Symptom
ASA fails to negotiate an IKEv2 remote access tunnel with a third-party client and does not reply to IKE_AUTH. The following error is seen:
%ASA-4-750003: Local:192.168.31.20:4500 Remote:192.168.31.24:4500 Username:9999 IKEv2 Negotiation aborted due to ERROR: A supplied parameter is incorrect
No failure notify is sent to the peer, and the peer retransmits IKE_AUTH until the retry limit is reached.
Conditions
IKEv2
Third-party remote access client requesting that both an IPv4 and an IPv6 address be assigned.
The client sends both TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE in TSi, e.g.
TSi Next payload: TSr, reserved: 0x0, length: 64
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 0.0.0.0, end addr: 255.255.255.255
TS type: TS_IPV6_ADDR_RANGE, proto id: 0, length: 40
start port: 0, end port: 65535
start addr: ::, end addr: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 10.0.0.0, end addr: 10.255.255.255
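The two payloads above follow the IKEv2 Traffic Selector wire format (RFC 7296, section 3.13). The following is an added example, not Cisco code or part of this bug report: it builds the exact TSi/TSr bytes shown in the debug output, parses them back, and flags a TSi that mixes address families, which is the condition that triggers this bug. The payload values it uses (TS types 7 and 8, TSr = 45, NOTIFY = 41) are the RFC 7296 constants; the helper names and the sample payloads are constructed for this example. A defender can run the same check over a packet capture of a failing client before opening a case.

```python
"""Build and parse IKEv2 Traffic Selector payloads (RFC 7296 section 3.13).

Added example: constructed here to reproduce the TSi/TSr dump above and to
detect a dual-stack (IPv4 + IPv6) request from a third-party client.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

# Traffic Selector types (RFC 7296 section 3.13.1)
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
# Payload type values used in the Next Payload field (RFC 7296 section 3.2)
PAYLOAD_NOTIFY = 41
PAYLOAD_TSR = 45


@dataclass
class TrafficSelector:
    ts_type: int
    proto_id: int
    start_port: int
    end_port: int
    start_addr: str
    end_addr: str

    @property
    def family(self) -> int:
        """IP version of this selector, 4 or 6."""
        return 4 if self.ts_type == TS_IPV4_ADDR_RANGE else 6


def build_ts_payload(next_payload: int, selectors: List[TrafficSelector]) -> bytes:
    """Serialize a TS payload: 8-byte generic header, then one substructure per TS."""
    body = b""
    for ts in selectors:
        start = ipaddress.ip_address(ts.start_addr).packed
        end = ipaddress.ip_address(ts.end_addr).packed
        sel_len = 8 + len(start) + len(end)  # 16 for IPv4, 40 for IPv6
        body += struct.pack("!BBHHH", ts.ts_type, ts.proto_id, sel_len,
                            ts.start_port, ts.end_port) + start + end
    # Next Payload, Critical/Reserved, Payload Length, Number of TSs, 3 reserved bytes
    header = struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), len(selectors))
    return header + body


def parse_ts_payload(data: bytes) -> Tuple[int, List[TrafficSelector]]:
    """Parse a TS payload, validating every length field against the data seen."""
    next_payload, _critical, length, num_ts = struct.unpack_from("!BBHB", data, 0)
    if length != len(data):
        raise ValueError(f"payload length {length} does not match {len(data)} bytes")
    offset, selectors = 8, []
    for _ in range(num_ts):
        ts_type, proto_id, sel_len, sp, ep = struct.unpack_from("!BBHHH", data, offset)
        addr_len = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}.get(ts_type)
        if addr_len is None:
            raise ValueError(f"unsupported TS type {ts_type}")
        if sel_len != 8 + 2 * addr_len:
            raise ValueError(f"bad selector length {sel_len} for TS type {ts_type}")
        start = data[offset + 8: offset + 8 + addr_len]
        end = data[offset + 8 + addr_len: offset + 8 + 2 * addr_len]
        selectors.append(TrafficSelector(ts_type, proto_id, sp, ep,
                                         str(ipaddress.ip_address(start)),
                                         str(ipaddress.ip_address(end))))
        offset += sel_len
    if offset != length:
        raise ValueError("trailing bytes after last traffic selector")
    return next_payload, selectors


def address_families(selectors: List[TrafficSelector]) -> Set[int]:
    return {ts.family for ts in selectors}


def is_dual_stack_request(ts_payload: bytes) -> bool:
    """True when a TSi asks for both IPv4 and IPv6, the condition behind this bug."""
    _, selectors = parse_ts_payload(ts_payload)
    return address_families(selectors) == {4, 6}


# Constructed sample payloads matching the debug output in the Conditions section.
PAGE_TSI = build_ts_payload(PAYLOAD_TSR, [
    TrafficSelector(TS_IPV4_ADDR_RANGE, 0, 0, 65535, "0.0.0.0", "255.255.255.255"),
    TrafficSelector(TS_IPV6_ADDR_RANGE, 0, 0, 65535, "::",
                    "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"),
])
PAGE_TSR = build_ts_payload(PAYLOAD_NOTIFY, [
    TrafficSelector(TS_IPV4_ADDR_RANGE, 0, 0, 65535, "10.0.0.0", "10.255.255.255"),
])

if __name__ == "__main__":
    print("TSi length", len(PAGE_TSI), "dual-stack:", is_dual_stack_request(PAGE_TSI))
    print("TSr length", len(PAGE_TSR), "dual-stack:", is_dual_stack_request(PAGE_TSR))
```

The serialized lengths come out at 64 for the TSi and 24 for the TSr, matching the `length:` fields in the dump, which confirms the debug output is a plain rendering of the RFC layout. A client that hits the workaround below (request only one address family) produces a TSi for which `is_dual_stack_request` returns False.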
Workaround
Reconfigure the client to request only an IPv4 or only an IPv6 address.
Further Problem Description
Dual-stack IKEv2 remote access is supported only with AnyConnect. See enhancement CSCvv44310.
This bug addresses the failure notify that the ASA should send but currently does not.