
Two VPN sessions being created to same destination, BGP not coming up.

Hi all,

I have created a VPN and am seeing strange results. The side I manage shows two sessions connected to the same endpoint, with phase 1 up on one session and down on the other. BGP is enabled across the VPN but is also not coming up.

-------------------------------------------------------------------------------------------------------

Sessions are shown below.

Interface: Tunnel100003

Profile: if-ipsec3-ikev2-profile

Session status: UP-ACTIVE

Peer: 3.11.178.77 port 4500

  Session ID: 11694

  IKEv2 SA: local 10.157.71.129/4500 remote 3.11.178.77/4500 Active

  Session ID: 11696

  IKEv2 SA: local 10.157.71.129/4500 remote 3.11.178.77/4500 Active

  IPSEC FLOW: permit ip 192.168.88.0/255.255.252.0 192.168.238.128/255.255.255.224

        Active SAs: 1318, origin: crypto map

 

Interface: Tunnel100003

Session status: DOWN

Peer: 3.11.178.77 port 500

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0

        Active SAs: 0, origin: crypto map

-------------------------------------------------------------------------------------------------------

Tunnel IDs

Tunnel-id Local Remote fvrf/ivrf Status
2 10.157.71.129/4500 3.11.178.77/4500 none/100 READY
Encr: AES-CBC, keysize: 256, PRF: SHA384, Hash: SHA384, DH Grp:16, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/7434 sec

Tunnel-id Local Remote fvrf/ivrf Status
3 10.157.71.129/4500 3.11.178.77/4500 none/100 READY
Encr: AES-CBC, keysize: 256, PRF: SHA384, Hash: SHA384, DH Grp:16, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/3692 sec

--------------------------------------------------------------------------------------------------------

Show run

crypto ikev2 keyring if-ipsec3-ikev2-keyring
peer if-ipsec3-ikev2-keyring-peer
address 3.11.178.77
pre-shared-key 6 XXXXXXXXXXXXXXX (blanked out)

crypto ikev2 profile if-ipsec3-ikev2-profile
match identity remote address 3.11.178.77 255.255.255.255
identity local address 194.32.41.146
authentication remote pre-share
authentication local pre-share
keyring local if-ipsec3-ikev2-keyring
lifetime 28800
dpd 10 10 on-demand
no config-exchange request

crypto ipsec profile if-ipsec3-ipsec-profile
set security-association lifetime kilobytes disable
set security-association replay window-size 512
set transform-set if-ipsec3-ikev2-transform
set pfs group16
set ikev2-profile if-ipsec3-ikev2-profile

---------------------------------------------------------------

IPSEC show commands - Tunnel 3 is creating multiple SAs

interface: Tunnel100003
Crypto map tag: Tunnel100003-head-0, local addr 10.157.71.129

protected vrf: 100
local ident (addr/mask/prot/port): (192.168.88.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.238.128/255.255.255.224/0/0)
current_peer 3.11.178.77 port 4500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.157.71.129, remote crypto endpt.: 3.11.178.77
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet0/0/0.1000
current outbound spi: 0xCE632B24(3462605604)
PFS (Y/N): Y, DH group: group16

inbound esp sas:
spi: 0x4CE88AB9(1290308281)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30737, flow_id: HW:28737, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 370
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xB205554F(2986693967)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30747, flow_id: HW:28747, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 374
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xE65A1965(3864664421)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30777, flow_id: HW:28777, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 388
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xADAF427F(2913944191)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30811, flow_id: HW:28811, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 402
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xED31A470(3979453552)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30833, flow_id: HW:28833, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 416
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xF6B02A9C(4138740380)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30849, flow_id: HW:28849, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 429
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xBBF47A47(3153361479)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30875, flow_id: HW:28875, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 443
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xC0268BF1(3223751665)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30905, flow_id: HW:28905, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 459
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xB511C33D(3037840189)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30943, flow_id: HW:28943, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 475
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x1C87AB95(478653333)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30955, flow_id: HW:28955, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 480
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x1176129(18309417)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30981, flow_id: HW:28981, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 494
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x447DD305(1149096709)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31009, flow_id: HW:29009, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 508
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xC0811DC3(3229687235)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31069, flow_id: HW:29069, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 539
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xA1DF740E(2715776014)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31115, flow_id: HW:29115, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 556
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xAF8408D9(2944665817)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31129, flow_id: HW:29129, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 563
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x394997F7(961124343)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31175, flow_id: HW:29175, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 582
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x4844C1AA(1212465578)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31213, flow_id: HW:29213, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 599
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x7ED31C12(2127764498)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31241, flow_id: HW:29241, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 614
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x9BB21B8B(2612140939)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31251, flow_id: HW:29251, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 617
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x3B262ADD(992357085)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31293, flow_id: HW:29293, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 641
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x58676DA5(1483173285)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31325, flow_id: HW:29325, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 655
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x5D51C13A(1565638970)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31345, flow_id: HW:29345, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 669
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x2B95354F(731198799)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31365, flow_id: HW:29365, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 677
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x85AC336A(2242655082)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31401, flow_id: HW:29401, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 696
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xA5FA2E5F(2784636511)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31449, flow_id: HW:29449, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 715
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0x4A4D4F9A(1246580634)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31469, flow_id: HW:29469, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 725
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xF0AECC51(4037987409)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31511, flow_id: HW:29511, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 748
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)
spi: 0xCC8B18EB(3431667947)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31545, flow_id: HW:29545, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100003-head-0
sa timing: remaining key lifetime (sec): 765
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE(ACTIVE)

protected vrf: 100
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 3.11.178.77 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 260563, #recv errors 0

local crypto endpt.: 10.157.71.129, remote crypto endpt.: 3.11.178.77
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet0/0/0.1000
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

Any ideas on the cause of this?

 


Can you share the tunnel config?

MHM

Which show command/s would display the correct tunnel config?

 

interface Tunnel100003
vrf forwarding 100
ip address 169.254.14.66 255.255.255.252
ip mtu 1500
ip tcp adjust-mss 1379
tunnel source 10.157.71.129
tunnel mode ipsec ipv4
tunnel destination 3.11.178.77
tunnel path-mtu-discovery
tunnel protection ipsec profile if-ipsec3-ipsec-profile

Debug output

 

Jan 15 11:47:54.461: IKEv2:(SESSION ID = 11696,SA ID = 3):Sending Packet [To 3.11.178.77:4500/From 10.157.71.129:4500/VRF i0:f0]
Initiator SPI : A98608C628530D34 - Responder SPI : 83DC8E7D7801C6D4 Message id: 54694
IKEv2 CREATE_CHILD_SA Exchange RESPONSE
Payload contents:
ENCR

Jan 15 11:47:54.462: IKEv2-ERROR:(SESSION ID = 11696,SA ID = 3):: Create child exchange failed
Jan 15 11:47:54.462: IKEv2:(SESSION ID = 11696,SA ID = 3):Multiple same IPSec SA create failed
Jan 15 11:47:54.463: IKEv2:(SESSION ID = 11696,SA ID = 3):Abort exchange

Jan 15 11:47:54.988: IKEv2:(SESSION ID = 11696,SA ID = 3):Received Packet [From 3.11.178.77:4500/To 10.157.71.129:4500/VRF i0:f0]
Initiator SPI : A98608C628530D34 - Responder SPI : 83DC8E7D7801C6D4 Message id: 1019
IKEv2 CREATE_CHILD_SA Exchange RESPONSE
Payload contents:
SA N KE TSi TSr

Jan 15 11:47:54.989: IKEv2:(SESSION ID = 11696,SA ID = 3):Processing any notify-messages in child SA exchange
Jan 15 11:47:54.989: IKEv2:(SESSION ID = 11696,SA ID = 3):Validating create child message
Jan 15 11:47:54.989: IKEv2:(SESSION ID = 11696,SA ID = 3):Processing CREATE_CHILD_SA exchange
Jan 15 11:47:54.989: IKEv2:(SESSION ID = 11696,SA ID = 3):IPSec policy validate request sent for profile if-ipsec3-ikev2-profile with psh index 3.

Jan 15 11:47:54.989: IKEv2:(SESSION ID = 11696,SA ID = 3):(SA ID = 3):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

Jan 15 11:47:54.989: IKEv2:(SESSION ID = 11696,SA ID = 3):Checking for PFS configuration
Jan 15 11:47:54.989: IKEv2:(SESSION ID = 11696,SA ID = 3):PFS configured, DH group 16
Jan 15 11:47:54.989: IKEv2:(SESSION ID = 11696,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 16
Jan 15 11:47:54.991: IKEv2:(SESSION ID = 11696,SA ID = 3):Request queued for computation of DH secret
Jan 15 11:47:54.996: IKEv2:(SESSION ID = 11696,SA ID = 3):(SA ID = 3):[Crypto Engine -> IKEv2] DH key Computation PASSED
Jan 15 11:47:54.996: IKEv2:(SESSION ID = 11696,SA ID = 3):Checking if IKE SA rekey
Jan 15 11:47:54.996: IKEv2:(SESSION ID = 11696,SA ID = 3):Load IPSEC key material
Jan 15 11:47:54.996: IKEv2:(SESSION ID = 11696,SA ID = 3):(SA ID = 3):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
Jan 15 11:47:55.017: IKEv2:(SESSION ID = 11696,SA ID = 3):(SA ID = 3):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Jan 15 11:47:55.017: IKEv2:(SESSION ID = 11696,SA ID = 3):IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started

Jan 15 11:47:55.147: IKEv2:(SESSION ID = 11696,SA ID = 3):Received Packet [From 3.11.178.77:4500/To 10.157.71.129:4500/VRF i0:f0]
Initiator SPI : A98608C628530D34 - Responder SPI : 83DC8E7D7801C6D4 Message id: 54695
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:
SA N KE TSi TSr

Jan 15 11:47:55.147: IKEv2:(SESSION ID = 11696,SA ID = 3):Validating create child message
Jan 15 11:47:55.148: IKEv2:(SESSION ID = 11696,SA ID = 3):Check for create child response message type
Jan 15 11:47:55.148: IKEv2:(SESSION ID = 11696,SA ID = 3):Processing CREATE_CHILD_SA exchange
Jan 15 11:47:55.148: IKEv2:(SESSION ID = 11696,SA ID = 3):IPSec policy validate request sent for profile if-ipsec3-ikev2-profile with psh index 3.

Jan 15 11:47:55.148: IKEv2:(SESSION ID = 11696,SA ID = 3):
Jan 15 11:47:55.148: IKEv2:(SESSION ID = 11696,SA ID = 3):(SA ID = 3):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

Jan 15 11:47:55.148: IKEv2:Checking for duplicate IPsec SA with same proxies
Jan 15 11:47:55.149: IKEv2-ERROR:IPsec SA with same proxies already exists
Jan 15 11:47:55.150: IKEv2-ERROR:(SESSION ID = 11696,SA ID = 3):: IPsec SA with same proxies already exists
Jan 15 11:47:55.150: IKEv2:(SESSION ID = 11696,SA ID = 3):Sending temporary failure notify
Jan 15 11:47:55.150: IKEv2:(SESSION ID = 11696,SA ID = 3):Building packet for encryption.
Payload contents:
NOTIFY(TEMPORARY FAILURE)

Jan 15 11:47:55.150: IKEv2:(SESSION ID = 11696,SA ID = 3):Sending Packet [To 3.11.178.77:4500/From 10.157.71.129:4500/VRF i0:f0]

Crypto map tag: Tunnel100003-head-0, local addr 10.157.71.129

protected vrf: 100
local ident (addr/mask/prot/port): (192.168.88.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.238.128/255.255.255.224/0/0)
There is something wrong.
The IPsec for the tunnel does not use a proxy; it must appear as 0.0.0.0.
What is the other peer's vendor? Is it Palo, Azure?
MHM

Yep, it's Azure, and it's required to be set to 0.0.0.0/0 on the peer encryption domain.

You are so so welcome 
MHM
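
A check for the symptom pattern in this thread, as an added example (not code from any poster or from Cisco): it parses `show crypto ipsec sa` text and flags tunnel-interface flows whose selectors are not 0.0.0.0/0, flows that have accumulated many inbound SPIs, and an any/any flow with send errors and no SAs. The sample output is constructed, and the finding names and the `max_inbound` threshold of 2 are assumptions.

```python
import re

# Constructed sample in the layout of `show crypto ipsec sa` (shortened; every value is invented).
SAMPLE = """\
interface: Tunnel1
protected vrf: 100
local ident (addr/mask/prot/port): (10.10.0.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (10.20.0.0/255.255.255.224/0/0)
current_peer 198.51.100.7 port 4500
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0x11111111(286331153)
spi: 0x22222222(572662306)
spi: 0x33333333(858993459)
outbound esp sas:
spi: 0x55555555(1431655765)
protected vrf: 100
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 198.51.100.7 port 500
#send errors 260, #recv errors 0
inbound esp sas:
"""

IDENT = re.compile(r"^(local|remote)\s+ident .*:\s*\(([\d.]+)/([\d.]+)/\d+/\d+\)")
ANY = ("0.0.0.0", "0.0.0.0")  # address/mask pair meaning "any"

def parse_flows(text):
    """Split the output into one dict per selector pair (flow)."""
    flows, iface, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface:"):
            iface = line.split(":", 1)[1].strip()
        elif m := IDENT.match(line):
            if m.group(1) == "local" or not flows:  # a local ident opens a new flow
                flows.append({"iface": iface, "inbound_spis": [], "send_errors": 0})
                section = None
            flows[-1][m.group(1)] = (m.group(2), m.group(3))
        elif flows and (m := re.match(r"#send errors (\d+)", line)):
            flows[-1]["send_errors"] = int(m.group(1))
        elif line.endswith("sas:"):  # "inbound esp sas:", "outbound esp sas:", ...
            section = line
        elif flows and section == "inbound esp sas:" and (m := re.match(r"spi:\s*(0x[0-9A-Fa-f]+)", line)):
            flows[-1]["inbound_spis"].append(m.group(1))
    return flows

def audit(text, max_inbound=2):
    """Return (interface, finding) tuples for tunnel-interface flows that look wrong."""
    findings = []
    tunnel_flows = [f for f in parse_flows(text) if (f["iface"] or "").startswith("Tunnel")]
    for f in tunnel_flows:
        narrow = f.get("local") != ANY or f.get("remote") != ANY
        if narrow:  # tunnel interface negotiated specific subnets instead of any/any
            findings.append((f["iface"], "narrow-selectors"))
        if len(f["inbound_spis"]) > max_inbound:  # more than a rekey overlap would explain
            findings.append((f["iface"], "inbound-sa-pileup"))
        if not narrow and not f["inbound_spis"] and f["send_errors"]:
            findings.append((f["iface"], "any-any-flow-never-established"))
    return findings
```
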