I noticed something odd about an IKEv2 VPN tunnel with a Cisco ASA. As far as I can tell, the VPN is working without any issues, but the ASA is creating an unexpected IPsec tunnel. If it is possible to clean up, that would be ideal, but if not, it doesn't seem to be causing any issues.
Setup:
The Check Point GW is running R81.10 Take 130, not sure of the Cisco ASA.
The Check Point is sending a public /29 to two different /32 devices on the ASA side. Running a debug shows that when the Cisco sends TSi for Create Child SA, it includes the following:
The first TSi with the ICMP protocol seems odd to me and the root of the issue. I have reached out to the other side with no response. Has anyone seen this before and know what setting / configuration might be causing this on the Cisco side?
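To make the "odd first TSi" concrete, here is an added example (not code from the thread, Check Point or Cisco) that parses an IKEv2 Traffic Selector payload as laid out in RFC 7296 section 3.13 and checks each selector against the subnet pair an administrator expects. A selector that is restricted to one IP protocol (ICMP is protocol 1), to a port range, or to an address range that is not exactly one expected subnet is flagged, which is the kind of entry that makes a gateway negotiate an extra, narrowed child SA. The sample payload and the 198.51.100.x addresses are constructed for the example (RFC 5737 documentation space), not values from the thread.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # TS types from RFC 7296 section 3.13.1
TS_IPV6_ADDR_RANGE = 8
PORT_ANY = (0, 65535)    # start/end port encoding for "all ports"


def build_ts_payload(selectors, next_payload=0):
    """Encode (ts_type, proto, start_port, end_port, start_ip, end_ip) tuples
    as one TSi/TSr payload. Only used here to construct the sample input."""
    body = b""
    for ts_type, proto, sport, eport, start_ip, end_ip in selectors:
        s = ipaddress.ip_address(start_ip).packed
        e = ipaddress.ip_address(end_ip).packed
        sel_len = 8 + len(s) + len(e)
        body += struct.pack("!BBHHH", ts_type, proto, sel_len, sport, eport) + s + e
    # generic payload header (next payload, flags, length) + number of TSs + 3 reserved bytes
    header = struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), len(selectors))
    return header + body


def parse_ts_payload(payload):
    """Parse a TS payload into a list of {proto, ports, start, end} dicts,
    rejecting length fields that do not match the bytes supplied."""
    if len(payload) < 8:
        raise ValueError("TS payload shorter than its 8-byte header")
    _next, _flags, length, num_ts = struct.unpack("!BBHB3x", payload[:8])
    if length != len(payload):
        raise ValueError(f"payload length field {length} != {len(payload)} bytes supplied")
    selectors, offset = [], 8
    for _ in range(num_ts):
        if offset + 8 > len(payload):
            raise ValueError("truncated traffic selector")
        ts_type, proto, sel_len, sport, eport = struct.unpack("!BBHHH", payload[offset:offset + 8])
        addr_len = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}.get(ts_type)
        if addr_len is None:
            raise ValueError(f"unsupported TS type {ts_type}")
        if sel_len != 8 + 2 * addr_len or offset + sel_len > len(payload):
            raise ValueError("selector length inconsistent with TS type or payload size")
        start = ipaddress.ip_address(payload[offset + 8:offset + 8 + addr_len])
        end = ipaddress.ip_address(payload[offset + 8 + addr_len:offset + sel_len])
        selectors.append({"proto": proto, "ports": (sport, eport), "start": start, "end": end})
        offset += sel_len
    if offset != len(payload):
        raise ValueError("trailing bytes after last selector")
    return selectors


def check_subnet_pair(selectors, expected_networks):
    """Return (index, reason) for every selector that is not an exact 1:1 match
    for one expected encryption-domain subnet: any protocol, any port, one whole subnet."""
    expected = {ipaddress.ip_network(n) for n in expected_networks}
    findings = []
    for i, ts in enumerate(selectors):
        nets = list(ipaddress.summarize_address_range(ts["start"], ts["end"]))
        reasons = []
        if ts["proto"] != 0:
            reasons.append(f"restricted to IP protocol {ts['proto']}")
        if ts["ports"] != PORT_ANY:
            reasons.append(f"restricted to ports {ts['ports'][0]}-{ts['ports'][1]}")
        if len(nets) != 1 or nets[0] not in expected:
            reasons.append(f"range {ts['start']}-{ts['end']} is not one expected subnet")
        if reasons:
            findings.append((i, "; ".join(reasons)))
    return findings


# Constructed sample: a TSi carrying an ICMP-only selector for the first host,
# followed by the two plain /32 host selectors the remote side should send.
SAMPLE_TSI = build_ts_payload([
    (TS_IPV4_ADDR_RANGE, 1, 0, 65535, "198.51.100.10", "198.51.100.10"),  # ICMP-only: suspect
    (TS_IPV4_ADDR_RANGE, 0, 0, 65535, "198.51.100.10", "198.51.100.10"),
    (TS_IPV4_ADDR_RANGE, 0, 0, 65535, "198.51.100.20", "198.51.100.20"),
])
EXPECTED_REMOTE = ["198.51.100.10/32", "198.51.100.20/32"]  # constructed subnet-pair expectation


def analyze_sample():
    """Parse the constructed TSi and report selectors that break the 1:1 subnet pair."""
    return check_subnet_pair(parse_ts_payload(SAMPLE_TSI), EXPECTED_REMOTE)


if __name__ == "__main__":
    for idx, reason in analyze_sample():
        print(f"selector {idx}: {reason}")
```

Run against bytes captured from a real negotiation (for example the TS payload from a debug), the checker separates a genuinely mismatched encryption domain from a selector that merely narrows by protocol or port, which is the distinction the "is it really 1:1 on both ends" question below turns on.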
Okay, I went back and looked at the logs. This was a Check Point issue that was resolved by going to R81.10 JHF 131.
The issue was present, I applied the update, and I haven't seen the issue in the logs since.
Have you configured the VPN community as "subnet pair"? Double check whether the traffic selectors (encryption domains) are really 1:1 on both ends.
Yes, the community is set up as subnet pair. I do not have control over the other side, and since they are ghosting me, I have to take their word that everything is set up as a subnet on their end.
Though the TSi shows a subnet in the second value, it's the first value that is wrong.
Have a look at sk166417; IKEv2 narrowing is not isolated to Check Point, by the way.
I looked over that earlier, it's informative.
I know a guy I used to work with who showed me how to fix this on the Cisco side. He used to work for Cisco TAC in India and said they used to see this issue all the time. Supposedly there was some sort of a bug in a certain version, but it was fixed later. Will see if I can find any notes about it.
Best,
Andy
Sounds good. I was also wondering if it was a certain Cisco version. I thought I had this issue with another Cisco VPN, but I am having a difficult time finding it at the moment; maybe they upgraded and resolved it.
I have a good buddy I also worked with and he may know where the guy currently works, so let me see if we can get a hold of him : - ). It's been probably 7 years since I dealt with Cisco, mind you only with ASA, but I have lots of commands from notes I took back in the day.
I will keep you posted on what I find.
Best,
Andy
Did you ever find anything?
Cheers
I upgraded to R81.10 JHF 131 and the issue is currently resolved from what I can tell. Not sure if the Cisco side has changed anything, never heard back from the third-party.
Let's check for this:
- https://support.checkpoint.com/results/sk/sk170857 (fixed in T131)
- look for any duplicate objects related to hosts/subnets in your vpn tu tlist output. If found, delete them from mgmt, install policy and reset the tunnel
That could be related...
I have definitely had that bug on another tunnel, but this seems to be different as it's coming from the Cisco side.