[strongSwan] Unstable strongSwan-ASA tunnel

Santiago Lorente sll at disroot.org
Sun Nov 10 02:24:39 CET 2019


Hello, I am new to this list.

I am testing an IPSec VPN between VyOS 1.2.3 and ASAv. Everything is 
fine but not stable: the tunnel periodically restarts after a while. I 
don't have accurate data on how long that stable period is, but I would 
say it is always less than 3 hours.

Is there any incompatibility between strongSwan and Cisco ASAv?

Why does the tunnel restart?

Do you have any suggestion on how to fix it?

I'm not an expert, but according to the logs it seems it might have 
something to do with rekeying.

I am attaching logs and configurations.

Thank you!

-------------- next part --------------
vyos at RouterA:~$ show log vpn ipsec | match 23:31
Nov  9 23:31:17 RouterA charon: 06[KNL] creating rekey job for CHILD_SA ESP/0xc10298e5/172.18.201.10
Nov  9 23:31:17 RouterA charon: 06[IKE] establishing CHILD_SA peer-172.18.202.10-tunnel-vti{4} reqid 2
Nov  9 23:31:17 RouterA charon: 06[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No KE TSi TSr ]
Nov  9 23:31:17 RouterA charon: 06[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (348 bytes)
Nov  9 23:31:17 RouterA charon: 15[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (76 bytes)
Nov  9 23:31:17 RouterA charon: 15[ENC] parsed CREATE_CHILD_SA response 2 [ N(INVAL_KE) ]
Nov  9 23:31:17 RouterA charon: 15[IKE] peer didn't accept DH group MODP_1024, it requested MODP_NONE
Nov  9 23:31:17 RouterA charon: 15[IKE] establishing CHILD_SA peer-172.18.202.10-tunnel-vti{5} reqid 2
Nov  9 23:31:17 RouterA charon: 15[ENC] generating CREATE_CHILD_SA request 3 [ N(REKEY_SA) SA No TSi TSr ]
Nov  9 23:31:17 RouterA charon: 15[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (204 bytes)
Nov  9 23:31:17 RouterA charon: 08[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (236 bytes)
Nov  9 23:31:17 RouterA charon: 08[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
Nov  9 23:31:17 RouterA charon: 08[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov  9 23:31:17 RouterA charon: 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Nov  9 23:31:17 RouterA charon: 08[IKE] no acceptable proposal found
Nov  9 23:31:17 RouterA charon: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov  9 23:31:17 RouterA charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI c3fb679f
Nov  9 23:31:17 RouterA charon: 08[ENC] generating INFORMATIONAL request 4 [ D ]
Nov  9 23:31:17 RouterA charon: 08[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (76 bytes)
Nov  9 23:31:17 RouterA charon: 13[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (76 bytes)
Nov  9 23:31:17 RouterA charon: 13[ENC] parsed INFORMATIONAL response 4 [ D ]
Nov  9 23:31:17 RouterA charon: 13[IKE] CHILD_SA rekeying failed, trying again in 8 seconds
Nov  9 23:31:25 RouterA charon: 07[IKE] establishing CHILD_SA peer-172.18.202.10-tunnel-vti{6} reqid 2
Nov  9 23:31:25 RouterA charon: 07[ENC] generating CREATE_CHILD_SA request 5 [ N(REKEY_SA) SA No KE TSi TSr ]
Nov  9 23:31:25 RouterA charon: 07[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (348 bytes)
Nov  9 23:31:25 RouterA charon: 10[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (76 bytes)
Nov  9 23:31:25 RouterA charon: 10[ENC] parsed CREATE_CHILD_SA response 5 [ N(INVAL_KE) ]
Nov  9 23:31:25 RouterA charon: 10[IKE] peer didn't accept DH group MODP_1024, it requested MODP_NONE
Nov  9 23:31:25 RouterA charon: 10[IKE] establishing CHILD_SA peer-172.18.202.10-tunnel-vti{7} reqid 2
Nov  9 23:31:25 RouterA charon: 10[ENC] generating CREATE_CHILD_SA request 6 [ N(REKEY_SA) SA No TSi TSr ]
Nov  9 23:31:25 RouterA charon: 10[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (204 bytes)
Nov  9 23:31:25 RouterA charon: 05[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (236 bytes)
Nov  9 23:31:25 RouterA charon: 05[ENC] parsed CREATE_CHILD_SA response 6 [ SA No TSi TSr ]
Nov  9 23:31:25 RouterA charon: 05[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov  9 23:31:25 RouterA charon: 05[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Nov  9 23:31:25 RouterA charon: 05[IKE] no acceptable proposal found
Nov  9 23:31:25 RouterA charon: 05[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov  9 23:31:25 RouterA charon: 05[IKE] sending DELETE for ESP CHILD_SA with SPI cf8e8976
Nov  9 23:31:25 RouterA charon: 05[ENC] generating INFORMATIONAL request 7 [ D ]
Nov  9 23:31:25 RouterA charon: 05[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (76 bytes)
Nov  9 23:31:25 RouterA charon: 11[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (76 bytes)
Nov  9 23:31:25 RouterA charon: 11[ENC] parsed INFORMATIONAL request 4 [ D ]
Nov  9 23:31:25 RouterA charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI 97095276
Nov  9 23:31:25 RouterA charon: 11[IKE] closing CHILD_SA peer-172.18.202.10-tunnel-vti{3} with SPIs c10298e5_i (111113389 bytes) 97095276_o (4345197 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
Nov  9 23:31:25 RouterA charon: 11[IKE] sending DELETE for ESP CHILD_SA with SPI c10298e5
Nov  9 23:31:25 RouterA charon: 11[IKE] CHILD_SA closed
Nov  9 23:31:25 RouterA charon: 06[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (382 bytes)
Nov  9 23:31:25 RouterA charon: 11[KNL] error uninstalling route installed with policy 0.0.0.0/0 === 0.0.0.0/0 out (mark 9437185/0xffffffff)
Nov  9 23:31:25 RouterA charon: 11[IKE] detected CHILD_REKEY collision with CHILD_DELETE
Nov  9 23:31:25 RouterA charon: 11[ENC] generating INFORMATIONAL response 4 [ D ]
Nov  9 23:31:25 RouterA charon: 11[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (76 bytes)
Nov  9 23:31:25 RouterA charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
Nov  9 23:31:25 RouterA charon: 06[IKE] received Cisco Delete Reason vendor ID
Nov  9 23:31:25 RouterA charon: 06[IKE] received Cisco Copyright (c) 2009 vendor ID
Nov  9 23:31:25 RouterA charon: 06[IKE] received FRAGMENTATION vendor ID
Nov  9 23:31:25 RouterA charon: 06[IKE] 172.18.202.10 is initiating an IKE_SA
Nov  9 23:31:25 RouterA charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
Nov  9 23:31:25 RouterA charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Nov  9 23:31:25 RouterA charon: 06[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (256 bytes)
Nov  9 23:31:25 RouterA charon: 15[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (76 bytes)
Nov  9 23:31:25 RouterA charon: 15[ENC] parsed INFORMATIONAL response 7 [ ]
Nov  9 23:31:25 RouterA charon: 07[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (76 bytes)
Nov  9 23:31:25 RouterA charon: 07[ENC] parsed INFORMATIONAL request 5 [ D ]
Nov  9 23:31:25 RouterA charon: 07[IKE] received DELETE for unknown ESP CHILD_SA with SPI 584acbb2
Nov  9 23:31:25 RouterA charon: 07[IKE] CHILD_SA closed
Nov  9 23:31:25 RouterA charon: 07[ENC] generating INFORMATIONAL response 5 [ ]
Nov  9 23:31:25 RouterA charon: 07[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (76 bytes)
Nov  9 23:31:25 RouterA charon: 10[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (284 bytes)
Nov  9 23:31:25 RouterA charon: 10[ENC] parsed IKE_AUTH request 1 [ V IDi AUTH SA TSi TSr N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Nov  9 23:31:25 RouterA charon: 10[CFG] looking for peer configs matching 172.18.201.10[%any]...172.18.202.10[172.18.202.10]
Nov  9 23:31:25 RouterA charon: 10[CFG] selected peer config 'peer-172.18.202.10-tunnel-vti'
Nov  9 23:31:25 RouterA charon: 10[IKE] authentication of '172.18.202.10' with pre-shared key successful
Nov  9 23:31:25 RouterA charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov  9 23:31:25 RouterA charon: 10[IKE] authentication of '172.18.201.10' (myself) with pre-shared key
Nov  9 23:31:25 RouterA charon: 05[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (76 bytes)
Nov  9 23:31:25 RouterA charon: 05[ENC] parsed INFORMATIONAL request 6 [ D ]
Nov  9 23:31:25 RouterA charon: 05[IKE] received DELETE for IKE_SA peer-172.18.202.10-tunnel-vti[3]
Nov  9 23:31:25 RouterA charon: 05[IKE] deleting IKE_SA peer-172.18.202.10-tunnel-vti[3] between 172.18.201.10[172.18.201.10]...172.18.202.10[172.18.202.10]
Nov  9 23:31:25 RouterA charon: 05[IKE] IKE_SA deleted
Nov  9 23:31:25 RouterA charon: 05[ENC] generating INFORMATIONAL response 6 [ ]
Nov  9 23:31:25 RouterA charon: 05[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (76 bytes)
Nov  9 23:31:25 RouterA charon: 10[IKE] IKE_SA peer-172.18.202.10-tunnel-vti[4] established between 172.18.201.10[172.18.201.10]...172.18.202.10[172.18.202.10]
Nov  9 23:31:25 RouterA charon: 10[IKE] scheduling rekeying in 9954s
Nov  9 23:31:25 RouterA charon: 10[IKE] maximum IKE_SA lifetime 10494s
Nov  9 23:31:25 RouterA charon: 10[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov  9 23:31:25 RouterA charon: 10[IKE] CHILD_SA peer-172.18.202.10-tunnel-vti{8} established with SPIs c62c9687_i cce618b4_o and TS 0.0.0.0/0 === 0.0.0.0/0
Nov  9 23:31:25 RouterA charon: 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Nov  9 23:31:25 RouterA charon: 10[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (204 bytes)
Nov  9 23:31:55 RouterA charon: 16[IKE] sending DPD request
Nov  9 23:31:55 RouterA charon: 16[ENC] generating INFORMATIONAL request 0 [ ]
Nov  9 23:31:55 RouterA charon: 16[NET] sending packet: from 172.18.201.10[500] to 172.18.202.10[500] (76 bytes)
Nov  9 23:31:55 RouterA charon: 11[NET] received packet: from 172.18.202.10[500] to 172.18.201.10[500] (76 bytes)
Nov  9 23:31:55 RouterA charon: 11[ENC] parsed INFORMATIONAL response 0 [ ]
vyos at RouterA:~$ 

-------------- next part --------------
vyos at RouterA:~$ show config comman
set interfaces dummy dum0
set interfaces ethernet eth0 address '172.18.201.10/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '0c:9a:1d:ae:92:00'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '0c:9a:1d:ae:92:01'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id '0c:9a:1d:ae:92:02'
set interfaces ethernet eth2 smp-affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 hw-id '0c:9a:1d:ae:92:03'
set interfaces ethernet eth3 smp-affinity 'auto'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback lo
set interfaces vti vti10 address '10.0.0.2/31'
set protocols static interface-route 192.168.2.0/24 next-hop-interface vti10
set protocols static route 0.0.0.0/0 next-hop 172.18.201.254
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'RouterA'
set system login user vyos authentication encrypted-password '$6$Kd4Y5CNOwuef$DNq2W8bz4kOb8EJVW.Cz.550TTDGYD7lwGzgV/7M6Wj5M.937wwL/YXHMK/NJ4isWri03eZIFy.SjTSgfNjlj1'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system syslog console
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'
set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '10800'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group2'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha1'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 172.18.202.10 authentication id '172.18.201.10'
set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10'
set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10'
set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT'
vyos at RouterA:~$  

-------------- next part --------------
ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.8(1) 
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

Compiled on Wed 10-May-17 15:38 PDT by builders
System image file is "boot:/asa981-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 8 hours 38 mins

Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2294 MHz,
Model Id:   ASAv10
Internal ATA Compact Flash, 8192MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB


 0: Ext: Management0/0       : address is 0ca7.6885.1300, irq 11
 1: Ext: GigabitEthernet0/0  : address is 0ca7.6885.1301, irq 11
 2: Ext: GigabitEthernet0/1  : address is 0ca7.6885.1302, irq 10
 3: Ext: GigabitEthernet0/2  : address is 0ca7.6885.1303, irq 10
 4: Ext: GigabitEthernet0/3  : address is 0ca7.6885.1304, irq 11
 5: Ext: GigabitEthernet0/4  : address is 0ca7.6885.1305, irq 11
 6: Ext: GigabitEthernet0/5  : address is 0ca7.6885.1306, irq 10
 7: Ext: GigabitEthernet0/6  : address is 0ca7.6885.1307, irq 10

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.

Licensed features for this platform:
Maximum VLANs                     : 50             
Inside Hosts                      : Unlimited      
Failover                          : Active/Standby 
Encryption-DES                    : Enabled        
Encryption-3DES-AES               : Enabled        
Security Contexts                 : 0              
Carrier                           : Disabled       
AnyConnect Premium Peers          : 2              
AnyConnect Essentials             : Disabled       
Other VPN Peers                   : 250            
Total VPN Peers                   : 250            
AnyConnect for Mobile             : Disabled       
AnyConnect for Cisco VPN Phone    : Disabled       
Advanced Endpoint Assessment      : Disabled       
Shared License                    : Disabled       
Total TLS Proxy Sessions          : 2              
Botnet Traffic Filter             : Enabled        
Cluster                           : Disabled       

Serial Number: 9A477FXPKWJ

Image type          : Release
Key version         : A

Configuration has not been modified since last system restart.
ciscoasa# show logging | in 23:31
Nov 09 2019 23:31:17: %ASA-6-302015: Built inbound UDP connection 34 for outside:172.18.201.10/500 (172.18.201.10/500) to identity:172.18.202.10/500 (172.18.202.10/500)
Nov 09 2019 23:31:17: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:17: %ASA-4-750003: Local:172.18.202.10:500 Remote:172.18.201.10:500 Username:172.18.201.10 IKEv2 Negotiation aborted due to ERROR: Detected unsupported failover version
Nov 09 2019 23:31:17: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:17: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC3FB679F) between 172.18.202.10 and 172.18.201.10 (user= 172.18.201.10) has been created.
Nov 09 2019 23:31:17: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x60ED4494) between 172.18.202.10 and 172.18.201.10 (user= 172.18.201.10) has been created.
Nov 09 2019 23:31:17: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:17: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC3FB679F) between 172.18.202.10 and 172.18.201.10 (user= 172.18.201.10) has been deleted.
Nov 09 2019 23:31:17: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x60ED4494) between 172.18.201.10 and 172.18.202.10 (user= 172.18.201.10) has been deleted.
Nov 09 2019 23:31:25: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:25: %ASA-4-750003: Local:172.18.202.10:500 Remote:172.18.201.10:500 Username:172.18.201.10 IKEv2 Negotiation aborted due to ERROR: Detected unsupported failover version
Nov 09 2019 23:31:25: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:25: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCF8E8976) between 172.18.202.10 and 172.18.201.10 (user= 172.18.201.10) has been created.
Nov 09 2019 23:31:25: %ASA-3-602305: IPSEC: SA creation error, source 172.18.201.10, destination 172.18.202.10, reason session entry rekey get error.
Nov 09 2019 23:31:25: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC10298E5) between 172.18.202.10 and 172.18.201.10 (user= 172.18.201.10) has been deleted.
Nov 09 2019 23:31:25: %ASA-4-411002: Line protocol on Interface Tunnel0, changed state to down
Nov 09 2019 23:31:25: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x97095276) between 172.18.201.10 and 172.18.202.10 (user= 172.18.201.10) has been deleted.
Nov 09 2019 23:31:25: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCF8E8976) between 172.18.202.10 and 172.18.201.10 (user= 172.18.201.10) has been deleted.
Nov 09 2019 23:31:25: %ASA-4-411002: Line protocol on Interface Tunnel0, changed state to down
Nov 09 2019 23:31:25: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x584ACBB2) between 172.18.201.10 and 172.18.202.10 (user= 172.18.201.10) has been deleted.
Nov 09 2019 23:31:25: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = __vti-crypto-map-4-0-0.  Map Sequence Number = 65280.
Nov 09 2019 23:31:25: %ASA-7-752008: Duplicate entry already in Tunnel Manager
Nov 09 2019 23:31:25: %ASA-5-750001: Local:172.18.202.10:500 Remote:172.18.201.10:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.18.202.10-172.18.202.10 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.18.201.10-172.18.201.10 Protocol: 0 Port Range: 0-65535
Nov 09 2019 23:31:25: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:25: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:25: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:25: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:25: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:25: %ASA-5-750007: Local:172.18.202.10:500 Remote:172.18.201.10:500 Username:172.18.201.10 IKEv2 SA DOWN. Reason: unknown
Nov 09 2019 23:31:25: %ASA-4-113019: Group = 172.18.201.10, Username = 172.18.201.10, IP = 172.18.201.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 2h:46m:04s, Bytes xmt: 111113389, Bytes rcv: 4345197, Reason: Internal Error
Nov 09 2019 23:31:25: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500
Nov 09 2019 23:31:25: %ASA-5-750006: Local:172.18.202.10:500 Remote:172.18.201.10:500 Username:172.18.201.10 IKEv2 SA UP. Reason: New Connection Established
Nov 09 2019 23:31:25: %ASA-6-113009: AAA retrieved default group policy (172.18.201.10) for user = 172.18.201.10
Nov 09 2019 23:31:25: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC62C9687) between 172.18.202.10 and 172.18.201.10 (user= 172.18.201.10) has been created.
Nov 09 2019 23:31:25: %ASA-4-411001: Line protocol on Interface Tunnel0, changed state to up
Nov 09 2019 23:31:25: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xCCE618B4) between 172.18.202.10 and 172.18.201.10 (user= 172.18.201.10) has been created.
Nov 09 2019 23:31:25: %ASA-5-752016: IKEv2 was successful at setting up a tunnel.  Map Tag = __vti-crypto-map-4-0-0. Map Sequence Number = 65280.
Nov 09 2019 23:31:25: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = __vti-crypto-map-4-0-0.  Map Sequence Number = 65280.
Nov 09 2019 23:31:31: %ASA-6-302014: Teardown TCP connection 31 for BRANCH_VTI:192.168.1.2/22 to inside:192.168.2.2/48536 duration 2:44:47 bytes 107052454 Tunnel being brought up or torn down
Nov 09 2019 23:31:31: %ASA-7-609002: Teardown local-host inside:192.168.2.2 duration 2:44:47
Nov 09 2019 23:31:31: %ASA-7-609002: Teardown local-host BRANCH_VTI:192.168.1.2 duration 2:44:47
Nov 09 2019 23:31:45: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/48536 to 192.168.1.2/22 flags ACK  on interface inside
Nov 09 2019 23:31:55: %ASA-7-713906: IKE Receiver: Packet received on 172.18.202.10:500 from 172.18.201.10:500


-------------- next part --------------
ciscoasa# show running-config 
: Saved

: 
: Serial Number: 9A477FXPKWJ
: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2294 MHz
:
ASA Version 9.8(1) 
!
hostname ciscoasa
enable password $sha512$5000$5PKXqHsoNe5mFEw4cRb2wg==$AXxEAWu6gRn4jwxzqk8dTQ== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.18.202.10 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Tunnel0
 nameif BRANCH_VTI
 ip address 10.0.0.3 255.255.255.254 
 tunnel source interface outside
 tunnel destination 172.18.201.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
ftp mode passive
pager lines 23
logging enable
logging timestamp
logging buffer-size 4096000
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
route outside 0.0.0.0 0.0.0.0 172.18.202.254 2
route BRANCH_VTI 192.168.1.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal TSET
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec profile IPSEC_PROFILE
 set ikev2 ipsec-proposal TSET
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
    308204d3 308203bb a0030201 02021018 dad19e26 7de8bb4a 2158cdcc 6b3b4a30 
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117 
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b 
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504 
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72 
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56 
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043 
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d30 
    36313130 38303030 3030305a 170d3336 30373136 32333539 35395a30 81ca310b 
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20 
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65 
    74776f72 6b313a30 38060355 040b1331 28632920 32303036 20566572 69536967 
    6e2c2049 6e632e20 2d20466f 72206175 74686f72 697a6564 20757365 206f6e6c 
    79314530 43060355 0403133c 56657269 5369676e 20436c61 73732033 20507562 
    6c696320 5072696d 61727920 43657274 69666963 6174696f 6e204175 74686f72 
    69747920 2d204735 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 
    3082010a 02820101 00af2408 08297a35 9e600caa e74b3b4e dc7cbc3c 451cbb2b 
    e0fe2902 f95708a3 64851527 f5f1adc8 31895d22 e82aaaa6 42b38ff8 b955b7b1 
    b74bb3fe 8f7e0757 ecef43db 66621561 cf600da4 d8def8e0 c362083d 5413eb49 
    ca595485 26e52b8f 1b9febf5 a191c233 49d84363 6a524bd2 8fe87051 4dd18969 
    7bc770f6 b3dc1274 db7b5d4b 56d396bf 1577a1b0 f4a225f2 af1c9267 18e5f406 
    04ef90b9 e400e4dd 3ab519ff 02baf43c eee08beb 378becf4 d7acf2f6 f03dafdd 
    75913319 1d1c40cb 74241921 93d914fe ac2a52c7 8fd50449 e48d6347 883c6983 
    cbfe47bd 2b7e4fc5 95ae0e9d d4d143c0 6773e314 087ee53f 9f73b833 0acf5d3f 
    3487968a ee53e825 15020301 0001a381 b23081af 300f0603 551d1301 01ff0405 
    30030101 ff300e06 03551d0f 0101ff04 04030201 06306d06 082b0601 05050701 
    0c046130 5fa15da0 5b305930 57305516 09696d61 67652f67 69663021 301f3007 
    06052b0e 03021a04 148fe5d3 1a86ac8d 8e6bc3cf 806ad448 182c7b19 2e302516 
    23687474 703a2f2f 6c6f676f 2e766572 69736967 6e2e636f 6d2f7673 6c6f676f 
    2e676966 301d0603 551d0e04 1604147f d365a7c2 ddecbbf0 3009f343 39fa02af 
    33313330 0d06092a 864886f7 0d010105 05000382 01010093 244a305f 62cfd81a 
    982f3dea dc992dbd 77f6a579 2238ecc4 a7a07812 ad620e45 7064c5e7 97662d98 
    097e5faf d6cc2865 f201aa08 1a47def9 f97c925a 0869200d d93e6d6e 3c0d6ed8 
    e6069140 18b9f8c1 eddfdb41 aae09620 c9cd6415 3881c994 eea28429 0b136f8e 
    db0cdd25 02dba48b 1944d241 7a05694a 584f60ca 7e826a0b 02aa2517 39b5db7f 
    e784652a 958abd86 de5e8116 832d10cc defda882 2a6d281f 0d0bc4e5 e71a2619 
    e1f4116f 10b595fc e7420532 dbce9d51 5e28b69e 85d35bef a57d4540 728eb70e 
    6b0e06fb 33354871 b89d278b c4655f0d 86769c44 7af6955c f65d3208 33a454b6 
    183f685c f2424a85 3854835f d1e82cf2 ac11d6a8 ed636a
  quit
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 19
 prf sha
 lifetime seconds 10800
crypto ikev2 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy 172.18.201.10 internal
group-policy 172.18.201.10 attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev2 
dynamic-access-policy-record DfltAccessPolicy
username asa password $sha512$5000$47dNJMKw1oY++k+n0CaaJA==$gT+aVRr73VybON90wXjsDQ== pbkdf2
tunnel-group 172.18.201.10 type ipsec-l2l
tunnel-group 172.18.201.10 general-attributes
 default-group-policy 172.18.201.10
tunnel-group 172.18.201.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome at cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:799ad91cf8c4be96fb5a89f32c6c8eb3
: end
ciscoasa#     
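Editor's note on the exchange in the attached charon log (this reading and the script below are added here; they are not part of the original post, and they are not strongSwan or VyOS project code). At 23:31:17 strongSwan rekeys the CHILD_SA with a KE payload for MODP_1024, which is what the VyOS `esp-group ESP_DEFAULT pfs 'dh-group2'` line asks for. The ASA answers `N(INVAL_KE)` and asks for `MODP_NONE`, i.e. no PFS group at all. strongSwan then retries without a KE payload, the ASA accepts, but charon rejects the answer because its own configured proposal still contains `MODP_1024` (`no acceptable proposal found`). After the second failed attempt the old CHILD_SA is deleted, the ASA tears down the IKE_SA and re-initiates, which is the restart the post describes. Consistent with that, the ASA running-config's `crypto ipsec profile IPSEC_PROFILE` carries no `set pfs` line, and charon's `scheduling rekeying in 9954s` / `maximum IKE_SA lifetime 10494s` give a 540 s rekey margin below the 10800 s lifetime, which matches the ASA's reported session duration of 2h46m04s and the "always less than 3 hours" observation. Two practitioner caveats: the two ends need to agree on whether the CHILD_SA rekey uses PFS and on which group, and DH group 2 (1024-bit MODP) is below current recommendations, so if PFS is enabled on both ends it is worth using a stronger group such as group 19, which the IKE_SA on this page already negotiates. The script parses charon lines of the kind shown above (the `SAMPLE_LOG` is a constructed subset copied from the log in the post), reports the local versus peer proposal difference, and classifies the failure; the regexes, field names and verdict strings are the editor's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the relevant charon lines from the log above,
# trimmed to what the diagnosis needs.
SAMPLE_LOG = """\
Nov  9 23:31:17 RouterA charon: 06[KNL] creating rekey job for CHILD_SA ESP/0xc10298e5/172.18.201.10
Nov  9 23:31:17 RouterA charon: 06[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No KE TSi TSr ]
Nov  9 23:31:17 RouterA charon: 15[ENC] parsed CREATE_CHILD_SA response 2 [ N(INVAL_KE) ]
Nov  9 23:31:17 RouterA charon: 15[IKE] peer didn't accept DH group MODP_1024, it requested MODP_NONE
Nov  9 23:31:17 RouterA charon: 15[ENC] generating CREATE_CHILD_SA request 3 [ N(REKEY_SA) SA No TSi TSr ]
Nov  9 23:31:17 RouterA charon: 08[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov  9 23:31:17 RouterA charon: 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Nov  9 23:31:17 RouterA charon: 08[IKE] no acceptable proposal found
Nov  9 23:31:17 RouterA charon: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov  9 23:31:25 RouterA charon: 10[IKE] scheduling rekeying in 9954s
Nov  9 23:31:25 RouterA charon: 10[IKE] maximum IKE_SA lifetime 10494s
"""

# strongSwan names DH groups with these prefixes (MODP_*, ECP_*, CURVE_*).
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")

# Editor's regexes for the charon messages used here (assumed stable wording).
RE_INVAL_KE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
RE_RECEIVED = re.compile(r"received proposals: (.+)$")
RE_CONFIGURED = re.compile(r"configured proposals: (.+)$")
RE_REKEY = re.compile(r"scheduling rekeying in (\d+)s")
RE_MAXLIFE = re.compile(r"maximum (?:IKE_SA|CHILD_SA) lifetime (\d+)s")


def parse_proposals(text):
    """'ESP:A/B, ESP:C/D' -> [('ESP', {'A','B'}), ('ESP', {'C','D'})]."""
    props = []
    for chunk in text.split(","):
        proto, _, algs = chunk.strip().partition(":")
        props.append((proto, set(algs.split("/"))))
    return props


def is_dh_group(alg):
    return alg.startswith(DH_PREFIXES)


@dataclass
class RekeyDiagnosis:
    requested_group: Optional[str] = None       # group we put in the KE payload
    peer_requested: Optional[str] = None        # group the peer asked for via INVALID_KE_PAYLOAD
    missing_on_peer: set = field(default_factory=set)   # in our proposal, absent from the peer's answer
    extra_from_peer: set = field(default_factory=set)   # in the peer's answer, not in our proposal
    rekey_in: Optional[int] = None
    max_lifetime: Optional[int] = None

    @property
    def rekey_margin(self):
        """Seconds between scheduled rekey and hard lifetime, if both were logged."""
        if self.rekey_in is None or self.max_lifetime is None:
            return None
        return self.max_lifetime - self.rekey_in

    @property
    def verdict(self):
        # Peer wants no DH group and the only thing it dropped is our DH group: PFS disagreement.
        if (self.peer_requested == "MODP_NONE" and self.missing_on_peer
                and all(is_dh_group(a) for a in self.missing_on_peer)):
            return "pfs_mismatch"
        if self.missing_on_peer or self.extra_from_peer:
            return "proposal_mismatch"
        return "ok"


def diagnose(log_text):
    """Walk charon lines and summarise a CHILD_SA rekey failure."""
    d = RekeyDiagnosis()
    received = configured = None
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := RE_INVAL_KE.search(line):
            d.requested_group, d.peer_requested = m.groups()
        elif m := RE_RECEIVED.search(line):
            received = parse_proposals(m.group(1))
        elif m := RE_CONFIGURED.search(line):
            configured = parse_proposals(m.group(1))
        elif m := RE_REKEY.search(line):
            d.rekey_in = int(m.group(1))
        elif m := RE_MAXLIFE.search(line):
            d.max_lifetime = int(m.group(1))
    if received and configured:
        # Compare the peer's answer with the closest of our configured proposals.
        best = None
        for r_proto, r_algs in received:
            for c_proto, c_algs in configured:
                if c_proto != r_proto:
                    continue
                missing, extra = c_algs - r_algs, r_algs - c_algs
                if best is None or len(missing) + len(extra) < len(best[0]) + len(best[1]):
                    best = (missing, extra)
        if best:
            d.missing_on_peer, d.extra_from_peer = best
    return d


if __name__ == "__main__":
    diag = diagnose(SAMPLE_LOG)
    print(f"verdict={diag.verdict} we_sent={diag.requested_group} peer_wants={diag.peer_requested}")
    print(f"missing on peer={sorted(diag.missing_on_peer)} extra from peer={sorted(diag.extra_from_peer)}")
    print(f"rekey in {diag.rekey_in}s, hard lifetime {diag.max_lifetime}s, margin {diag.rekey_margin}s")
```

Run it against a fuller `show log vpn ipsec` capture by passing the text to `diagnose()`; a `pfs_mismatch` verdict with `MODP_NONE` from the peer points at a PFS setting present on one end and absent on the other, while `proposal_mismatch` with non-DH entries in the difference points at cipher or integrity settings instead.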

