KB ID 0001218
Problem
This week I was trying to get a VPN tunnel up for a client. They wanted a tunnel from their Cisco ASA into Microsoft Azure. Normally I’d use IKEv1 (because I know how to troubleshoot it!), but the guys running the site in Azure were using policy routing, which needs IKEv2.
So I converted from IKEv1 to IKEv2. As I said, I’m used to debugging IKEv1, but not IKEv2, so I was struggling to make sense of what was going on. The ‘interesting traffic’ was spawning a LOT of phase 1 tunnels, but Phase 2 IPsec refused to pass traffic.
Clients-ASA(config)# show cry isa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:151, Status:UP-IDLE, IKE count:25, CHILD count:0
Tunnel-id Local Remote Status Role
526939783 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4423 sec
Tunnel-id Local Remote Status Role
3227575251 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4425 sec
Tunnel-id Local Remote Status Role
3073641799 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4482 sec
-----------------Further Output Removed for the Sake of Brevity------------------
A debug of IKEv2 was pretty confusing, but it did reveal this:
Decrypted packet:Data: 616 bytes
IKEv2-PROTO-1: Failed to allocate memory
IKEv2-PROTO-1:
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-5: Action: Action_Null
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-3: Abort exchange
IKEv2-PROTO-2: Deleting SA
IKEv2-PROTO-3: Rx [L 222.222.222.222:500/R 123.123.123.123:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:E212F1C2B09EC680 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: E212F1C2B09EC680 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 616
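If you have to look at this output repeatedly (or across a lot of peers), it helps to pull the two tell-tale symptoms out automatically: a session whose IKE count climbs while its CHILD count stays at 0, several READY IKE SAs to the same peer, and an IKEv2 debug line “Failed to allocate memory” followed by the SA being deleted. The script below is an added example, not part of the original article and not a Cisco tool; the sample text it parses is constructed to mirror the output shown above, and the peer addresses and SPIs are the placeholder values the article already uses.

```python
"""Added example: parse an ASA 'show crypto isakmp sa' (IKEv2 section) and an
IKEv2 debug capture, and report the symptoms described in the article.
Sample text is constructed from the article's output; addresses/SPIs are the
article's own placeholder values."""
import re
from collections import Counter

# Constructed sample of 'show cry isa' (IKEv2 SAs only), trimmed to two tunnels.
SHOW_ISAKMP = """\
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:151, Status:UP-IDLE, IKE count:25, CHILD count:0
Tunnel-id Local Remote Status Role
526939783 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4423 sec
Tunnel-id Local Remote Status Role
3227575251 222.222.222.222/500 123.123.123.123/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4425 sec
"""

# Constructed sample of the 'debug crypto ikev2' lines of interest.
DEBUG = """\
Decrypted packet:Data: 616 bytes
IKEv2-PROTO-1: Failed to allocate memory
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-3: Abort exchange
IKEv2-PROTO-2: Deleting SA
IKEv2-PROTO-3: Rx [L 222.222.222.222:500/R 123.123.123.123:500/VRF i0:f0] m_id: 0x0
"""

SESSION_RE = re.compile(r"Session-id:(\d+), Status:(\S+), IKE count:(\d+), CHILD count:(\d+)")
# Tunnel rows: <tunnel-id> <local>/<port> <remote>/<port> <status> <role>
TUNNEL_RE = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)$", re.M)
ABORT_RE = re.compile(r"IKEv2-PROTO-1: Failed to allocate memory")
SPI_RE = re.compile(r"I_SPI=([0-9A-F]+) R_SPI=([0-9A-F]+).*Event: EV_DELETE")


def parse_sessions(text):
    """One dict per Session-id line. 'suspicious' is set when IKE (phase 1)
    SAs exist but no CHILD (IPsec, phase 2) SA does."""
    sessions = []
    for sid, status, ike, child in SESSION_RE.findall(text):
        ike, child = int(ike), int(child)
        sessions.append({"session_id": int(sid), "status": status,
                         "ike_count": ike, "child_count": child,
                         "suspicious": ike > 0 and child == 0})
    return sessions


def tunnels_per_peer(text):
    """Count READY IKE SAs per remote peer. More than one to the same peer
    means new phase-1 SAs are being built instead of one being reused."""
    return Counter(remote for _, _, remote, status, _ in TUNNEL_RE.findall(text)
                   if status == "READY")


def memory_aborts(text):
    """SPI pairs of SAs deleted right after a 'Failed to allocate memory' line."""
    aborts, pending = [], False
    for line in text.splitlines():
        if ABORT_RE.search(line):
            pending = True
            continue
        if pending:
            m = SPI_RE.search(line)
            if m:
                aborts.append({"i_spi": m.group(1), "r_spi": m.group(2)})
                pending = False
    return aborts


def summarise(show_text, debug_text):
    """Human-readable findings combining both inputs."""
    findings = []
    for s in parse_sessions(show_text):
        if s["suspicious"]:
            findings.append(f"session {s['session_id']}: {s['ike_count']} IKE SAs "
                            f"but {s['child_count']} CHILD SAs")
    for peer, n in tunnels_per_peer(show_text).items():
        if n > 1:
            findings.append(f"{n} READY IKE SAs to peer {peer}")
    for a in memory_aborts(debug_text):
        findings.append(f"SA I_SPI={a['i_spi']} deleted after 'Failed to allocate memory'")
    return findings


if __name__ == "__main__":
    for f in summarise(SHOW_ISAKMP, DEBUG):
        print(f)
```

Feed it the full (untrimmed) output and the per-peer counter is the quickest way to see whether one peer accounts for all the piled-up phase 1 SAs, which is what the article’s 25 IKE SAs with 0 child SAs looked like.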
Solution
The ASA was running version 8.4(6) which is not listed as being affected by this bug
Related Articles, References, Credits, or External Links
NA
21/12/2016
It would appear I am seeing this same issue on 9.1(2).
09/02/2020
Funny, there’s a similar error message in Classic IOS 15.5(3)M10:
%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to allocate memory
I had already configured several IKEv2 VPNs without issue but didn’t see this until trying to connect to a CheckPoint R80.30 cluster. From what I can tell, this essentially means the IKEv2 Phase 1 SA is good, but the other side is having trouble bringing up Phase 2.
This message has absolutely nothing to do with Memory or RAM, etc.
11/02/2020
Thanks for the feedback John, I’ll post it here in case I grab any IOS-related traffic 🙂
P