Hi, Could this just be a co-incidence? Do the timestamps correlate?...check the logs How long has this issue been going on? Has anything changed?   Can you enable ikev2 debugging and upload the output for review please Can you provide your sanitised configuration of the central hub please ... View more

I don't see any information in the 2960 release notes to say that the old style IBNS 1.0 configuration is no longer supported, so you may not need to downgrade the IOS. You can still use dot1x with this new IBNS2 configuration, but if you want to use the old style then if IBNS 2.0 commands is configured, you can only revert by erasing the configuration of the switch. HTH ... View more

As there are now configured IBNS2.0 commands you cannot revert to legacy mode, reference here. I think the only way to do this is wipe the switch.   If this was working previously did you upgrade the switch firmware? ... View more

Hi, Your nat configuration appears incorrect. In your object "www-80" you are specifying the source port is tcp/80, but as your logs indicate the traffic source port is 33112. You would be sending traffic to destination of tcp/80, the tcp source port would be random. This example configuration should help:- object network AD-Conrtoller host 192.168.6.245 nat (INSIDE,OUTSIDE) static interface service tcp www www HTH ... View more

Configure authorization with name-mangler? ... View more

The client identity is checked on the Hub.   If you need different PSK then match the keyring on the ip address. E.g:-   crypto ikev2 keyring KEYRING  peer SPOKE1   identity address 1.1.1.1   pre-shared-key local Cisco1234   pre-shared-key remote Cisco1234  !  peer SPOKE2   identity address 2.2.2.2   pre-shared-key local Cisco5678   pre-shared-key remote Cisco5678   Does that work for you? You can still use the fqdn identity in the IKEv2 profile to identify the spoke to the hub ... View more

Hi, If you are using the "access-session" commands then you are using IBNS 2.0, have you configured the required service-policy etc? IBNS 2.0 deployment guide for your reference   HTH ... View more

Hi, Any reason why you don't use IKEv2? You wouldn't need to make any changes for the existing tunnels then.   What about the other device? If that's configured with the required IKEv1 policy, then as long as your ASA has the matching policy is should match. ... View more

Well the authentication is PSK/Certificate or EAP. The identity is used to identify the routers in order to match against the IKEv2 Profile. In the example above you don't need to change any configuration on the Hub if you replace a spoke. You specify the hubs's local identity and then match on a remote identity with a fqdn in the domain cisco.com. So if you change the identity/hardware on the spoke the Hub will correct identify the spoke and authenticate, assuming PSK/Cert/EAP is correct. ... View more

Hi, I don't fully understand why you want to do what you want, why do you need to send 2 identities? Just send 1 from the spoke, does this example give you what you need? (I think it should be self explanitory):-   HUB crypto ikev2 profile IKEV2_PROFILE  match identity fqdn domain cisco.com  identity local fqdn HUB@cisco.com   SPOKE1 crypto ikev2 profile IKEV2_PROFILE  match identity fqdn domain cisco.com  identity local fqdn Client1+AB233422@cisco.com   SPOKE2 crypto ikev2 profile IKEV2_PROFILE  match identity fqdn domain cisco.com  identity local fqdn Client2+EB3223444@cisco.com   HTH ... View more

No, you don't specify your IP address in that command you specify the next hop address, as in the IP address of the router you need to route traffic to, which would be your ISP's router IP address. ... View more

You don't appear to have a default route configured. You need something like this:- route outside 0 0 217.35.150.x Replace the x with the ISP router's IP address and paste that command in. ... View more

You need to be in global configuration mode, enter the command "conf t" - then press enter Then you can enter the nat command ... View more