I was onsite at a customer today when they asked me to look at a VPN that had been configured. They were not able to get VPN traffic across and were just now able to look at it. I found that the VPN had been configured, and Phase I looked good and was "Active". However, there was no Phase II happening on the VPN. So I turned on 'debug cryp isa' and got the following messages:
ASA# Jan 13 10:28:43 [IKEv1]: Group = 71.72.73.74, IP = 71.72.73.74, QM FSM error (P2 struct &0xac7ebc00, mess id 0xff9846d6)!
Jan 13 10:28:43 [IKEv1]: Group = 71.72.73.74, IP = 71.72.73.74, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jan 13 10:28:43 [IKEv1]: Group = 71.72.73.74, IP = 71.72.73.74, Removing peer from correlator table failed, no match!
So I got the contact info for the other side of the VPN and called them. It turns out that the other side was NATing traffic to a different IP address than what my original IP address was. The guy before me had not configured for that, so I asked him to not NAT the traffic. Once he corrected his side, Phase II came up and we were passing traffic. Looks good.
ASA# sh cryp ipsec sa peer 71.72.73.74
peer address: 71.72.73.74
Crypto map tag: outside_map, seq num: 81, local addr: 10.10.10.10
access-list VPNACL permit ip host 192.168.1.215 host 192.168.8.2
local ident (addr/mask/prot/port): (192.168.1.215/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.8.2/255.255.255.255/0/0)
current_peer: 71.72.73.74
#pkts encaps: 35, #pkts encrypt: 35, #pkts digest: 35
#pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 35, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.10.10.10, remote crypto endpt.: 71.72.73.74
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: C19B46B3
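The failure above is a Phase 2 proxy-identity mismatch: our "remote ident" must equal the peer's "local ident" and vice versa, and the far side's NAT broke that. The following Python is an added example, not code from the original post or from Cisco: it parses the ident lines of ASA "show crypto ipsec sa" output from both peers, reports which pair does not mirror, and recognises the Quick Mode failure signature in the debug lines. The peer-side outputs are constructed; the 172.16.8.2 address stands in for whatever the far side was NATing its host to.

```python
"""Added example, not part of the original post: check that two IPsec peers'
Phase 2 proxy identities mirror each other and spot the IKEv1 Quick Mode
failure seen in 'debug crypto isakmp'. Peer outputs below are constructed."""
import ipaddress
import re

# Matches ASA lines such as:
#   local ident (addr/mask/prot/port): (192.168.1.215/255.255.255.255/0/0)
IDENT_RE = re.compile(
    r"(?P<side>local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)"
)


def parse_idents(sa_output):
    """Return {'local': (network, proto, port), 'remote': (...)} parsed from
    'show crypto ipsec sa' text."""
    idents = {}
    for m in IDENT_RE.finditer(sa_output):
        # ipaddress accepts a dotted netmask after the slash for IPv4
        net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        idents[m["side"]] = (net, int(m["prot"]), int(m["port"]))
    return idents


def proxy_id_mismatches(our_sa, peer_sa):
    """List the proxy-ID pairs that do not mirror between the two peers.
    An empty list means the Phase 2 selectors agree."""
    ours, theirs = parse_idents(our_sa), parse_idents(peer_sa)
    problems = []
    if ours.get("local") != theirs.get("remote"):
        problems.append(
            f"our local {ours.get('local')} != peer remote {theirs.get('remote')}"
        )
    if ours.get("remote") != theirs.get("local"):
        problems.append(
            f"our remote {ours.get('remote')} != peer local {theirs.get('local')}"
        )
    return problems


def quick_mode_failed(debug_lines):
    """True when IKEv1 debug output shows Quick Mode (Phase 2) failing, which
    only happens after Phase 1 has completed."""
    text = "\n".join(debug_lines)
    return "QM FSM error" in text and "No SPI to identify Phase 2 SA" in text


# Our side, taken from the post's 'show crypto ipsec sa' output.
OUR_SA = """\
local ident (addr/mask/prot/port): (192.168.1.215/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.8.2/255.255.255.255/0/0)"""

# Constructed: the far side NATs its host 192.168.8.2 to 172.16.8.2 before
# it hits the crypto ACL, so its local ident no longer mirrors our remote ident.
PEER_SA_NATTED = """\
local ident (addr/mask/prot/port): (172.16.8.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.215/255.255.255.255/0/0)"""

# Constructed: the far side after the NAT exemption was put in place.
PEER_SA_FIXED = """\
local ident (addr/mask/prot/port): (192.168.8.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.215/255.255.255.255/0/0)"""

# Debug lines as they appeared in the post.
DEBUG_LINES = [
    "Jan 13 10:28:43 [IKEv1]: Group = 71.72.73.74, IP = 71.72.73.74, "
    "QM FSM error (P2 struct &0xac7ebc00, mess id 0xff9846d6)!",
    "Jan 13 10:28:43 [IKEv1]: Group = 71.72.73.74, IP = 71.72.73.74, "
    "construct_ipsec_delete(): No SPI to identify Phase 2 SA!",
]

if __name__ == "__main__":
    print("quick mode failed:", quick_mode_failed(DEBUG_LINES))
    print("before fix:", proxy_id_mismatches(OUR_SA, PEER_SA_NATTED))
    print("after fix:", proxy_id_mismatches(OUR_SA, PEER_SA_FIXED))
```

Run it against the real "show crypto ipsec sa" text from each peer; a non-empty mismatch list is the fastest way to confirm that a Phase 1 "Active" tunnel with no Phase 2 is a selector disagreement rather than a key or policy problem.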