KB ID 0001218
Problem
This week I was trying to get a VPN tunnel up for a client: a site-to-site tunnel from their Cisco ASA into Microsoft Azure. Normally I'd use IKEv1 (because I know how to troubleshoot it!), but the Azure side was a route-based VPN gateway, which needs IKEv2 (Azure's policy-based gateways use IKEv1).
So I converted the tunnel from IKEv1 to IKEv2. As I said, I'm used to debugging IKEv1 but not IKEv2, so I was struggling to make sense of what was going on. The 'interesting traffic' was spawning a LOT of IKE (phase 1) SAs, but the IPsec (phase 2) child SA never came up, so no traffic passed. Note the summary line below: 25 IKE SAs to the same peer and a CHILD count of zero.
[box]
Clients-ASA(config)# show cry isa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:151, Status:UP-IDLE, IKE count:25, CHILD count:0
Tunnel-id Local Remote Status Role
526939783 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4423 sec
Tunnel-id Local Remote Status Role
3227575251 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4425 sec
Tunnel-id Local Remote Status Role
3073641799 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4482 sec
-----------------Further Output Removed for the Sake of Brevity------------------
[/box]
A debug of IKEv2 (debug crypto ikev2 protocol) was pretty confusing, but it did reveal this: the responder receives a valid IKE_SA_INIT, then tears the SA down with "Failed to allocate memory" and the peer simply starts again, which is where the pile of phase 1 SAs comes from.
[box]
Decrypted packet:Data: 616 bytes
IKEv2-PROTO-1: Failed to allocate memory
IKEv2-PROTO-1:
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-5: Action: Action_Null
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-3: Abort exchange
IKEv2-PROTO-2: Deleting SA
IKEv2-PROTO-3: Rx [L 222.222.222.222:500/R 123.123.123.123:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:E212F1C2B09EC680 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: E212F1C2B09EC680 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 616
[/box]
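The quickest way to read the two outputs above is to pull the numbers out rather than scroll through 25 copies of the same tunnel. The following Python script is an added example for this article, not code from the original post or from Cisco: it parses the shape of `show crypto ikev2 sa` (session line, tunnel line, proposal line) and of the `debug crypto ikev2 protocol` trace, flags sessions that have IKE SAs but no child SA, counts duplicate IKE SAs per peer, marks legacy proposals, and lists the SPIs that were deleted right after the "Failed to allocate memory" line. The two sample strings are constructed to mirror the article's output (not captured from a live box), and the regexes are assumptions about that text layout.

```python
"""Triage helpers for ASA IKEv2 output (added example, not from the original article)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `show crypto ikev2 sa`; shape copied from the article's box.
SHOW_IKEV2_SA = """\
IKEv2 SAs:
Session-id:151, Status:UP-IDLE, IKE count:25, CHILD count:0
Tunnel-id Local Remote Status Role
526939783 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4423 sec
Tunnel-id Local Remote Status Role
3227575251 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4425 sec
"""

# Constructed sample of the relevant `debug crypto ikev2 protocol` lines.
DEBUG_IKEV2 = """\
Decrypted packet:Data: 616 bytes
IKEv2-PROTO-1: Failed to allocate memory
IKEv2-PROTO-1:
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-3: Abort exchange
IKEv2-PROTO-2: Deleting SA
"""

# Assumed text layout of the ASA output (matches the samples above).
SESSION_RE = re.compile(r"Session-id:(\d+), Status:(\S+), IKE count:(\d+), CHILD count:(\d+)")
TUNNEL_RE = re.compile(r"^(\d+) ([^\s/]+)/(\d+) ([^\s/]+)/(\d+) (\S+) (\S+)$")
CRYPTO_RE = re.compile(r"Encr: (\S+), Hash: (\S+), DH Grp:(\d+)")
SPI_RE = re.compile(r"I_SPI=([0-9A-F]+) R_SPI=([0-9A-F]+)")

# Legacy proposal values still offered by old ASA defaults.
WEAK_ENCR = {"DES", "3DES"}
WEAK_HASH = {"MD5", "MD596", "SHA96"}   # SHA96 is HMAC-SHA-1 truncated to 96 bits
WEAK_DH = {1, 2, 5}


def parse_sessions(text: str) -> List[Dict]:
    """One record per 'Session-id' summary line."""
    return [{"session_id": int(m.group(1)), "status": m.group(2),
             "ike_count": int(m.group(3)), "child_count": int(m.group(4))}
            for m in SESSION_RE.finditer(text)]


def orphaned_sessions(sessions: List[Dict]) -> List[Dict]:
    """IKE SAs with no child SA: phase 1 is up but phase 2 never completed."""
    return [s for s in sessions if s["ike_count"] > 0 and s["child_count"] == 0]


def parse_tunnels(text: str) -> List[Dict]:
    """One record per tunnel line, with the proposal from the line that follows it."""
    tunnels = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TUNNEL_RE.match(line.strip())
        if not m:
            continue
        t = {"tunnel_id": int(m.group(1)), "local": m.group(2), "remote": m.group(4),
             "status": m.group(6), "role": m.group(7), "encr": None, "hash": None, "dh": None}
        if i + 1 < len(lines):
            c = CRYPTO_RE.search(lines[i + 1])
            if c:
                t["encr"], t["hash"], t["dh"] = c.group(1), c.group(2), int(c.group(3))
        tunnels.append(t)
    return tunnels


def weak_tunnels(tunnels: List[Dict]) -> List[Dict]:
    """Tunnels negotiated with a legacy cipher, hash or DH group."""
    return [t for t in tunnels
            if t["encr"] in WEAK_ENCR or t["hash"] in WEAK_HASH or t["dh"] in WEAK_DH]


def duplicate_peers(tunnels: List[Dict]) -> Dict[str, int]:
    """Peers with more than one IKE SA: the re-spawn symptom from the article."""
    counts: Dict[str, int] = {}
    for t in tunnels:
        counts[t["remote"]] = counts.get(t["remote"], 0) + 1
    return {peer: n for peer, n in counts.items() if n > 1}


def memory_aborts(debug_text: str) -> List[Tuple[str, str]]:
    """(I_SPI, R_SPI) of every SA traced right after a 'Failed to allocate memory' line."""
    aborted, pending = [], False
    for line in debug_text.splitlines():
        if "Failed to allocate memory" in line:
            pending = True
            continue
        if pending:
            m = SPI_RE.search(line)
            if m:
                aborted.append((m.group(1), m.group(2)))
                pending = False
    return aborted


if __name__ == "__main__":
    sessions = parse_sessions(SHOW_IKEV2_SA)
    print("orphaned sessions:", orphaned_sessions(sessions))
    tunnels = parse_tunnels(SHOW_IKEV2_SA)
    print("duplicate peers:", duplicate_peers(tunnels))
    print("weak proposals:", len(weak_tunnels(tunnels)))
    print("SAs aborted after memory error:", memory_aborts(DEBUG_IKEV2))
```

On a real box, paste the full `show crypto ikev2 sa` output into SHOW_IKEV2_SA and the debug capture into DEBUG_IKEV2; a non-empty result from memory_aborts together with a session that has IKE count > 0 and CHILD count 0 is the pattern this article describes.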
Solution
The ASA was running version 8.4(6), which is not listed as being affected by this bug:
ASA IKEv2 fails to accept incoming IKEv2 connections
CSCud50997
But that was the problem: after an upgrade to 9.2(4) the tunnel came straight up without error. Before calling it done, note the proposal in the output above (3DES, SHA-1-96, DH group 2) is legacy; once the tunnel is up, move both ends to AES-256, SHA-256 and DH group 14 or higher.
Related Articles, References, Credits, or External Links
NA
It would appear I am seeing this same issue on 9.1(2).
Funny, there’s a similar error message in Classic IOS 15.5(3)M10:
%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to allocate memory
I had already configured several IKEv2 VPNs without issue but didn’t see this until trying to connect to a CheckPoint R80.30 cluster. From what I can tell, this essentially means the IKEv2 Phase 1 SA is good, but the other side is having trouble bringing up Phase 2.
This message has absolutely nothing to do with Memory or RAM, etc.
Thanks for the feedback, John. I'll post it here in case I grab any IOS-related traffic 🙂
P