11-17-2016 08:15 AM
Hi
I am very familiar with IKEv1 but am now attempting an IKEv2 site-to-site tunnel on an ASA. I don't see an inbound packet from the third-party remote end using the "debug crypto ikev2 protocol 127" command. I was expecting to see the remote IP in the debug. I cannot see anything obvious. I do have IKEv2 for the HA and see debug from that connection, but nothing from outside. x.x.x.x is the remote peer address in my config... I am using a pre-shared key.
Is there any better debug command, or have I missed something obvious?
Any help is a bonus!
My config is below:
crypto map CRYPTOMAP 2 match address Outside_cryptomap_1
crypto map CRYPTOMAP 2 set pfs group19
crypto map CRYPTOMAP 2 set peer x.x.x.x
crypto map CRYPTOMAP 2 set ikev2 ipsec-proposal TelephoneticsProposal
crypto map CRYPTOMAP 2 set security-association lifetime seconds 3600
crypto map CRYPTOMAP 2 set nat-t-disable
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal TelephoneticsProposal
 protocol esp encryption aes-256
 protocol esp integrity sha-256
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy PolicyTelephonetics
tunnel-group 194.168.135.135 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
group-policy PolicyTelephonetics internal
group-policy PolicyTelephonetics attributes
 vpn-filter value VPN-Telephonetics
 vpn-tunnel-protocol ikev2
11-17-2016 07:52 PM
Hi manuscritp1,
You can take a look at the following guide, which includes some troubleshooting steps for IKEv2 and also explains how to interpret them:
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html#topic4
If you can't see any debugs when trying to initiate the tunnel, I would take a capture on the outside interface from peer to peer of the tunnel to make sure the traffic is reaching the ASA.
Hope this info helps!!
Rate if it helps you!!
-JP-
11-18-2016 01:08 AM
Many thanks for the pointer, JP!
As I used the ASDM, I noticed that I had not flagged "allow IKEv2" on the outside interface. I have now flagged this and await the third party to test! Here's hoping :)
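The two checks discussed in this thread, JP's peer-to-peer capture on the outside interface and the "IKEv2 enabled on the outside interface" setting the original poster found in ASDM, put together as an added ASA CLI walkthrough. This is example CLI written for this thread, not configuration from the poster's ASA; ASA-OUTSIDE-IP is a placeholder for the ASA's own outside address, x.x.x.x is the remote peer as in the config above, and the capture name CAP-IKEV2 is chosen here.

```text
! 1. Confirm IKEv2 is actually listening on the outside interface.
!    This is the CLI form of the ASDM "allow IKEv2 on the interface" flag;
!    if the line is missing, IKE_SA_INIT from the peer is dropped before
!    "debug crypto ikev2 protocol" ever sees it, which matches the symptom
!    of no inbound packet and no remote IP in the debug.
show running-config crypto ikev2 | include enable
!   expected:  crypto ikev2 enable outside
crypto ikev2 enable outside

! 2. Capture IKE (UDP/500) and NAT-T (UDP/4500) between the two peers on
!    the outside interface to prove the peer's traffic reaches the ASA at all.
!    The config above uses "set nat-t-disable", so UDP/500 is the one that matters,
!    but capturing both shows whether the far end is unexpectedly NAT-T encapsulating.
capture CAP-IKEV2 interface outside match udp host ASA-OUTSIDE-IP host x.x.x.x eq 500
capture CAP-NATT  interface outside match udp host ASA-OUTSIDE-IP host x.x.x.x eq 4500

! 3. Ask the third party to initiate, then inspect.
!    Packets from x.x.x.x -> ASA-OUTSIDE-IP with no reply means the ASA received
!    them but did not answer (IKEv2 not enabled, or policy/proposal mismatch,
!    which the protocol debug then shows). An empty capture means the traffic
!    never arrived: upstream filtering or the peer is not sending.
show capture CAP-IKEV2
show capture CAP-NATT

! 4. Once the exchange completes, verify the IKEv2 SA and the child (IPsec) SA.
show crypto ikev2 sa
show crypto ipsec sa peer x.x.x.x

! 5. Clean up so the capture buffers do not stay allocated on the box.
no capture CAP-IKEV2
no capture CAP-NATT
```

Reading the result: a capture that fills while the debug stays silent points at the interface not having IKEv2 enabled (step 1); a capture that fills and a debug that shows a reply means the packet is being processed and the debug output itself is where the remaining proposal or authentication problem will be explained.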