sa timing: remaining key lifetime (k/sec): (4215482/3412)
IV size: 8 bytes
replay detection support: Y
Known caveats & issues
Please remember to have the following line configured on your IOS headend: no crypto ikev2 http-url cert.
The error produced by IOS and AnyConnect when this is not configured is quite misleading.
In certain scenarios IOS might not be able to pick the correct trustpoint to authenticate. We are aware of the issue; it should be fixed as of the 15.2(3)T1 release. A tentative date for 15.2(3)T1 is 29th of June 2012.
If AnyConnect is reporting a message similar to this:
The client certificate's cryptographic service provider(CSP) does not support the sha512 algorithm
You need to make sure that the integrity/PRF setting in your IKEv2 proposals matches what your certificates can handle. If you're using an IOS CA like me, I suggest using sha-1 as your PRF/integrity setting.
Here are a few useful tips on how to troubleshoot, or, if you're desperate, what to provide to TAC to smooth things out.
Useful IKEv2 debugs (I'm assuming an IOS version of 15.2.2T or newer)
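As an added illustration (not configuration from the original article), here is how the two IKEv2 proposals compare side by side on an IOS headend; the proposal names are assumptions. The first requests SHA-512 and trips the CSP error quoted above when the client certificate's provider cannot handle that algorithm; the second sets both integrity and PRF to SHA-1 to match the certificates, as suggested.

```cisco
! Added example, not from the original article; proposal names are assumptions.
! Headend setting the article asks you to keep in place:
no crypto ikev2 http-url cert
!
! Proposal that can trigger the AnyConnect CSP error when the client
! certificate's cryptographic service provider does not support SHA-512:
crypto ikev2 proposal ANYCONNECT-SHA512
 encryption aes-cbc-256
 integrity sha512
 prf sha512
 group 14
!
! Adjusted proposal: integrity and PRF set to SHA-1 so they match what the
! certificates (here, issued by an IOS CA) can handle:
crypto ikev2 proposal ANYCONNECT-SHA1
 encryption aes-cbc-256
 integrity sha1
 prf sha1
 group 14
!
! Confirm what the headend actually offers before testing the client again:
! show crypto ikev2 proposal
```

Only the proposal referenced by your IKEv2 policy is offered to the client, so after changing it check `show crypto ikev2 proposal` and re-run the connection with the debugs listed below enabled.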
debug crypto ikev2
debug crypto ikev2 internal
debug crypto ikev2 packet
Useful PKI debugs
debug crypto pki m
debug crypto pki t
debug crypto pki v
The one that will be most helpful is:
show crypto pki cert verb
If you would like TAC to look into this, provide a DART package. Please remember to CLEAR the event viewer logs before generating it.
This will help greatly.
Also note the time at which you've tried and failed connecting.
Further Reading & Documentation
You should always start with the configuration guide. This particular