cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
975
Views
0
Helpful
3
Replies

FLEXVPN Not Working

csco10971283
Level 1
Level 1

Hello Fellows,

I need an urgent support.

I've configured FlexVPN on my 8500L router, everything seems to be correct according to Cisco documentation but once it's connected, the virtual access interface goes down.

I tried all the solutions on the community pages but nothings made my VPN working.

As well, I updated the AnyConnect client to the latest version but still nothing working.
The error message is  as bellow:

Screenshot 2024-01-04 at 5.09.59 PM.png

My router configuration is as below:

!
aaa authentication login vpn local
aaa authorization network vpn local
!
crypto ikev2 authorization policy vpn
pool vpn
dns 192.168.129.10
route set access-list vpn
!
crypto ikev2 profile vpn
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint vpnuser
aaa authentication anyconnect-eap vpn
aaa authorization group anyconnect-eap list vpn vpn
aaa authorization user anyconnect-eap cached
virtual-template 1
anyconnect profile vpn
!
no crypto ikev2 http-url cert
!
crypto vpn anyconnect profile vpn bootflash:/tips_vpn.xml
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile vpn
set transform-set TS
set ikev2-profile vpn
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
ip mtu 1400
tunnel source TenGigabitEthernet0/1/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn
!
!
interface Loopback1
ip address 10.10.10.10 255.255.255.255
!

The debugs showing the below:

Jan 4 15:15:21.359: IKEv2:Received Packet [From e.f.g.h:5542/To a.b.c.d:500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:

Jan 4 15:15:21.359: IKEv2:parsing SA payload SA
Jan 4 15:15:21.359: IKEv2:parsing KE payload KE
Jan 4 15:15:21.359: IKEv2:parsing N payload N
Jan 4 15:15:21.359: IKEv2:parsing VID payload VID
Jan 4 15:15:21.359: IKEv2:parsing VID payload VID
Jan 4 15:15:21.359: IKEv2:parsing VID payload VID
Jan 4 15:15:21.359: IKEv2:parsing VID payload VID
Jan 4 15:15:21.359: IKEv2:parsing VID payload VID
Jan 4 15:15:21.359: IKEv2:parsing VID payload VID
Jan 4 15:15:21.360: IKEv2:parsing VID payload VID
Jan 4 15:15:21.360: IKEv2:parsing NOTIFY payload NOTIFY(NAT_DETECTION_SOURCE_IP)
Jan 4 15:15:21.360: IKEv2:parsing NOTIFY payload NOTIFY(NAT_DETECTION_DESTINATION_IP)
Jan 4 15:15:21.360: IKEv2:parsing VID payload VID
Jan 4 15:15:21.360: IKEv2:parsing CFG payload CFG
Jan 4 15:15:21.360: IKEv2:parsing NOTIFY payload NOTIFY(REDIRECT_SUPPORTED)

Jan 4 15:15:21.360: IKEv2:(SESSION ID = 111,SA ID = 1):Verify SA init message
Jan 4 15:15:21.360: IKEv2:(SESSION ID = 111,SA ID = 1):Insert SA
Jan 4 15:15:21.360: IKEv2:Searching Policy with fvrf 0, local address a.b.c.d
Jan 4 15:15:21.360: IKEv2:Using the Default Policy for Proposal
Jan 4 15:15:21.360: IKEv2:Found Policy 'default'
Jan 4 15:15:21.360: IKEv2:(SESSION ID = 111,SA ID = 1):Processing IKE_SA_INIT message
Jan 4 15:15:21.361: IKEv2:(SESSION ID = 111,SA ID = 1):Received valid config mode data
Jan 4 15:15:21.361: IKEv2:(SESSION ID = 111,SA ID = 1):Config data recieved:
Jan 4 15:15:21.361: IKEv2:(SESSION ID = 111,SA ID = 1):Config-type: Config-request
Jan 4 15:15:21.361: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
Jan 4 15:15:21.361: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
Jan 4 15:15:21.361: IKEv2:(SESSION ID = 111,SA ID = 1):Set received config mode data
Jan 4 15:15:21.361: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Jan 4 15:15:21.361: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'vpnuser' 'vpn' 'SLA-TrustPoint' 'TP-self-signed-766694266'
Jan 4 15:15:21.361: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Jan 4 15:15:21.361: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Jan 4 15:15:21.361: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Jan 4 15:15:21.361: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Jan 4 15:15:21.361: IKEv2:(SESSION ID = 111,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
Jan 4 15:15:21.362: IKEv2:(SESSION ID = 111,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Jan 4 15:15:21.362: IKEv2:(SESSION ID = 111,SA ID = 1):Request queued for computation of DH key
Jan 4 15:15:21.362: IKEv2:(SESSION ID = 111,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
Jan 4 15:15:21.364: IKEv2:(SESSION ID = 111,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Jan 4 15:15:21.364: IKEv2:(SESSION ID = 111,SA ID = 1):Request queued for computation of DH secret
Jan 4 15:15:21.364: IKEv2:(SESSION ID = 111,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Jan 4 15:15:21.364: IKEv2:(SESSION ID = 111,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Jan 4 15:15:21.364: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Jan 4 15:15:21.364: IKEv2:(SESSION ID = 111,SA ID = 1):Generating IKE_SA_INIT message
Jan 4 15:15:21.364: IKEv2:(SESSION ID = 111,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA384 SHA384 DH_GROUP_256_ECP/Group 19
Jan 4 15:15:21.364: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Jan 4 15:15:21.364: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'vpnuser' 'vpn' 'SLA-TrustPoint' 'TP-self-signed-766694266'
Jan 4 15:15:21.364: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Jan 4 15:15:21.364: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

Jan 4 15:15:21.364: IKEv2:(SESSION ID = 111,SA ID = 1):Sending Packet [To e.f.g.h:5542/From a.b.c.d:500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ

Jan 4 15:15:21.365: IKEv2:(SESSION ID = 111,SA ID = 1):Completed SA init exchange
Jan 4 15:15:21.365: IKEv2:(SESSION ID = 111,SA ID = 1):Starting timer (30 sec) to wait for auth message

Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):Received Packet [From e.f.g.h:5559/To a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:

Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):parsing ENCR payload
Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):parsing VID payload VID
Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):parsing IDi payload IDi
Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):parsing CERTREQ payload CERTREQ
Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):parsing CFG payload CFG
Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):parsing SA payload SA
Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):parsing NOTIFY payload NOTIFY(IPCOMP_SUPPORTED)
Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):parsing TSi payload TSi
Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):parsing TSr payload TSr
Jan 4 15:15:21.440: IKEv2:(SESSION ID = 111,SA ID = 1):parsing NOTIFY payload NOTIFY(INITIAL_CONTACT)
Jan 4 15:15:21.441: IKEv2:(SESSION ID = 111,SA ID = 1):parsing NOTIFY payload NOTIFY(USE_TRANSPORT_MODE)
Jan 4 15:15:21.441: IKEv2:(SESSION ID = 111,SA ID = 1):parsing OA payload OA
Jan 4 15:15:21.441: IKEv2:(SESSION ID = 111,SA ID = 1):parsing OA payload OA
Jan 4 15:15:21.441: IKEv2:(SESSION ID = 111,SA ID = 1):parsing NOTIFY payload NOTIFY(ESP_TFC_NO_SUPPORT)
Jan 4 15:15:21.441: IKEv2:(SESSION ID = 111,SA ID = 1):parsing NOTIFY payload NOTIFY(NON_FIRST_FRAGS)

Jan 4 15:15:21.441: IKEv2:(SESSION ID = 111,SA ID = 1):Stopping timer to wait for auth message
Jan 4 15:15:21.441: IKEv2:(SESSION ID = 111,SA ID = 1):Checking NAT discovery
Jan 4 15:15:21.441: IKEv2:(SESSION ID = 111,SA ID = 1):NAT OUTSIDE found
Jan 4 15:15:21.441: IKEv2:(SESSION ID = 111,SA ID = 1):NAT detected float to init port 5559, resp port 4500
Jan 4 15:15:21.441: IKEv2:(SESSION ID = 111,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
Jan 4 15:15:21.442: IKEv2-ERROR:% IKEv2 profile not found
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):Searching Policy with fvrf 0, local address a.b.c.d
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):Using the Default Policy for Proposal
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):Found Policy 'default'
Jan 4 15:15:21.442: IKEv2:not a VPN-SIP session
Jan 4 15:15:21.442: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Jan 4 15:15:21.442: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Jan 4 15:15:21.442: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Jan 4 15:15:21.442: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Jan 4 15:15:21.442: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

Jan 4 15:15:21.442: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint vpnuser
Jan 4 15:15:21.442: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):Verify peer's policy
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):Peer's policy verified
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):Check for EAP exchange
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):Check for EAP exchange
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):Generate my authentication data
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):Get my authentication method
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):My authentication method is 'RSA'
Jan 4 15:15:21.442: IKEv2:(SESSION ID = 111,SA ID = 1):Sign authentication data
Jan 4 15:15:21.442: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
Jan 4 15:15:21.442: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
Jan 4 15:15:21.442: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
Jan 4 15:15:21.457: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authentication data PASSED
Jan 4 15:15:21.457: IKEv2:(SESSION ID = 111,SA ID = 1):Authentication material has been sucessfully signed
Jan 4 15:15:21.457: IKEv2:(SESSION ID = 111,SA ID = 1):Generating AnyConnect EAP request
Jan 4 15:15:21.457: IKEv2:(SESSION ID = 111,SA ID = 1):Sending AnyConnect EAP 'hello' request
Jan 4 15:15:21.457: IKEv2:(SESSION ID = 111,SA ID = 1):Constructing IDr payload: 'a.b.c.d' of type 'IPv4 address'
Jan 4 15:15:21.457: IKEv2:(SESSION ID = 111,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr CERT CERT AUTH EAP

Jan 4 15:15:21.457: IKEv2:(SESSION ID = 111,SA ID = 1):Sending Packet [To e.f.g.h:5559/From a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

Jan 4 15:15:21.457: IKEv2:(SESSION ID = 111,SA ID = 1):Starting timer (90 sec) to wait for auth message

Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):Received Packet [From e.f.g.h:5559/To a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 2
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:

Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):parsing ENCR payload
Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):parsing EAP payload EAP

Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):Stopping timer to wait for auth message
Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):Processing AnyConnect EAP response
Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):Checking for Dual Auth
Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):Generating AnyConnect EAP AUTH request
Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):Sending AnyConnect EAP 'auth-request'
Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):Building packet for encryption.
Payload contents:
EAP

Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):Sending Packet [To e.f.g.h:5559/From a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

Jan 4 15:15:23.455: IKEv2:(SESSION ID = 111,SA ID = 1):Starting timer (90 sec) to wait for auth message

Jan 4 15:15:25.475: IKEv2:(SESSION ID = 111,SA ID = 1):Received Packet [From e.f.g.h:5559/To a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:

Jan 4 15:15:25.475: IKEv2:(SESSION ID = 111,SA ID = 1):parsing ENCR payload
Jan 4 15:15:25.475: IKEv2:(SESSION ID = 111,SA ID = 1):parsing EAP payload EAP

Jan 4 15:15:25.475: IKEv2:(SESSION ID = 111,SA ID = 1):Stopping timer to wait for auth message
Jan 4 15:15:25.475: IKEv2:(SESSION ID = 111,SA ID = 1):Processing AnyConnect EAP response
Jan 4 15:15:25.476: IKEv2:Using authentication method list vpn

Jan 4 15:15:25.476: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
Jan 4 15:15:25.476: IKEv2-ERROR:AnyConnect EAP - failed to get author list
Jan 4 15:15:25.477: IKEv2:Received response from aaa for AnyConnect EAP
Jan 4 15:15:25.477: IKEv2:(SESSION ID = 111,SA ID = 1):Generating AnyConnect EAP VERIFY request
Jan 4 15:15:25.477: IKEv2:(SESSION ID = 111,SA ID = 1):Sending AnyConnect EAP 'VERIFY' request
Jan 4 15:15:25.477: IKEv2:(SESSION ID = 111,SA ID = 1):Building packet for encryption.
Payload contents:
EAP

Jan 4 15:15:25.477: IKEv2:(SESSION ID = 111,SA ID = 1):Sending Packet [To e.f.g.h:5559/From a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 3
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

Jan 4 15:15:25.477: IKEv2:(SESSION ID = 111,SA ID = 1):Starting timer (90 sec) to wait for auth message

Jan 4 15:15:25.520: IKEv2:(SESSION ID = 111,SA ID = 1):Received Packet [From e.f.g.h:5559/To a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 4
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:

Jan 4 15:15:25.520: IKEv2:(SESSION ID = 111,SA ID = 1):parsing ENCR payload
Jan 4 15:15:25.520: IKEv2:(SESSION ID = 111,SA ID = 1):parsing EAP payload EAP

Jan 4 15:15:25.520: IKEv2:(SESSION ID = 111,SA ID = 1):Stopping timer to wait for auth message
Jan 4 15:15:25.520: IKEv2:(SESSION ID = 111,SA ID = 1):Processing AnyConnect EAP ack response
Jan 4 15:15:25.520: IKEv2:(SESSION ID = 111,SA ID = 1):Generating AnyConnect EAP success request
Jan 4 15:15:25.520: IKEv2:(SESSION ID = 111,SA ID = 1):Sending AnyConnect EAP success status message
Jan 4 15:15:25.520: IKEv2:(SESSION ID = 111,SA ID = 1):Building packet for encryption.
Payload contents:
EAP

Jan 4 15:15:25.521: IKEv2:(SESSION ID = 111,SA ID = 1):Sending Packet [To e.f.g.h:5559/From a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 4
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

Jan 4 15:15:25.521: IKEv2:(SESSION ID = 111,SA ID = 1):Starting timer (90 sec) to wait for auth message

Jan 4 15:15:25.562: IKEv2:(SESSION ID = 111,SA ID = 1):Received Packet [From e.f.g.h:5559/To a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 5
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:

Jan 4 15:15:25.562: IKEv2:(SESSION ID = 111,SA ID = 1):parsing ENCR payload
Jan 4 15:15:25.562: IKEv2:(SESSION ID = 111,SA ID = 1):parsing AUTH payload AUTH

Jan 4 15:15:25.562: IKEv2:(SESSION ID = 111,SA ID = 1):Stopping timer to wait for auth message
Jan 4 15:15:25.562: IKEv2:(SESSION ID = 111,SA ID = 1):Send AUTH, to verify peer after EAP exchange
Jan 4 15:15:25.562: IKEv2:(SESSION ID = 111,SA ID = 1):Verify peer's authentication data
Jan 4 15:15:25.562: IKEv2:(SESSION ID = 111,SA ID = 1):Use preshared key for id *$AnyConnectClient$*, key len 48
Jan 4 15:15:25.562: IKEv2:(SESSION ID = 111,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Jan 4 15:15:25.562: IKEv2:(SESSION ID = 111,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Verification of peer's authentication data PASSED
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Processing INITIAL_CONTACT
Jan 4 15:15:25.563: IKEv2:Using mlist vpn and username vpn for group author request
Jan 4 15:15:25.563: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
Jan 4 15:15:25.563: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Received valid config mode data
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Config data recieved:
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Config-type: Config-request
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv4-addr, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv4-netmask, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv4-dns, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv4-nbns, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: app-version, length: 29, data: AnyConnect Windows 4.10.08025
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv4-subnet, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv6-addr, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv6-dns, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv6-subnet, length: 0CEBURU-UTIL-W10
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: reconnect-cleanup-interval, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: reconnect-dpd-interval, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: banner, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: smartcard-removal-disconnect, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 2, data: 0x5 0xFFFFFFFFFFFFFF86
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: def-domain, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: split-exclude, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: split-dns, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: pfs, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: reconnect-token-id, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: reconnect-session-id, length: 0
Jan 4 15:15:25.563: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: reconnect-session-data, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 4, data: 0xFFFFFFFFFFFFFFC00xFFFFFFFFFFFFFFA80x1E0xC
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 4, data: 0xFFFFFFFFFFFFFFAE0xFFFFFFFFFFFFFF800x120x39
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 0
Jan 4 15:15:25.564: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: unknown, length: 2, data: 0x5 0xFFFFFFFFFFFFFFDC
Jan 4 15:15:25.564: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.565: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.566: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.566: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.567: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.567: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-cleanup-interval in cfg-req
Jan 4 15:15:25.568: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.569: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.569: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-dpd-interval in cfg-req
Jan 4 15:15:25.570: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.570: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.571: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.572: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.572: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.573: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.573: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.574: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.575: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.575: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.576: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.576: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.577: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.578: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.578: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.579: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.579: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.580: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.581: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.581: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.582: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 15:15:25.582: IKEv2:(SESSION ID = 111,SA ID = 1):Set received config mode data
Jan 4 15:15:25.582: IKEv2:(SESSION ID = 111,SA ID = 1):Processing IKE_AUTH message
Jan 4 15:15:25.582: IKEv2:% DVTI create request sent for profile vpn with PSH index 1.

Jan 4 15:15:25.582: IKEv2:(SESSION ID = 111,SA ID = 1):
Jan 4 10:15:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Jan 4 10:15:25: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console
Jan 4 15:15:25.590: IKEv2:% DVTI Vi1 created for profile vpn with PSH index 1.

Jan 4 15:15:25.590: IKEv2:Requesting IPsec policy verification by ikev2 osal engine

Jan 4 15:15:25.590: IKEv2:% Adding assigned IP address 10.150.128.15 to TSi.
Jan 4 15:15:25.590: IKEv2:PSH 1: Filling route_info for the pushed ipv4 addressfor interface Virtual-Access1 and vrf
Jan 4 15:15:25.590: IKEv2:(SESSION ID = 111,SA ID = 1):IPSec policy validate request sent for profile vpn with psh index 1.

Jan 4 15:15:25.600: IKEv2:(SESSION ID = 111,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

Jan 4 15:15:25.601: IKEv2-ERROR:PSH 1: Adding ivrf in psh route_info
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):PSH: 1 validate proposal callback setting vti_idb Virtual-Access1 and ivrf in psh route_info
Jan 4 15:15:25.601: IKEv2:No reconnect for PSH: 1
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Config data to send:
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Config-type: Config-reply
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv4-addr, length: 4, data: 10.150.128.15
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv4-subnet, length: 8, data: 192.168.0.0 255.255.0.0
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: ipv4-dns, length: 4, data: 192.168.129.10
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Attrib type: app-version, length: 261, data: Cisco IOS Software [Cupertino], c8000aes Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.9.4a, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.
Compiled Fri 20-Oct-23 10:52 by mcpre
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Have config mode data to send
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Get my authentication method
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):My authentication method is 'PSK'
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Get peer's preshared key for *$AnyConnectClient$*
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Generate my authentication data
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Use preshared key for id a.b.c.d, key len 48
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Get my authentication method
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):My authentication method is 'PSK'
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Generate my authentication data
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Use preshared key for id a.b.c.d, key len 48
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):Send AUTH, to verify peer after EAP exchange
Jan 4 15:15:25.601: IKEv2:(SESSION ID = 111,SA ID = 1):ESP Proposal: 2, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don't use ESN
Jan 4 15:15:25.602: IKEv2:(SESSION ID = 111,SA ID = 1):Building packet for encryption.
Payload contents:
AUTH CFG SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Jan 4 15:15:25.602: IKEv2:(SESSION ID = 111,SA ID = 1):Sending Packet [To e.f.g.h:5559/From a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 5
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

Jan 4 15:15:25.602: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Jan 4 15:15:25.602: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Jan 4 15:15:25.602: IKEv2:(SESSION ID = 111,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
Jan 4 15:15:25.602: IKEv2:(SESSION ID = 111,SA ID = 1):Session with IKE ID PAIR (cisco, a.b.c.d) is UP
Jan 4 15:15:25.602: IKEv2:(SESSION ID = 0,SA ID = 0):IKEv2 MIB tunnel started, tunnel index 1
Jan 4 15:15:25.602: IKEv2:(SESSION ID = 111,SA ID = 1):Load IPSEC key material
Jan 4 15:15:25.602: IKEv2:(SESSION ID = 111,SA ID = 1):(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
Jan 4 15:15:25.609: IKEv2:(SESSION ID = 111,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Jan 4 10:15:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Jan 4 15:15:25.610: IKEv2:(SESSION ID = 111,SA ID = 1):Checking for duplicate IKEv2 SA
Jan 4 15:15:25.610: IKEv2:(SESSION ID = 111,SA ID = 1):No duplicate IKEv2 SA found
Jan 4 15:15:25.611: IKEv2:(SESSION ID = 111,SA ID = 1):Starting timer (8 sec) to delete negotiation context

Jan 4 15:15:32.877: IKEv2:(SESSION ID = 111,SA ID = 1):Received Packet [From e.f.g.h:5559/To a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:

Jan 4 15:15:32.877: IKEv2:(SESSION ID = 111,SA ID = 1):parsing ENCR payload
Jan 4 15:15:32.877: IKEv2:(SESSION ID = 111,SA ID = 1):parsing DELETE payload DELETE
Jan 4 15:15:32.877: IKEv2:(SESSION ID = 111,SA ID = 1):parsing NOTIFY payload NOTIFY(DELETE_REASON)

Jan 4 15:15:32.877: IKEv2:(SESSION ID = 111,SA ID = 1):Building packet for encryption.

Jan 4 15:15:32.877: IKEv2:(SESSION ID = 111,SA ID = 1):Sending Packet [To e.f.g.h:5559/From a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 6
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

Jan 4 15:15:32.878: IKEv2:(SESSION ID = 111,SA ID = 1):Process delete request from peer
Jan 4 15:15:32.878: IKEv2:(SESSION ID = 111,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x3D75A12AF31DB030 RSPI: 0x047E9A09B2A25C59]
Jan 4 15:15:32.878: IKEv2:IKEv2 removing route 10.150.128.15 255.255.255.255 via Virtual-Access1 in vrf global
Jan 4 15:15:32.878: IKEv2:(SESSION ID = 111,SA ID = 1):Check for existing active SA
Jan 4 15:15:32.878: IKEv2:(SESSION ID = 111,SA ID = 1):Delete all IKE SAs
Jan 4 15:15:32.878: IKEv2:(SESSION ID = 111,SA ID = 1):Deleting SA
Jan 4 15:15:32.879: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0x80007F1BF1FF1A38

Jan 4 10:15:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Jan 4 10:15:32: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down

 

Can anyone support me as we're in a downtime now & this VPN needs to come up as soon as possible.

Thanks,

Ahmed Ossama
CCIE#26611
3 Replies 3

tvotna
Spotlight
Spotlight

I remember there was a limitation w.r.t AnyConnect Profile name for FlexVPN: CSCvi11975, but honestly have no idea if it's still valid for 8500 and modern software versions. But you can try: rename the profile to acvpn.xml and reconfigure: crypto vpn anyconnect profile vpn bootflash:/acvpn.xml. If this doesn't help, upload it manually to \Profile folder on the client (e.g. C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) or something like that. If this doesn't help too, you'd need to collect DART on the client and analyze it -- it is the client which doesn't like something and terminates the connection, not the headend.

HTH

 

 

csco10971283
Level 1
Level 1

I've collected DART & I can't find anything wrong up to my experience, can you point me where to check.
Also, I've changed the profile name to acvpn & still cannot connect.
Am getting this errors:

4 16:54:54.341: IKEv2-ERROR:AnyConnect EAP - failed to get author list
Jan 4 16:54:54.440: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 16:54:54.440: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 16:54:54.441: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 16:54:54.442: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 16:54:54.442: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Jan 4 16:54:54.443: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-cleanup-interval in cfg-req
Jan 4 16:54:54.443: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req

 

 

Jan 4 11:54:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Jan 4 11:54:54: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console
Jan 4 16:54:54.475: IKEv2-ERROR:PSH 1: Adding ivrf in psh route_info
Jan 4 11:54:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
TIPS-GW-RTR#
TIPS-GW-RTR#
TIPS-GW-RTR#
TIPS-GW-RTR#
TIPS-GW-RTR#
Jan 4 16:55:01.861: IKEv2-ERROR:IKEv2 tunnel stop failed tunnel info 0x80007F1BF1551460

Jan 4 11:55:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Jan 4 11:55:01: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Jan 4 11:55:01: %SYS-5-CONFIG_P: Configured programmatically by process VTEMPLATE Background Mgr from console as console

Ahmed Ossama
CCIE#26611

Ignore these errors. Client connects successfully and IPv4 address is assigned. Then, after 7 seconds it sends Delete Notify:

Jan 4 10:15:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Jan 4 15:15:25.610: IKEv2:(SESSION ID = 111,SA ID = 1):Checking for duplicate IKEv2 SA
Jan 4 15:15:25.610: IKEv2:(SESSION ID = 111,SA ID = 1):No duplicate IKEv2 SA found
Jan 4 15:15:25.611: IKEv2:(SESSION ID = 111,SA ID = 1):Starting timer (8 sec) to delete negotiation context

Jan 4 15:15:32.877: IKEv2:(SESSION ID = 111,SA ID = 1):Received Packet [From e.f.g.h:5559/To a.b.c.d:4500/VRF i0:f0]
Initiator SPI : 3D75A12AF31DB030 - Responder SPI : 047E9A09B2A25C59 Message id: 6
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:

Jan 4 15:15:32.877: IKEv2:(SESSION ID = 111,SA ID = 1):parsing ENCR payload
Jan 4 15:15:32.877: IKEv2:(SESSION ID = 111,SA ID = 1):parsing DELETE payload DELETE
Jan 4 15:15:32.877: IKEv2:(SESSION ID = 111,SA ID = 1):parsing NOTIFY payload NOTIFY(DELETE_REASON)

I guess that IKEv2 plugin disconnects because it is told to by some other AnyConnect module, e.g. downloader. The downloader runs over TCP/443 (UDP/500,4500 is unsupported) and probably fails because FlexVPN on IOS routers, unlike ASA/FTD, may still not support so-called "TCP/443 client-services for IKEv2". This is what

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html?dtid=osscdc000283#toc-hId--1397212637

talks about when it says "This is the reason that the XML profile is installed on the client is mandatory to establish the IKEv2/IPsec tunnel with Cisco IOS® XE VPN gateway".

So far as I remember, the command "crypto vpn anyconnect profile vpn bootflash:/acvpn.xml" doesn't help client download profile automatically. Most likely it only sets the filename on the router to calculate MD5 hash over the profile and send the hash to the client so that the client can make decision, whether it needs to launch downloader component to update the profile or not. To compare received hash the client still needs the file on the local filesystem to calculate its own hash to compare with received hash. That is why you need to upload profile manually to the client and it should be identical with what the router has on its flash. The file name may still be fixed even in latest IOS versions, unless the code was changed.

This is how it was working few years back. Did you upload AnyConnect profile manually and put it into correct AnyConnect folder?

In the AnyConnect log you need to find the place where the client disconnects. This can be done easily (in 30-40 minutes max) by reading the log and correlating timestamps with IOS.

HTH