 f9 6d
(546): fa 64 ec bc 02 5d 40 8b 17 88 dd ab 9b e3 06 60
(546): c6 83 23 cc
(546): N(546): Next payload: VID, reserved: 0x0, length: 68
(546):
(546): 79 9d b9 d8 dd 2d 60 bd e3 22 60 c3 82 a6 d7 dc
(546): cc c4 78 ff f1 92 d1 bc f6 58 b8 90 10 ed bf 42
(546): 5f 2b 81 b3 f6 9f 18 32 a6 65 41 46 4f d7 ea 2e
(546): 32 20 b7 26 4c 83 77 c3 15 01 01 ae f6 b7 94 c5
(546): VID(546): Next payload: VID, reserved: 0x0, length: 23
(546):
(546): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(546): 53 4f 4e
(546): VID(546): Next payload: NOTIFY, reserved: 0x0, length: 59
(546):
(546): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(546): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(546): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(546): 73 2c 20 49 6e 63 2e
(546): NOTIFY(NAT_DETECTION_SOURCE_IP)(546): Next payload: NOTIFY, reserved: 0x0, length: 28
(546): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(546):
(546): b4 82 d3 43 43 3d 08 7f 64 2e f6 af e6 84 23 69
(546): 5d d9 cc 0b
(546): NOTIFY(NAT_DETECTION_DESTINATION_IP)(546): Next payload: NOTIFY, reserved: 0x0, length: 28
(546): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(546):
(546): 21 77 10 df 5e 0e 13 5c a7 92 79 e2 a2 85 29 34
(546): fc b0 16 42
(546): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(546): Next payload: VID, reserved: 0x0, length: 8
(546): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(546): VID(546): Next payload: NONE, reserved: 0x0, length: 20
(546):
(546): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(546):
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (546): Insert SA
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
(546):
IKEv2-PROTO-4: (546): Received Packet [From xxxxxxxxxxx:500/To xxxxxxxxxxx:500/VRF i0:f0]
(546): Initiator SPI : D687C00C7D190A93 - Responder SPI : 875520BCC3BBDB9B Message id: 0
(546): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (546): Next payload: SA, version: 2.0 (546): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (546): Message id: 0, length: 399(546):
Payload contents:
(546): SA(546): Next payload: KE, reserved: 0x0, length: 48
(546): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(546): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(546): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(546): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(546): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(546): KE(546): Next payload: N, reserved: 0x0, length: 140
(546): DH group: 21, Reserved: 0x0
(546):
(546): 01 29 79 48 46 88 33 b8 0c 0e e3 0e b4 5f a4 38
(546): 26 36 39 2d 9e 8c 9d c6 f0 6a 2b d4 0b bd 4a 81
(546): e7 03 88 6b 53 94 8d 82 67 24 b8 86 88 93 3b 92
(546): 7f 72 8b 5e 68 8d 9c 10 ef b4 e0 d6 19 e8 be 83
(546): 50 32 01 e3 6f 4e 23 87 01 06 d2 78 bf b5 6e 8b
(546): be 54 16 a1 45 ed ec 0c 92 81 6b 90 89 b0 5e 17
(546): ad 10 11 a9 89 f3 0f db 91 b7 9e dd 72 73 8f 87
(546): 33 aa c0 e4 a7 ad d2 f3 94 97 2c eb cd 03 5a 23
(546): 21 31 d9 c9
(546): N(546): Next payload: VID, reserved: 0x0, length: 24
(546):
(546): 31 cf 60 25 a7 fd 21 63 dc 97 5c fb 35 c9 47 44
(546): df aa 39 23
(546): VID(546): Next payload: VID, reserved: 0x0, length: 23
(546):
(546): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(546): 53 4f 4e
(546): VID(546): Next payload: VID, reserved: 0x0, length: 59
(546):
(546): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(546): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(546): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(546): 73 2c 20 49 6e 63 2e
(546): VID(546): Next payload: NOTIFY, reserved: 0x0, length: 21
(546):
(546): 46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
(546): 44
(546): NOTIFY(NAT_DETECTION_SOURCE_IP)(546): Next payload: NOTIFY, reserved: 0x0, length: 28
(546): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(546):
(546): d1 e1 3a a8 17 b8 b4 78 75 bc ad 30 00 99 e9 95
(546): 8e 78 fa 8b
(546): NOTIFY(NAT_DETECTION_DESTINATION_IP)(546): Next payload: NONE, reserved: 0x0, length: 28
(546): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(546):
(546): f7 dd 55 57 2b 35 b4 e1 a1 47 43 7c b0 6d 71 3a
(546): 96 bd d5 e1
(546):
(546): Decrypted packet:(546): Data: 399 bytes
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-7: (546): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (546): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (546): Verify SA init message
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (546): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (546): Process NAT discovery notify
IKEv2-PROTO-7: (546): Processing nat detect src notify
IKEv2-PROTO-7: (546): Remote address matched
IKEv2-PROTO-7: (546): Processing nat detect dst notify
IKEv2-PROTO-7: (546): Local address matched
IKEv2-PROTO-7: (546): No NAT found
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (546): Checking NAT discovery
IKEv2-PROTO-4: (546): NAT not found
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (546): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 21
IKEv2-PROTO-4: (546): Request queued for computation of DH secret
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (546): Action: Action_Null
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (546): Generate skeyid
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-7: (546): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-4: (546): Completed SA init exchange
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (546): Check for EAP exchange
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-4: (546): Generate my authentication data
IKEv2-PROTO-4: (546): Use preshared key for id xxxxxxxxxxx, key len 10
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (546): Get my authentication method
IKEv2-PROTO-4: (546): My authentication method is 'PSK'
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-4: (546): Check for EAP exchange
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-4: (546): Generating IKE_AUTH message
IKEv2-PROTO-4: (546): Constructing IDi payload: 'xxxxxxxxxxx' of type 'IPv4 address'
IKEv2-PROTO-4: (546): ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 4
(546): AES-CBC(546): AES-CBC(546): SHA256(546): Don't use ESNIKEv2-PROTO-4: (546): Building packet for encryption.
(546):
Payload contents:
(546): VID(546): Next payload: IDi, reserved: 0x0, length: 20
(546):
(546): d4 87 c1 0c 6e 2e f9 d4 74 20 54 4d 0d 20 e5 4e
(546): IDi(546): Next payload: AUTH, reserved: 0x0, length: 12
(546): Id type: IPv4 address, Reserved: 0x0 0x0
(546):
(546): cd 8a ab b6
(546): AUTH(546): Next payload: SA, reserved: 0x0, length: 40
(546): Auth method PSK, reserved: 0x0, reserved 0x0
(546): Auth data: 32 bytes
(546): SA(546): Next payload: TSi, reserved: 0x0, length: 56
(546): last proposal: 0x0, reserved: 0x0, length: 52
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 4(546): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(546): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(546): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(546): last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
(546): TSi(546): Next payload: TSr, reserved: 0x0, length: 40
(546): Num of TSs: 2, reserved 0x0, reserved 0x0
(546): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(546): start port: 0, end port: 65535
(546): start addr: 10.84.249.5, end addr: 10.84.249.5
(546): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(546): start port: 0, end port: 65535
(546): start addr: 10.84.249.0, end addr: 10.84.249.255
(546): TSr(546): Next payload: NOTIFY, reserved: 0x0, length: 40
(546): Num of TSs: 2, reserved 0x0, reserved 0x0
(546): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(546): start port: 0, end port: 65535
(546): start addr: 192.168.200.5, end addr: 192.168.200.5
(546): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(546): start port: 0, end port: 65535
(546): start addr: 192.168.200.0, end addr: 192.168.200.255
(546): NOTIFY(INITIAL_CONTACT)(546): Next payload: NOTIFY, reserved: 0x0, length: 8
(546): Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
(546): NOTIFY(ESP_TFC_NO_SUPPORT)(546): Next payload: NOTIFY, reserved: 0x0, length: 8
(546): Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
(546): NOTIFY(NON_FIRST_FRAGS)(546): Next payload: NONE, reserved: 0x0, length: 8
(546): Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (546): Action: Action_Null
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_TRYSEND
(546):
IKEv2-PROTO-4: (546): Sending Packet [To xxxxxxxxxxx:500/From xxxxxxxxxxx:500/VRF i0:f0]
(546): Initiator SPI : D687C00C7D190A93 - Responder SPI : 875520BCC3BBDB9B Message id: 1
(546): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (546): Next payload: ENCR, version: 2.0 (546): Exchange type: IKE_AUTH, flags: INITIATOR (546): Message id: 1, length: 304(546):
Payload contents:
(546): ENCR(546): Next payload: VID, reserved: 0x0, length: 276
(546): Encrypted data: 272 bytes
(546):
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_BLD_AUTH Event: EV_CHK_EAP_POST_ASYNC
IKEv2-PROTO-4: (546): Check for EAP exchange
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
(546):
IKEv2-PROTO-4: (546): Received Packet [From xxxxxxxxxxx:500/To xxxxxxxxxxx:500/VRF i0:f0]
(546): Initiator SPI : D687C00C7D190A93 - Responder SPI : 875520BCC3BBDB9B Message id: 1
(546): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (546): Next payload: ENCR, version: 2.0 (546): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (546): Message id: 1, length: 160(546):
Payload contents:
(546):
(546): Decrypted packet:(546): Data: 160 bytes
(546): REAL Decrypted packet:(546): Data: 80 bytes
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-7: (546): Action: Action_Null
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-4: (546): Process auth response notify
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_PROC_MSG
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (546): Searching policy based on peer's identity 'xxxxxxxxxxx' of type 'IPv4 address'
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
IKEv2-PROTO-4: (546): Verify peer's policy
IKEv2-PROTO-4: (546): Peer's policy verified
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-4: (546): Get peer's authentication method
IKEv2-PROTO-4: (546): Peer's authentication method is 'PSK'
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
IKEv2-PROTO-4: (546): Get peer's preshared key for xxxxxxxxxxx
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-4: (546): Verify peer's authentication data
IKEv2-PROTO-4: (546): Use preshared key for id xxxxxxxxxxx, key len 10
IKEv2-PROTO-4: (546): Verification of peer's authenctication data PASSED
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-4: (546): Check for EAP exchange
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_IC
IKEv2-PROTO-4: (546): Processing INITIAL_CONTACT
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK
IKEv2-PROTO-7: (546): Action: Action_Null
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE
IKEv2-PROTO-4: (546): IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
IKEv2-PROTO-4: (546): Session with IKE ID PAIR (xxxxxxxxxxx, xxxxxxxxxxx) is UP
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT
IKEv2-PROTO-4: (546): Initializing DPD, configured for 10 seconds
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (546): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (546): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: READY Event: EV_CHK_IKE_ONLY
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: READY Event: EV_DEL_SA
IKEv2-PROTO-4: (546): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-7: (546): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-7: (546): Action: Action_Null
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-4: (546): Sending DELETE INFO message for IKEv2 SA [ISPI: 0xD687C00C7D190A93 RSPI: 0x875520BCC3BBDB9B]
IKEv2-PROTO-4: (546): Building packet for encryption.
(546):
Payload contents:
(546): DELETE(546): Next payload: NONE, reserved: 0x0, length: 8
(546): Security protocol id: IKE, spi size: 0, num of spi: 0
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_NO_EVENT
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (546): Action: Action_Null
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_TRYSEND
IKEv2-PROTO-4: (546): Checking if request will fit in peer window
(546):
IKEv2-PROTO-4: (546): Sending Packet [To xxxxxxxxxxx:500/From xxxxxxxxxxx:500/VRF i0:f0]
(546): Initiator SPI : D687C00C7D190A93 - Responder SPI : 875520BCC3BBDB9B Message id: 2
(546): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-5: (546): Next payload: ENCR, version: 2.0 (546): Exchange type: INFORMATIONAL, flags: INITIATOR (546): Message id: 2, length: 80(546):
Payload contents:
(546): ENCR(546): Next payload: DELETE, reserved: 0x0, length: 52
(546): Encrypted data: 48 bytes
(546):
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_CHK4_ACTIVE_SA
IKEv2-PROTO-4: (546): Check for existing active SA
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_STOP_ACCT
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000002 CurState: INFO_I_BLD_INFO Event: EV_TERM_CONN
IKEv2-PROTO-4: (546): Delete all IKE SAs
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_NO_EVENT
(546):
IKEv2-PROTO-4: (546): Received Packet [From xxxxxxxxxxx:500/To xxxxxxxxxxx:500/VRF i0:f0]
(546): Initiator SPI : D687C00C7D190A93 - Responder SPI : 875520BCC3BBDB9B Message id: 2
(546): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-5: (546): Next payload: ENCR, version: 2.0 (546): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (546): Message id: 2, length: 80(546):
Payload contents:
(546):
(546): Decrypted packet:(546): Data: 80 bytes
(546): REAL Decrypted packet:(546): Data: 8 bytes
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_RECV_INFO_ACK
IKEv2-PROTO-4: (546): Processing ACK to informational exchange
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000002 CurState: INFO_I_WAIT Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000002 CurState: DELETE Event: EV_RECV_DEL_ACK
IKEv2-PROTO-7: (546): Action: Action_Null
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000002 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-4: (546): Deleting SA

Also the output via "show run all group-policy"

group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
split-tunnel-all-dns disable
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
client-bypass-protocol disable
gateway-fqdn none
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
msie-proxy lockdown enable
vlan none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
scep-forwarding-url none
security-group-tag none
periodic-authentication certificate none
no vpn-simultaneous-login-delete-no-delay
client-firewall none
client-access-rule none
---snip anyconnect policy----
group-policy .DefaultS2SGroupPolicy internal
group-policy .DefaultS2SGroupPolicy attributes
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ikev1 ikev2
no vpn-simultaneous-login-delete-no-delay

 

 

Go to solution
tvotna
Spotlight
Spotlight
In response to Makoon

‎04-27-2024 12:53 AM

@Makoon, As I said before, IKEv2 SA comes up and then is immediately deleted, that is why you don't see it in the output. The reason printed in the debug is UNKNOWN. Then DELETE NOTIFY is sent to the peer. Refer to my post above.

IKEv2-PROTO-4: (546): Queuing IKE SA delete request reason: unknown
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: READY Event: EV_FREE_NEG
IKEv2-PROTO-7: (546): Deleting negotiation context for my message ID: 0x1
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: READY Event: EV_DELETE
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: DELETE Event: EV_DELETE
IKEv2-PROTO-7: (546): Action: Action_Null
IKEv2-PROTO-7: (546): SM Trace-> SA: I_SPI=D687C00C7D190A93 R_SPI=875520BCC3BBDB9B (I) MsgID = 00000001 CurState: INFO_I_BLD_INFO Event: EV_SND_SA_DEL
IKEv2-PROTO-4: (546): Sending DELETE INFO message for IKEv2 SA [ISPI: 0xD687C00C7D190A93 RSPI: 0x875520BCC3BBDB9B]
IKEv2-PROTO-4: (546): Building packet for encryption.
(546):
Payload contents:
(546): DELETE(546): Next payload: NONE, reserved: 0x0, length: 8

Since the reason is UNKNOWN, you need to collect "debug crypto ipsec" at a certain level, e.g. "debug crypto ipsec 7" to begin with. Typically debug is collected on both sides, because IKEv2 is a bit complicated protocol, so nobody can be completely sure what is happening in it if we see only half of the picture. There are many other troubleshooting steps which can be tried next, if above steps don't help.

More comprehensive debug (except packet dumps) can be collected as follows. Debug crypto condition is only needed if you have several tunnels on the box.

debug crypto condition peer <IP>
debug crypto ike-common 254
debug crypto ikev2 protocol 254
debug crypto ikev2 platform 254
debug crypto ipsec 254
debug vpn-sessiondb 255

And of course, verify your IPSec config on both sides, e.g. crypto ACLs, etc. Post relevant configs from both sides here.

HTH

 

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Makoon

‎04-27-2024 01:04 AM

thanks for more info. 

I know it hard and long but it need to detect issue here 
1-use same debug but one ping from FW LAN and other time from IOS XE LAN, let see if we change the initiator is that effect the IKEv2 or not 

2- Use one IKEv2 SA under FW dont use multi SA (i.e. one protect network not multi), and also do ping one from each side 

3-in two steps above please run

debug crypto ikev2 internal
show crypto ikev2 sa detail  

in router, since the notify is receive from the FW it can the router is End the VPN and have Error we can see in debug and show command 

waiting your reply 

MHM




0 Helpful

Go to solution
Makoon
Level 1
Level 1

‎04-27-2024 06:32 PM

Thanks both! Understood, I will reach out to the peer for suggested debug. However due to weekend, not sure when will I get the response and to troubleshoot. Let me chase and revert here. Again many thanks for all the suggestion and professional advise.

FYI - below is the output of debug crypto ipsec 7

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.84.249.5, sport=16493, daddr=192.168.200.5, dport=16493
IPSEC(crypto_map_check)-3: Checking crypto map CSM_Outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.84.249.5, sport=16493, daddr=192.168.200.5, dport=16493
IPSEC(crypto_map_check)-3: Checking crypto map CSM_Outside_map 1: matched.
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x2ABB8FB3
IPSEC: New embryonic SA created @ 0x000000ffe4158050,
SCB : 0xD07579E0,
Direction : inbound
SPI : 0x4BD81B3D
Session ID : 0x000DA000
VPIF num : 0x00000005
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
SA handle : 0x2ABB8FB3
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x4BD81B3D)
IPSEC DEBUG: Inbound SA (SPI 0x4BD81B3D) destroy started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x4BD81B3D) free started, state embryonic
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Setting an IPSec timer of type SA Purge Timer for 30 seconds with a jitter value of 0
IPSEC INFO: IPSec SA PURGE timer started SPI 0x2ABB8FB3
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC DEBUG: Inbound SA (SPI 0x4BD81B3D) free completed
IPSEC DEBUG: Inbound SA (SPI 0x4BD81B3D) destroy completed

0 Helpful

Go to solution
Makoon
Level 1
Level 1

‎05-01-2024 04:07 AM

Hi MHM / TVOTNA

Many thanks for the help! I had confirmed with the end peer that their configuration was not 100 percent built. Per this conversation details, I was able to talk with peer and able to pin point this.

Again many thanks and currently VPN is up and running!

Customers Also Viewed These Support Documents