topic ESP_TFC_PADDING_NOT_SUPPORTED in General Topics

ESP_TFC_PADDING_NOT_SUPPORTED

vnt90 — Thu, 28 Jan 2021 19:50:07 GMT

Working with PA 5250 and ASA on the other end. The tunnel between is up and communication flows across however we are seeing constant system errors being logged.

When we enable the tunnel we get the following.

IKEv2 child SA negotiation is succeeded as initiator, non-rekey. Established SA: x.x.x.x[500]-y.y.y.y[500] message id:0x00000C44, SPI:0xDB7C2CCE/0x2C52FBD3.

IKEv2 child SA negotiation is failed as initiator, non-rekey. Failed SA: x.x.x.x[500]-y.y.y.y[500] message id:0x00000B7A. Error code 19

The failed message keeps repeating approx. every 8 sec. In examining the ikev2 settings we do not see any disparities between the two routers--

We have seen these messages however between these two peers

IKEv2 SA negotiation is failed, received notify type ESP_TFC-PADDING_NOT_SUPPORTED

IKEv2 SA negotiation is failed, received notify type NON_FIRST_FRAGMENTS_ALSO

Can anyone shed some light?

Thanks in Advance

Re: ESP_TFC_PADDING_NOT_SUPPORTED

reaper — Sun, 31 Jan 2021 23:46:43 GMT

did you enable a DH group in the phase-2 crypto profile?

if you have (not set nopfs), could you share some of the config to help shed some light on what you are trying to negotiate

Re: ESP_TFC_PADDING_NOT_SUPPORTED

reaper — Mon, 01 Feb 2021 00:12:28 GMT

I've run a couple of tests and i get that error message (tfc padding) all the time when running IKEv2, so it may just be 'expected'

you may need to doublecheck your ProxyIDs to see why one child SA is failing

the remote end should see logging that match the message ID and have more detailed logging to indicate why it fails

Re: ESP_TFC_PADDING_NOT_SUPPORTED

vnt90 — Fri, 26 Feb 2021 16:46:17 GMT

Checked the proxy id's are the same on both ends. What is causing the error is the fact that I have tunnel monitor turned on and set to a resource on their end (ex. 172.30.21.5) Their ASA flags an error that they are receiving a ping from 172.30.21.1 to 172.30.21.5. 172.30.21.1 is their gateway addr. I don't know what address is used by the Palo to generate the "tunnel monitor ping" but I would not expect it to be their gateway addr . Since the gateway address is not in the proxy id list the ASA flags it.

IKE Receiver: Packet received on a.b.c.d from 1.2.3.4

IPSEC: Received on ESP packet (SPI=0x1234567,sequence number=0x123444354)from 1.2.3.4(user=1.2.3.4)to a.b.c.d The decapsulate inner packet doesn’t match the negotiated policy in the SA. The packet specifies its destination as 172.30.21.5 its source as 172.30.21.1, and its protocol as icmp. The SA specifies its local proxy as 172.30.21.5/255.255.255.255/ip/0 and its remote_proxy as (the list of agreed ips for our side).

Local:a.b.c.d:500 Remote:1.2.3.4:500 Username 1.2.3.4 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed.

I assume that their gateway is proxing the ping from our end. Don't know how to resolve this. 1) what palo address is used to generate the ping for "tunnel monitoring" 2) is there a setting in the ASA to stop the proxying of the ping?

Thnks for the help

Re: ESP_TFC_PADDING_NOT_SUPPORTED

BPry — Fri, 26 Feb 2021 21:09:50 GMT

@vnt90,

When you enable tunnel monitoring the tunnel interface IP is used for the ICMP request to the monitored IP. On the ASA, do you have ICMP inspection enabled at all?

Re: ESP_TFC_PADDING_NOT_SUPPORTED

Drew-Gilman — Fri, 16 Apr 2021 16:00:38 GMT

We're running into this problem now between a PA-220 and a ASA using IKEv2.

Were you able to identify the problem?

Re: ESP_TFC_PADDING_NOT_SUPPORTED

PiankaMariusz — Wed, 09 Jun 2021 16:51:52 GMT

I just started this problem between two PA

PA-220 and VM-100

No network changes done,

31st of May ESP_TFC_PADDING_NOT_SUPPORTED in System Log , first event and suddenly customer starts to report the issues with dropping tunnels..

Re: ESP_TFC_PADDING_NOT_SUPPORTED

EmilianoMedinaC — Mon, 22 Aug 2022 21:14:06 GMT

Hi,

Does anyone have the solution to the problem?

The same thing is happening to me. 😞

Re: ESP_TFC_PADDING_NOT_SUPPORTED

kiwi — Wed, 24 Aug 2022 08:35:46 GMT

Hi @EmilianoMedinaC ,

Are you using IKEv1 or IKEv2 ?

Can you perform some VPN debugging and get some logs to help us further ?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

Best,

-Kiwi.

Re: ESP_TFC_PADDING_NOT_SUPPORTED

Abdulkareem — Mon, 12 Aug 2024 05:01:53 GMT

Hello,

We are also facing this problem between two PA-3220 and VM-300.

No network changes done, and both phases are up only.

ESP_TFC_PADDING_NOT_SUPPORTED in System Log , first event and suddenly customer starts to report the issues with dropping tunnels.

Please share any solutions.

Re: ESP_TFC_PADDING_NOT_SUPPORTED

msdphi — Wed, 13 Nov 2024 20:10:31 GMT

Any solution yet?