This document describes debugs on the Adaptive Security Appliance (ASA) when both main mode and pre-shared key (PSK) are used. The translation of certain debug lines into configuration is also discussed.
Topics not discussed in this document include passing traffic after the tunnel has been established and basic concepts of IPsec or Internet Key Exchange (IKE).
Readers of this document should have knowledge of these topics.
PSK
IKE
The information in this document is based on these hardware and software versions:
Cisco ASA 9.3.2
Routers that run Cisco IOS® 12.4T
IKE and IPsec debugs are sometimes cryptic, but you can use them to understand where an IPsec VPN tunnel establishment problem is located.
Main mode is typically used between LAN-to-LAN tunnels or, in the case of remote access (EzVPN), when certificates are used for authentication.
The debugs are from two ASAs that run software version 9.3.2. The two devices will form a LAN-to-LAN tunnel.
The debugs were collected on both ASAs with these commands:
debug crypto ikev1 127
debug crypto ipsec 127
IPsec configuration:

crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
crypto map MAP 10 match address VPN
crypto map MAP 10 set peer 10.0.0.2
crypto map MAP 10 set transform-set TRANSFORM
crypto map MAP 10 set reverse-route
crypto map MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.0.0.2 type ipsec-l2l
tunnel-group 10.0.0.2 ipsec-attributes
 pre-shared-key cisco
access-list VPN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Note: On ASA 8.4 and later the running configuration shows these commands in their IKEv1-specific form (crypto ikev1 enable outside, crypto ikev1 policy 10, crypto ipsec ikev1 transform-set, set ikev1 transform-set, ikev1 pre-shared-key); the legacy crypto isakmp forms used here are still accepted and converted. The pre-shared key "cisco" and the 3des policy are lab values: on a production tunnel use a long, random key and an AES policy that both peers support.

IP configuration:

ciscoasa# show ip
System IP Addresses:
Interface            Name     IP address    Subnet mask     Method
GigabitEthernet0/0   inside   192.168.1.1   255.255.255.0   manual
GigabitEthernet0/1   outside  10.0.0.1      255.255.255.0   manual
Current IP Addresses:
Interface            Name     IP address    Subnet mask     Method
GigabitEthernet0/0   inside   192.168.1.1   255.255.255.0   manual
GigabitEthernet0/1   outside  10.0.0.1      255.255.255.0   manual

NAT configuration:

object network INSIDE-RANGE
 subnet 192.168.1.0 255.255.255.0
object network FOREIGN_NETWORK
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static INSIDE-RANGE INSIDE-RANGE destination static FOREIGN_NETWORK FOREIGN_NETWORK no-proxy-arp route-lookup

This identity (NAT exemption) rule keeps the VPN traffic untranslated so that it still matches the crypto ACL after the NAT lookup.
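Before the tunnel is brought up it is worth checking the two peers' configurations against each other, because the two conditions that most often stop a negotiation are an IKE policy with no match on the other side and crypto ACLs that are not mirror images. The script below is an added example and not code from the Cisco document or the ASA; it models the policy comparison the responder performs (the "Matches global IKE entry # N" debug) and the mirrored-ACL check made on the quick mode proxy IDs. PEER_A is the configuration shown above; PEER_B is a constructed mirror image with an additional AES policy, and PEER_B_BAD is a constructed mismatch. The lifetime handling (the shorter value wins, and lifetime is not part of the match) is an assumption that simplifies the real negotiation.

```python
"""Compare two ASA IKEv1 configurations for phase 1 policy compatibility and
mirrored crypto ACLs. Added example, not from the Cisco document; sample
configs are constructed (PEER_A copies the page's config)."""
import re

POLICY_RE = re.compile(r"crypto (?:isakmp|ikev1) policy (\d+)$")
ACL_RE = re.compile(
    r"access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for each IKE policy block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        parts = line.split(None, 1)
        if current is not None and len(parts) == 2 and parts[0] in POLICY_ATTRS:
            current[parts[0]] = parts[1]
        elif line:
            current = None  # any other top-level line ends the policy block
    return policies


def parse_crypto_acl(config, name):
    """Set of (proto, src, src_mask, dst, dst_mask) tuples for one ACL."""
    entries = set()
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group(1) == name:
            entries.add(m.groups()[1:])
    return entries


def negotiate_phase1(initiator, responder):
    """First compatible policy pair, walking both sides in priority order
    (simplified model of the responder's search). Assumption: lifetime is
    not part of the match and the shorter configured value is used."""
    for i_prio in sorted(initiator):
        for r_prio in sorted(responder):
            i, r = initiator[i_prio], responder[r_prio]
            if all(i.get(a) == r.get(a) for a in MATCH_ATTRS):
                lifetime = min(int(i.get("lifetime", "86400")),
                               int(r.get("lifetime", "86400")))
                return {"initiator_policy": i_prio,
                        "responder_policy": r_prio, "lifetime": lifetime}
    return None


def mirror(entry):
    proto, src, smask, dst, dmask = entry
    return (proto, dst, dmask, src, smask)


def mirror_mismatches(acl_a, acl_b):
    """ACEs without a mirror image on the other peer; the responder rejects
    QM1 when the proxy IDs do not match one of its own ACEs."""
    return {"only_on_a": sorted(e for e in acl_a if mirror(e) not in acl_b),
            "only_on_b": sorted(e for e in acl_b if mirror(e) not in acl_a)}


def check_peers(cfg_a, cfg_b, acl_name="VPN"):
    return {"phase1": negotiate_phase1(parse_isakmp_policies(cfg_a),
                                       parse_isakmp_policies(cfg_b)),
            "acl": mirror_mismatches(parse_crypto_acl(cfg_a, acl_name),
                                     parse_crypto_acl(cfg_b, acl_name))}


# Constructed sample configs. PEER_A copies the page; PEER_B is its mirror.
PEER_A = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
access-list VPN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
PEER_B = """\
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
access-list VPN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN extended permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
# Constructed mismatch: one ACE on peer B uses a /25 instead of the /24.
PEER_B_BAD = PEER_B.replace(
    "permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.128")

if __name__ == "__main__":
    print(check_peers(PEER_A, PEER_B))
    print(check_peers(PEER_A, PEER_B_BAD))
```

With PEER_B the tool reports that peer A's policy 10 matches peer B's policy 20 and that every ACE is mirrored; with PEER_B_BAD the icmp ACE is listed on both sides as unmirrored, which is the configuration error behind a quick mode proposal that the responder refuses.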
Debug walkthrough

Each step below gives a description of what the peer is doing, followed by the debug lines that correspond to it on that peer. Odd-numbered messages (MM1, MM3, MM5, QM1, QM3) are sent by the initiator; even-numbered messages (MM2, MM4, MM6, QM2) by the responder.

Note: The initiator-side and responder-side debugs were captured from separate negotiations. This is why the quick mode message IDs (7b80c2b0 on the initiator, 52481cf5 on the responder) and the SPIs do not match across the two sides; within a single negotiation the responder echoes the initiator's message ID. Compare the sequence of messages and payloads, not the values.

Initiator: Main mode exchange begins; no policies have been shared, and the peers are still in MM_NO_STATE. As the initiator, the ASA starts to construct the payload.
    [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Initiator: Construct MM1. This includes the initial IKE proposal and the supported NAT-T vendor IDs.
    [IKEv1 DEBUG]: IP = 10.0.0.2, constructing ISAKMP SA payload
    [IKEv1 DEBUG]: IP = 10.0.0.2, constructing NAT-Traversal VID ver 02 payload

Initiator: Send MM1.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168

==========================MM1=============================>

Responder: MM1 received from initiator.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 164

Responder: Process MM1. The comparison of ISAKMP/IKE policies begins, and the remote peer advertises that it supports NAT-T.
Related configuration:
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    [IKEv1 DEBUG]: IP = 10.0.0.2, processing SA payload
    [IKEv1 DEBUG]: IP = 10.0.0.2, Oakley proposal is acceptable
    [IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
    [IKEv1 DEBUG]: IP = 10.0.0.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2

Responder: Construct MM2. In this message the responder selects the ISAKMP policy settings to use and advertises the NAT-T versions it supports.
    [IKEv1 DEBUG]: IP = 10.0.0.2, constructing ISAKMP SA payload

Responder: Send MM2.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE(0) total length : 128

<========================MM2==============================

Initiator: MM2 received from responder.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104

Initiator: Process MM2.
    [IKEv1 DEBUG]: IP = 10.0.0.2, processing SA payload

Initiator: Construct MM3. This includes the NAT discovery (NAT-D) payloads, the nonce, the Diffie-Hellman key exchange (KE) payload that carries the initiator's public value "A" (the DH group, and with it g and p, was already agreed in the SA payload), and the vendor ID that advertises DPD support.
    Nov 30 10:38:29 [IKEv1 DEBUG]: IP = 10.0.0.2, constructing ke payload

Initiator: Send MM3.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304

==============================MM3========================>

Responder: MM3 received from initiator.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 284

Responder: Process MM3. From the NAT-D payloads the responder can determine whether the initiator is behind NAT and whether the responder itself is behind NAT. From the KE payload the responder obtains the initiator's DH public value "A".
    [IKEv1 DEBUG]: IP = 10.0.0.2, processing ke payload

Responder: Construct MM4. This includes the NAT discovery payloads, the responder's own DH key exchange (the responder generates its public value "B", which it sends back to the initiator, and derives the shared secret "s"), and the DPD vendor ID.
    [IKEv1 DEBUG]: IP = 10.0.0.2, computing NAT Discovery hash

Responder: The peer is associated with the 10.0.0.2 L2L tunnel group, and the encryption and hash keys are generated from the shared secret "s" and the pre-shared key.
    [IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group 10.0.0.2

Responder: Send MM4.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

<===========================MM4===========================

Initiator: MM4 received from responder.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304

Initiator: Process MM4. From the NAT-D payloads the initiator can now determine whether it is behind NAT and whether the responder is behind NAT.
    [IKEv1 DEBUG]: IP = 10.0.0.2, processing ke payload

Initiator: The peer is associated with the 10.0.0.2 L2L tunnel group, and the initiator generates the encryption and hash keys from the shared secret "s" and the pre-shared key.
    [IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group 10.0.0.2
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Generating keys for Initiator...

Initiator: Construct MM5.
Related configuration:
    crypto isakmp identity auto
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing ID payload

Initiator: Send MM5.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96

Initiator: NAT detection result. Neither end is behind NAT, so NAT-T is not required.
    [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

===========================MM5===========================>

Responder: MM5 received from initiator. This message carries the remote peer's identity (ID), which lands the connection on a particular tunnel group.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64

Responder: Process MM5. Authentication with pre-shared keys begins now. Authentication occurs on both peers, so two corresponding sets of authentication messages appear.
Related configuration:
    tunnel-group 10.0.0.2 type ipsec-l2l
    tunnel-group 10.0.0.2 ipsec-attributes
     pre-shared-key cisco
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing ID payload
    [IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group 10.0.0.2

Responder: NAT detection result. No NAT-T is required in this case.
    [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

Responder: Construct MM6. The responder sends its own identity to the remote peer and its rekey timers are started.
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, constructing ID payload

Responder: Send MM6.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96

Responder: Phase 1 complete. The ISAKMP rekey timer is started.
Related configuration:
    tunnel-group 10.0.0.2 type ipsec-l2l
    tunnel-group 10.0.0.2 ipsec-attributes
     pre-shared-key cisco
    [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 1 COMPLETED

<===========================MM6===========================

Initiator: MM6 received from responder.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64

Initiator: Process MM6. This includes the remote identity sent by the peer and the final decision on which tunnel group to use.
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing ID payload

Initiator: Phase 1 complete. The ISAKMP rekey timer is started.
Related configuration:
    tunnel-group 10.0.0.2 type ipsec-l2l
    tunnel-group 10.0.0.2 ipsec-attributes
     pre-shared-key cisco
    [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 1 COMPLETED

Initiator: Phase 2 (quick mode) begins.
    IPSEC: New embryonic SA created @ 0x53FC3C00,

Initiator: Construct QM1. This includes the proxy IDs and the IPsec policies.
Related configuration:
    access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, IKE got SPI from key engine: SPI = 0xfd2d851f
    [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, IKE Initiator sending Initial Contact

Initiator: Send QM1.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200

===============================QM1========================>

Responder: QM1 received from initiator. The responder starts phase 2 (QM).
    [IKEv1 DECODE]: IP = 10.0.0.2, IKE Responder starting QM: msg id = 52481cf5
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=52481cf5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172

Responder: Process QM1. The remote proxies are compared with the local ones and an acceptable IPsec policy is selected.
Related configuration:
    crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
    access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    crypto map MAP 10 match address VPN
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing hash payload

Responder: The remote and local subnets (192.168.2.0/24 and 192.168.1.0/24) are received.
    [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0
    [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.2.0, Mask 255.255.255.0, Protocol 1, Port 0
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing ID payload

Responder: A matching static crypto map entry is looked up and found.
    [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, QM IsRekeyed old sa not found by addr

Responder: Construct QM2. This includes confirmation of the proxy identities and the tunnel type, and a check that the crypto ACLs on the two peers are mirror images of each other.
    [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, IKE: requesting SPI!

Responder: Send QM2.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=52481cf5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172

<============================QM2===========================

Initiator: QM2 received from responder.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200

Initiator: Process QM2. The remote end returns its parameters and the shorter of the proposed phase 2 lifetimes is picked.
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing hash payload

Initiator: Found matching crypto map "MAP", entry 10, and matched it against access-list "VPN".
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, NP encrypt rule look up for crypto map MAP 10 matching ACL VPN: returned cs_id=53f11198; rule=53f11a90

Initiator: The appliance has generated the SPIs 0xfd2d851f and 0xdde50931 for inbound and outbound traffic respectively.
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Generating Quick Mode Key!

Initiator: Construct QM3. All created SPIs are confirmed to the remote peer.
    IPSEC: Completed host IBSA update, SPI 0xFD2D851F

Initiator: Send QM3.
    [IKEv1 DECODE]: Group = 10.0.0.2, IP = 10.0.0.2, IKE Initiator sending 3rd QM pkt: msg id = 7b80c2b0
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + NONE (0) total length : 76

=============================QM3==========================>

Initiator: Phase 2 complete. The initiator is now ready to encrypt and decrypt packets with these SPI values.

Responder: QM3 received from initiator.
    [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=52481cf5) with payloads : HDR + HASH (8) + NONE (0) total length : 52

Responder: Process QM3. The encryption keys for the data SAs are generated and the SPIs are installed so that traffic can pass.
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, processing hash payload

Responder: SPIs are assigned to the data SAs.
    [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Security negotiation complete for LAN-to-LAN Group (10.0.0.2) Responder, Inbound SPI = 0x1698cac7, Outbound SPI = 0xdb680406
    IPSEC: Completed host IBSA update, SPI 0x1698CAC7

Responder: The IPsec rekey timer is started.
    [IKEv1 DEBUG]: Group = 10.0.0.2, IP = 10.0.0.2, Starting P2 rekey timer: 3060 seconds.

Responder: Phase 2 complete. Both responder and initiator can now encrypt and decrypt traffic.
    [IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 2 COMPLETED (msgid=52481cf5)
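The walkthrough above is read by looking at the payload list in each IKE_DECODE SENDING/RECEIVED line: SA alone is MM1/MM2, KE plus NONCE is MM3/MM4, ID plus HASH with msgid=0 is MM5/MM6, a non-zero msgid with an SA payload is QM1/QM2, and a HASH-only message with a non-zero msgid is QM3. The script below is an added example and not code from the Cisco document or the ASA; it applies exactly that mapping to a debug capture and reports where the negotiation stopped, which is the first question when a tunnel does not come up. The sample lines are constructed from the initiator-side debugs on this page (the initiator's PHASE 2 COMPLETED line is constructed, since the page only shows the responder's), plus a constructed capture of an initiator whose MM1 is never answered.

```python
"""Summarise ASA 'debug crypto ikev1' output: which main mode / quick mode
messages were seen and where the negotiation stopped. Added example, not
from the Cisco document; sample captures are constructed from the page."""
import re

DECODE_RE = re.compile(
    r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=([0-9a-fA-F]+)\)"
    r" with payloads : (.*?) total length")
PAYLOAD_RE = re.compile(r"\+\s*([A-Z][A-Za-z -]*?)\s*\(\d+\)")
LANDED_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
NAT_RE = re.compile(r"Automatic NAT Detection Status: (.+)")
PHASE_RE = re.compile(r"PHASE ([12]) COMPLETED")


def payload_types(payload_text):
    """'HDR + SA (1) + VENDOR (13) + NONE (0)' -> {'SA', 'VENDOR'}."""
    return set(PAYLOAD_RE.findall(payload_text)) - {"NONE"}


def classify(direction, msgid, payloads, role):
    """Name the IKEv1 message on one IKE_DECODE line.

    role ('initiator' or 'responder') is the role of the device whose
    debugs are being read. Main mode uses msgid 0, quick mode a non-zero
    msgid; the payload set picks the message pair and the direction picks
    the member, since odd-numbered messages always come from the initiator."""
    we_sent = direction == "SENDING"
    from_initiator = we_sent if role == "initiator" else not we_sent
    if int(msgid, 16) == 0:
        if "KE" in payloads:
            pair = ("MM3", "MM4")
        elif "ID" in payloads:
            pair = ("MM5", "MM6")
        elif "SA" in payloads:
            pair = ("MM1", "MM2")
        else:
            return "MM?"
    elif "SA" in payloads:
        pair = ("QM1", "QM2")
    elif not payloads - {"HASH"}:
        pair = ("QM3", "QM3")          # HASH-only third quick mode packet
    else:
        return "INFO"                  # e.g. HASH + NOTIFY (DPD) or + DELETE
    return pair[0] if from_initiator else pair[1]


def analyze(lines, role="initiator"):
    """Message sequence, tunnel group, NAT result and completed phases."""
    summary = {"messages": [], "tunnel_group": None, "nat": None,
               "phase1": False, "phase2": False}
    for line in lines:
        m = DECODE_RE.search(line)
        if m:
            direction, msgid, text = m.groups()
            summary["messages"].append(
                classify(direction, msgid, payload_types(text), role))
            continue
        if m := LANDED_RE.search(line):
            summary["tunnel_group"] = m.group(1)
        if m := NAT_RE.search(line):
            summary["nat"] = m.group(1).strip()
        if m := PHASE_RE.search(line):
            summary["phase" + m.group(1)] = True
    return summary


def last_step(summary):
    """Where the negotiation stopped. MM1 retransmitted with no MM2 points
    at reachability, UDP/500 filtering or no matching IKE policy; stuck
    after MM5/MM6 points at the pre-shared key; stuck in quick mode at the
    crypto ACLs or transform set."""
    if summary["phase2"]:
        return "phase 2 complete"
    if summary["phase1"]:
        return "phase 1 complete, stuck in quick mode"
    if summary["messages"]:
        return "stuck after " + summary["messages"][-1]
    return "no IKE messages seen"


# Constructed from the page's initiator-side debugs.
MM1 = ("[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : "
       "HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168")
SAMPLE_INITIATOR = [
    "[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0",
    MM1,
    "[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104",
    "[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304",
    "[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304",
    "[IKEv1]: IP = 10.0.0.2, Connection landed on tunnel_group 10.0.0.2",
    "[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) +VENDOR (13) + NONE (0) total length : 96",
    "[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device",
    "[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64",
    "[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 1 COMPLETED",
    "[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200",
    "[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200",
    "[IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=7b80c2b0) with payloads : HDR + HASH (8) + NONE (0) total length :76",
    "[IKEv1]: Group = 10.0.0.2, IP = 10.0.0.2, PHASE 2 COMPLETED (msgid=7b80c2b0)",  # constructed
]
# Constructed: the peer never answers, so MM1 is retransmitted.
SAMPLE_STALLED = [MM1, MM1, MM1]

if __name__ == "__main__":
    for capture in (SAMPLE_INITIATOR, SAMPLE_STALLED):
        s = analyze(capture)
        print(s["messages"], "->", last_step(s))
```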
Tunnel Verification

Note: Because ICMP was used to trigger the tunnel, only one IPsec SA pair is up, for the icmp line of the crypto ACL (protocol 1 = ICMP). The tcp line of the ACL negotiates its own SA pair when matching traffic appears.

ciscoasa# show crypto ipsec sa
interface: outside
    Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1

      access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/1/0)
      current_peer: 10.0.0.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.0.0.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: DB680406
      current inbound spi : 1698CAC7

    inbound esp sas:
      spi: 0x1698CAC7 (379112135)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16384, crypto-map: MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xDB680406 (3681027078)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16384, crypto-map: MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ciscoasa# show crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.0.0.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
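Once the tunnel reports MM_ACTIVE, the counters in show crypto ipsec sa are what tell you whether traffic actually flows in both directions: encaps without decaps means the remote side never returns (or never encrypts) the reply, and the reverse means this side drops or mistranslates traffic before the crypto map sees it. The script below is an added example and not code from the Cisco document or the ASA; it extracts the SPIs, proxy identities, counters and lifetimes from the output above (SAMPLE is constructed from it) and flags those symptoms, with SAMPLE_ONE_WAY as a constructed variant in which nothing is ever decapsulated.

```python
"""Parse 'show crypto ipsec sa' output and flag missing SAs, one-way traffic
and send/receive errors. Added example, not from the Cisco document; SAMPLE
is constructed from the page's output, SAMPLE_ONE_WAY is a constructed variant."""
import re

FIELDS = {
    "peer": re.compile(r"current_peer: (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
    "out_spi": re.compile(r"current outbound spi: ([0-9A-Fa-f]+)"),
    "in_spi": re.compile(r"current inbound spi\s*: ([0-9A-Fa-f]+)"),
}
STRING_FIELDS = ("peer", "out_spi", "in_spi")
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
LIFE_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_ipsec_sa(text):
    """Return the fields of the (single) SA pair in the output."""
    sa = {"idents": {}, "lifetimes_sec": []}
    for line in text.splitlines():
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                sa[key] = m.group(1) if key in STRING_FIELDS else int(m.group(1))
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask, proto, port = m.groups()
            sa["idents"][side] = (addr, mask, int(proto), int(port))
        m = LIFE_RE.search(line)
        if m:
            sa["lifetimes_sec"].append(int(m.group(2)))
    return sa


def diagnose(sa):
    """List of findings; an empty list means the SA pair looks healthy."""
    if "out_spi" not in sa:
        return ["no IPsec SA installed: phase 2 never completed, read the IKE debugs"]
    findings = []
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("one-way: we encrypt but never decrypt; check return "
                        "routing/NAT on the remote side and its crypto ACL")
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way: we decrypt but never encrypt; check local "
                        "routing, NAT exemption and crypto ACL")
    if sa.get("send_errors", 0) or sa.get("recv_errors", 0):
        findings.append("send/receive errors present on the SA")
    return findings


# Constructed from the page's show crypto ipsec sa output.
SAMPLE = """\
interface: outside
    Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1

      access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/1/0)
      current_peer: 10.0.0.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0

      current outbound spi: DB680406
      current inbound spi : 1698CAC7

    inbound esp sas:
      spi: 0x1698CAC7 (379112135)
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
    outbound esp sas:
      spi: 0xDB680406 (3681027078)
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
"""
# Constructed variant: packets go out but nothing ever comes back.
SAMPLE_ONE_WAY = SAMPLE.replace("#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4",
                                "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")

if __name__ == "__main__":
    for text in (SAMPLE, SAMPLE_ONE_WAY):
        sa = parse_ipsec_sa(text)
        print(sa["in_spi"], sa["out_spi"], sa["encaps"], sa["decaps"], diagnose(sa))
```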