IKEv2 Phase 1 and 2 up but tunnel interface down

Tanveer Dewan
Level 1

I am setting up a new site-to-site IPsec on a Cisco IOS router.

The phase 1 and 2 both show up but the tunnel interface goes down in 4 seconds.

*Nov 16 17:16:45.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
*Nov 16 17:16:48.388: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down

IKEv2 and IPsec debugs do not give a reason for this.

-------------------//---------------

Show output:

A#sh cry ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
6 2.2.2.2/4500 1.1.1.1/4500 none/none READY
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/184 sec

Tunnel-id Local Remote fvrf/ivrf Status
5 2.2.2.2/4500 1.1.1.1/4500 none/none READY
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/195 sec

Tunnel-id Local Remote fvrf/ivrf Status
11 2.2.2.2/4500 1.1.1.1/4500 none/none READY
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/137 sec

Tunnel-id Local Remote fvrf/ivrf Status
2 2.2.2.2/4500 1.1.1.1/4500 none/none READY
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/84 sec

A(config-if)#do sh cry ipsec sa | b unnel2
interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 2.2.2.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

-------------------//---------------

Phase 2 debugs:

*Nov 14 14:15:25.350: IKEv2:(SESSION ID = 7,SA ID = 1):Received Packet [From 1.1.1.1:4500/To 2.2.2.2:4500/VRF i0:f0]
Initiator SPI : DF20BCD830183163 - Responder SPI : A138DDE01C2C2E93 Message id: 662
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


*Nov 14 14:15:25.350: IKEv2:(SESSION ID = 7,SA ID = 1):Received DPD/liveness query
*Nov 14 14:15:25.350: IKEv2:(SESSION ID = 7,SA ID = 1):Building packet for encryption.
*Nov 14 14:15:25.354: IKEv2:(SESSION ID = 7,SA ID = 1):Sending ACK to informational exchange

*Nov 14 14:15:25.354: IKEv2:(SESSION ID = 7,SA ID = 1):Sending Packet [To 1.1.1.1:4500/From 2.2.2.2:4500/VRF i0:f0]
Initiator SPI : DF20BCD830183163 - Responder SPI : A138DDE01C2C2E93 Message id: 662
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

A#

*Nov 14 14:15:34.354: IKEv2:(SESSION ID = 7,SA ID = 1):Received Packet [From 1.1.1.1:4500/To 2.2.2.2:4500/VRF i0:f0]
Initiator SPI : DF20BCD830183163 - Responder SPI : A138DDE01C2C2E93 Message id: 663
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:


*Nov 14 14:15:34.354: IKEv2:(SESSION ID = 7,SA ID = 1):Received DPD/liveness query
*Nov 14 14:15:34.354: IKEv2:(SESSION ID = 7,SA ID = 1):Building packet for encryption.
*Nov 14 14:15:34.358: IKEv2:(SESSION ID = 7,SA ID = 1):Sending ACK to informational exchange

*Nov 14 14:15:34.358: IKEv2:(SESSION ID = 7,SA ID = 1):Sending Packet [To 1.1.1.1:4500/From 2.2.2.2:4500/VRF i0:f0]
Initiator SPI : DF20BCD830183163 - Responder SPI : A138DDE01C2C2E93 Message id: 663
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

-------------------//---------------

What would cause the tunnel interface to go down? 

1 Reply

Tanveer Dewan
Level 1
Anyone?