IKEv2 logs are not clear

Hi,

I have a VPN setup between two cisco IOS routers running IKEv2

It works fine with no issues

I see the logs below and I'm not sure I understand what they are.

I see IKEV2-5-SA_DOWN every time the IKEv2 SA lifetime is up and the SA renews. I also changed the lifetime to a lower value and the logs follow the change in lifetime.

Also I do not see any packet loss at the time the SA expires and is renewed and the log issued, so there seems to be no issue at all.

Can anyone here kindly explain the meaning of the logs below? Are both of the logs simply informative?

thanks

Mark

000333: *Oct 25 00:09:58.014 CET: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to rekey an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535

000334: *Oct 25 01:20:17.244 CET: %IKEV2-5-SA_DOWN: SA DOWN

000335: *Oct 25 03:19:15.278 CET: %IKEV2-5-SA_DOWN: SA DOWN

000336: *Oct 25 03:49:06.840 CET: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to rekey an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535

000337: *Oct 25 04:43:45.996 CET: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to rekey an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535

000338: *Oct 25 05:18:16.319 CET: %IKEV2-5-SA_DOWN: SA DOWN

000339: *Oct 25 06:32:16.072 CET: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to rekey an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535

2 Replies

Ben Weber
Level 1

Hey Mark

Both of these logs are purely informational. As you can see in both IKEV2-5-OSAL_INITIATE_TUNNEL and IKEV2-5-SA_DOWN, the message is a notification.

The SA_DOWN message is being triggered due to the expiration of the SA (which makes sense, given that the logs follow the change in lifetime).

The OSAL_INITIATE_TUNNEL message shows that the device has received a request to rekey the tunnel (as said in the message).

If it's too noisy for your requirements, I would consider changing the lifetime value to a higher integer.

- BW
Please rate posts if they have been helpful.

Hi Mark, as already mentioned, those logs are informative only. They are generated when an SA is about to expire and a negotiation to rekey the session is happening. The old SAs will be torn down when the new ones are established. The rekeying negotiation happens before the old/previous SAs are torn down. So everything you see looks good and does not suggest any issue of any type.
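Added example, not from the thread or from Cisco: a small parser for IOS IKEv2 syslog lines in the format quoted above that checks the point both replies make. A lifetime-driven SA_DOWN lands roughly one IKEv2 SA lifetime after the previous one (the thread's own lines are about two hours apart), so an SA_DOWN that arrives much sooner is the one worth investigating as a real tunnel drop rather than a rekey. It assumes a configured lifetime of 7200 seconds (the thread only says the value was lowered), a sample year because IOS timestamps carry none, and a constructed sample that adds one early SA_DOWN to the quoted lines.

```python
import re
from datetime import datetime

# Constructed sample: the first four lines follow the thread's quoted format, the
# last one is an invented early SA_DOWN that the check should flag.
SAMPLE_LOG = """\
000333: *Oct 25 00:09:58.014 CET: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to rekey an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535
000334: *Oct 25 01:20:17.244 CET: %IKEV2-5-SA_DOWN: SA DOWN
000335: *Oct 25 03:19:15.278 CET: %IKEV2-5-SA_DOWN: SA DOWN
000336: *Oct 25 05:18:16.319 CET: %IKEV2-5-SA_DOWN: SA DOWN
000337: *Oct 25 05:25:00.000 CET: %IKEV2-5-SA_DOWN: SA DOWN
"""

# Cisco IOS syslog severity levels; the "5" in %IKEV2-5-... is "notification".
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# seq: *Mon DD HH:MM:SS.mmm TZ: %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<seq>\d+): \*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) (?P<tz>\w+): "
    r"%(?P<facility>\w+)-(?P<sev>\d)-(?P<mnemonic>\w+): (?P<text>.*)$"
)


def parse_ikev2_log(text, year=2023):
    """Parse IOS syslog lines into event dicts; the year is assumed (IOS omits it)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line in this format
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append({"seq": int(m["seq"]), "time": ts, "severity": int(m["sev"]),
                       "mnemonic": m["mnemonic"], "text": m["text"]})
    return events


def classify_sa_down(events, lifetime_s=7200, tolerance=0.10):
    """For each SA_DOWN return (time, seconds since previous SA_DOWN, verdict).
    A gap within tolerance of the configured lifetime is the expected rekey;
    anything else is an unexpected gap that deserves a look (DPD, peer reset...)."""
    out, prev = [], None
    for e in (x for x in events if x["mnemonic"] == "SA_DOWN"):
        if prev is None:
            out.append((e["time"], None, "first-observed"))
        else:
            gap = (e["time"] - prev).total_seconds()
            ok = abs(gap - lifetime_s) <= tolerance * lifetime_s
            out.append((e["time"], gap, "lifetime-rekey" if ok else "unexpected-gap"))
        prev = e["time"]
    return out


if __name__ == "__main__":
    for t, gap, verdict in classify_sa_down(parse_ikev2_log(SAMPLE_LOG)):
        print(t.time(), gap, verdict)
```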