Cisco – Cisco ASAv Not Building Up Child SA

Tags: cisco, cisco-asa, cisco-ios, ipsec

Background information

I have a Cisco 2911 router and a Cisco ASAv connected using an IKEv2-based IPsec tunnel. The tunnel initially comes up fine as soon as there is some traffic from the router's end. The router is mobile, hence it has changing outside addresses and is always the initiator. On the ASA side, the VPN peer is therefore not configured; a dynamic crypto map is used.

There are two SAs defined for the IPsec connection; the left network is the router's side, the right networks are the ASA's.

  • 192.168.10.0/24 <=> xx.xx.66.0/24
  • 192.168.10.0/24 <=> 192.168.255.0/24

192.168.10.0/24 is a network behind the router, while xx.xx.66.0/24 is the network behind the ASA and 192.168.255.0/24 is the IP pool for AnyConnect clients connecting to the ASA.

To fire up the tunnel as soon as the router starts and has an IP address assigned on its outside interface (Gi 0/0), the router has an NTP server configured which is in the xx.xx.66.0/24 network. This actually works fine: the IKEv2 SA is up and working, and the first child SA is also up and running.

Problem statement

The second SA (192.168.10.0/24 <=> 192.168.255.0/24) however only works when I first initiate the SA from the router's end by sending some packets (for example with ping 192.168.255.10 source vlan 10 repeat 1, where the .10 is completely random). Then the SA is up and I can connect to the router from the AnyConnect pool. This, however, is not the idea of this concept, as the tunnel should be established such that the support engineers connected to the ASA via AnyConnect can access the router and troubleshoot any issues.

Looking at the debug output from debug crypto ikev2 protocol 50, debug crypto ikev2 platform 50 and debug crypto ipsec 50 does not show any hint that the ASA even tries to build the tunnel.

Configurations

Here are the relevant parts of both configurations. If you are missing anything, please let me know.

Cisco 2911 Router, Running IOS 15.4(3)M3 w/ security license

ip cef
license boot module c2900 technology-package securityk9
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 keyring EzVPNKeys
 peer MR-ASA
  address 146.140.xx.xx
  pre-shared-key local xxx1
  pre-shared-key remote xxx2
!
crypto ikev2 profile MobileRacks
 match identity remote address xx.xx.193.9 255.255.255.255 
 identity local key-id MobileRacks
 authentication remote pre-share
 authentication local pre-share
 keyring local EzVPNKeys
!
crypto ipsec transform-set AES256-SHA-512 esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
crypto map FlexVPN 10 ipsec-isakmp 
 set peer xx.xx.193.9
 set transform-set AES256-SHA-512 
 set pfs group14
 set ikev2-profile MobileRacks
 match address FlexVPN
!
interface GigabitEthernet0/0
 description outside
 ip address dhcp
 crypto map FlexVPN
!
interface Vlan10
 description management
 ip address 192.168.10.254 255.255.255.0
 ip access-group VL10-MGMT-IN out
 ip virtual-reassembly in
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended FlexVPN
 permit ip 192.168.10.0 0.0.0.255 146.140.66.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.255.0 0.0.0.255
!
ntp source Vlan10
ntp server xx.xx.66.230

Cisco ASAv5, Running ASA Version 9.6(1)

ip local pool AnyConnectPool 192.168.255.10-192.168.255.254 mask 255.255.255.0
! Is used for AnyConnect, not shown here
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.193.9 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address xx.xx.66.26 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list outside_cryptomap_eventrack extended permit ip xx.xx.66.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list outside_cryptomap_eventrack extended permit ip 192.168.255.0 255.255.255.0 192.168.10.0 255.255.255.0 
!
crypto ipsec ikev2 ipsec-proposal FhG-AES-IKEv2
 protocol esp encryption aes-256
 protocol esp integrity sha-512
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map ConsoleServerConnectionProfile 10 match address outside_cryptomap_eventrack
crypto dynamic-map ConsoleServerConnectionProfile 10 set pfs group14
crypto dynamic-map ConsoleServerConnectionProfile 10 set ikev2 ipsec-proposal FhG-AES-IKEv2
crypto dynamic-map ConsoleServerConnectionProfile 10 set security-association lifetime seconds 3600
crypto dynamic-map ConsoleServerConnectionProfile 10 set reverse-route
crypto map MapOutside 1 ipsec-isakmp dynamic ConsoleServerConnectionProfile
crypto map MapOutside 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MapOutside interface outside
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 14     
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
!
group-policy IKEv2GroupPolicy internal
group-policy IKEv2GroupPolicy attributes
 vpn-tunnel-protocol ikev2 
!
tunnel-group MobileRacks type ipsec-l2l
tunnel-group MobileRacks general-attributes
 default-group-policy IKEv2GroupPolicy
tunnel-group MobileRacks ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Additional Output

From the ASA's perspective (the peer IP being the DHCP-assigned outside IP of the router), show ipsec sa peer xx.xx.xx.xx detail:

peer address: xx.xx.222.246
    Crypto map tag: ConsoleServerConnectionProfile, seq num: 10, local addr: xx.xx.193.9

      access-list outside_cryptomap_eventrack extended permit ip xx.xx.66.0 255.255.255.0 192.168.10.0 255.255.255.0 
      local ident (addr/mask/prot/port): (xx.xx.66.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: xx.xx.xx.xx


      #pkts encaps: 16684, #pkts encrypt: 16684, #pkts digest: 16684
      #pkts decaps: 16834, #pkts decrypt: 16834, #pkts verify: 16834
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 16684, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: xx.xx.193.9/500, remote crypto endpt.: xx.xx.222.246/500
      path mtu 1500, ipsec overhead 94(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 50D61913
      current inbound spi : 1BA74E8D

    inbound esp sas:
      spi: 0x1BA74E8D (463949453)
         transform: esp-aes-256 esp-sha-512-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         slot: 0, conn_id: 49152, crypto-map: ConsoleServerConnectionProfile
         sa timing: remaining key lifetime (kB/sec): (4146528/1834)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x50D61913 (1356208403)
         transform: esp-aes-256 esp-sha-512-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         slot: 0, conn_id: 49152, crypto-map: ConsoleServerConnectionProfile
         sa timing: remaining key lifetime (kB/sec): (4192686/1834)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

From the router's perspective, show crypto ipsec sa detail:

interface: GigabitEthernet0/0
    Crypto map tag: FlexVPN, local addr xx.xx.222.246

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (xx.xx.66.0/255.255.255.0/0/0)
   current_peer xx.xx.193.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 18179, #pkts encrypt: 18179, #pkts digest: 18179
    #pkts decaps: 18024, #pkts decrypt: 18024, #pkts verify: 18024
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: xx.xx.222.246, remote crypto endpt.: xx.xx.193.9
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x1BA74E8D(463949453)
     PFS (Y/N): Y, DH group: group14

     inbound esp sas:
      spi: 0x50D61913(1356208403)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2015, flow_id: Onboard VPN:15, sibling_flags 80000040, crypto map: FlexVPN
        sa timing: remaining key lifetime (k/sec): (4166728/1692)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1BA74E8D(463949453)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2016, flow_id: Onboard VPN:16, sibling_flags 80000040, crypto map: FlexVPN
        sa timing: remaining key lifetime (k/sec): (4166663/1692)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.255.0/255.255.255.0/0/0)
   current_peer xx.xx.193.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: xx.xx.222.246, remote crypto endpt.: xx.xx.193.9
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Interesting to see that the router shows two SAs, despite one of them being down, while the ASA shows only one.

Bringing up the SA

I can bring up the SA from the router:

mobilerack1-rtr#ping 192.168.255.10 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.255.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.254 

Jun 27 14:57:54.863: [ACL FlexVPN]: state = ACL notify RP action 
Jun 27 14:57:55.163: IPSEC:(SESSION ID = 2) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 10 dynamic seqno 0
Jun 27 14:57:55.163: [ACL FlexVPN]: state = ACL KMI create SA for PtoP 
Jun 27 14:57:55.163: [KMI Forward]: state = KMI Initializing 
Jun 27 14:57:55.163: [KMI Forward]: state = change priority 
Jun 27 14:57:55.163: [KMI Forward]: state = forward 
Jun 27 14:57:55.163: [Ident 80000008]: state = Check. redundant request 
Jun 27 14:57:55.163: [Ident 80000008]: state = Allocate Session 
Jun 27 14:57:55.163: [Session]: state = Session Initialization 
Jun 27 14:57:55.163: [Ident 80000008]: state = Insert Peer 
Jun 27 14:57:55.163: [Ident 80000008]: state = Allocate Sibling 
Jun 27 14:57:55.163: [Sibling]: state = Sibling Initialization 
Jun 27 14:57:55.163: [Ident 80000008]: state = Create In/Outbound SAs 
Jun 27 14:57:55.163: [Ident 80000008]: state = Ident Set Replay 
Jun 27 14:57:55.163: [Ident 80000008]: state = Send SAs to sibling and install them 
Jun 27 14:57:55.163: [Sibling]: state = Hook Session 
Jun 27 14:57:55.167: [Session]: state = Add Sibling to Session List 
Jun 27 14:57:55.167: [Sibling]: state = Fill Sibling with CE data 
Jun 27 14:57:55.167: [Sibling 52EE23C6]: state = Hook SA Struct to Sibling 
Jun 27 14:57:55.167: [Sibling 52EE23C6]: state = Install SPI 
Jun 27 14:57:55.167: [Sibling 52EE23C6]: state = Del Transient SPI 
Jun 27 14:57:55.167: [Ident 80000008]: state = Check. Outbound Enable Status 
Jun 27 14:57:55.167: [Ident 80000008]: state = Got Enable Outbound SA 
Jun 27 14:57:55.167: [Ident 80000008]: state = Select Outbound SA 
Jun 27 14:57:55.167: [Ident 80000008]: state = Install New Outbound SA 
Jun 27 14:57:55.167: [Ident 80000008]: state = Set flow_installed 
Jun 27 14:57:55.167: IPSEC:(SESSION ID = 2) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open

Jun 27 14:57:55.167: [Ident 80000008]: state = Check Install SA Declare Success 
Jun 27 14:57:55.167: [Ident 80000008]: state = Declare success 
Jun 27 14:57:55.167: [KMI Forward]: state = success 
Jun 27 14:57:55.167: [KMI Forward]: deleting state machine 
Jun 27 14:57:55.167: [ACL FlexVPN]: state = ACL KMI check result ...

Best Answer

Since you are dealing with a dynamic crypto map, traffic must be initiated from your router. Using IP SLA you could schedule an ICMP operation from your VLAN10 interface to the AnyConnect IP range that runs at a defined time interval.

IP SLA Config Guide: http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_sla/configuration/guide/hsla_c/hsicmp.html

Let me know if you need a config example.
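As an added illustration of the approach the answer describes (this is not the answer's own config, nor taken from the question's router), the following IOS fragment for the 2911 generates the "interesting traffic" that matches the second line of the FlexVPN crypto ACL (192.168.10.0/24 -> 192.168.255.0/24), so the router, as the only side that can initiate against the ASA's dynamic crypto map, builds the second child SA on its own. The operation number 10, the probe target 192.168.255.10 (an arbitrary address inside the AnyConnect pool) and the 60-second frequency are assumptions; pick whatever fits your pool and SA lifetime.

```ios
! Added example: periodic ICMP probe from Vlan10 into the AnyConnect pool.
! Operation number, target address and timers are assumed values.
ip sla 10
 ! Sourced from Vlan10 so the packet is 192.168.10.254 -> 192.168.255.10,
 ! which matches "permit ip 192.168.10.0 0.0.0.255 192.168.255.0 0.0.0.255"
 ! in the FlexVPN ACL and therefore triggers the child SA negotiation.
 icmp-echo 192.168.255.10 source-interface Vlan10
 ! Send one probe every 60 s (well below the 3600 s SA lifetime set on the
 ! ASA) so the SA keeps seeing traffic and is rekeyed instead of expiring.
 frequency 60
 ! Do not wait long for a reply; the address may be unassigned in the pool.
 timeout 1000
! Start now and keep running across the router's uptime.
ip sla schedule 10 life forever start-time now
```

The probe does not need to be answered: a host at 192.168.255.10 may or may not exist, but the outbound packet alone is enough for the crypto map to request the SA, which is the same effect as the manual ping in the question. After applying this, show ip sla statistics 10 should show the operation running, and show crypto ipsec sa on the router should show non-zero #pkts encaps and a populated outbound spi for the 192.168.10.0/24 <=> 192.168.255.0/24 entry; show ipsec sa on the ASA should then list both crypto ACL entries.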