IKEv2 - Tunnel UP but no traffic

lemontree_61089
Level 1

Hi,

I am trying to set up a VPN tunnel between two Cisco routers using FlexVPN. The IKEv2 tunnel seems to be UP, and the same goes for the IPsec tunnels; however, no traffic is able to pass over the tunnel.

Looking at the details of the VPN:

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: GigabitEthernet0/0.1
Uptime: 20:29:17
Session status: UP-ACTIVE
Peer: IP port 4500 fvrf: GRE ivrf: GRE
IKEv2 SA: local IP/4500 remote IP/4500 Active
Capabilities:(none) connid:2 lifetime:23:49:30
IPSEC FLOW: permit 47 host IP host IP
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 54735 drop 0 life (KB/Sec) 4330881/12642
Outbound: #pkts enc'ed 91411 drop 0 life (KB/Sec) 4325172/12642
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 68 life (KB/Sec) 4335581/85769
Outbound: #pkts enc'ed 67 drop 0 life (KB/Sec) 4335576/85769

I am having everything dropped on one of the two peers. So then, looking at the details of the IPsec SA, we can see:

 ##pkts replay failed (rcv): 68

Also, I have this log message :

Nov  8 14:36:57 MET: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Replay Failure:srcadr=IP,dstadr=IP,size=144

So it looks like it is the anti-replay mechanism that is dropping the traffic in one direction. First, I do not understand why it is blocking all traffic, and also I did try to disable this mechanism or to increase the window, but that did not change anything. Also, the second peer is fine and does not drop anything.

Let me add I am using a VTI, and the same tunnel with GRE/IPsec with IKEv1 works fine.

If you have any idea or input, please go ahead :)
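As an added example (not from the thread or from Cisco), a small Python script that parses the "show crypto session detail" counters quoted above and flags any IPSEC FLOW whose inbound side decrypts nothing while dropping packets, which is the symptom described in this post, and tallies %VPN_HW-1-PACKET_ERROR replay-failure syslog lines per source/destination pair. The sample output and log line are constructed, and the addresses in them are placeholders.

```python
import re

# Constructed sample, modelled on the "show crypto session detail" output
# quoted in the post; peer addresses are placeholders, not real peers.
SAMPLE = """\
Interface: GigabitEthernet0/0.1
Session status: UP-ACTIVE
  IPSEC FLOW: permit 47 host 192.0.2.1 host 198.51.100.1
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 54735 drop 0 life (KB/Sec) 4330881/12642
        Outbound: #pkts enc'ed 91411 drop 0 life (KB/Sec) 4325172/12642
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 68 life (KB/Sec) 4335581/85769
        Outbound: #pkts enc'ed 67 drop 0 life (KB/Sec) 4335576/85769
"""

FLOW_RE = re.compile(r"IPSEC FLOW:\s+(?P<flow>.+)")
CTR_RE = re.compile(
    r"(?P<dir>Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (?P<pkts>\d+) drop (?P<drop>\d+)")
# Replay-failure syslog line, as in the message quoted in the post.
REPLAY_RE = re.compile(
    r"%VPN_HW-1-PACKET_ERROR:.*Replay Failure:srcadr=(\S+?),dstadr=(\S+?),")

def parse_flows(text):
    """Return one dict per IPSEC FLOW with its inbound/outbound packet and drop counters."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append({"flow": m.group("flow").strip()})
            continue
        m = CTR_RE.search(line)
        if m and flows:
            d = m.group("dir").lower()
            flows[-1][d + "_pkts"] = int(m.group("pkts"))
            flows[-1][d + "_drop"] = int(m.group("drop"))
    return flows

def blackholed_flows(flows):
    """Flows whose inbound side decrypts nothing but drops packets: the session is
    UP-ACTIVE, yet this direction carries no traffic (the situation in the post)."""
    return [f["flow"] for f in flows
            if f.get("inbound_pkts", 0) == 0 and f.get("inbound_drop", 0) > 0]

def replay_failures(syslog_lines):
    """Count replay-failure log lines per (srcadr, dstadr) pair to see which peer's
    packets are being rejected by the anti-replay check."""
    counts = {}
    for line in syslog_lines:
        m = REPLAY_RE.search(line)
        if m:
            counts[m.groups()] = counts.get(m.groups(), 0) + 1
    return counts
```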


JP Miranda Z
Cisco Employee

Hi,

Can you share a sanitized config of the Flex VPN?

Hope this info helps!!

Rate if it helps you!!

-JP-

Sure, have a look below:

Peer1

crypto ikev2 keyring peer2
 peer IP
  address IP
  pre-shared-key local PSK
  pre-shared-key remote PSK
!
crypto ikev2 profile IKEv2-profile
 match fvrf VRF
 match identity remote fqdn peer2
 identity local fqdn peer1
 authentication remote pre-share
 authentication local pre-share
 keyring local peer2
!
crypto ipsec profile ipsec-profile
 set security-association replay window-size 1024
 set transform-set trans-2
 set ikev2-profile IKEv2-profile
!
interface Tunnel1184
 vrf forwarding VRF
 ip address IP
 ip mtu 1220
 ip tcp adjust-mss 1180
 ip ospf mtu-ignore
 ip ospf cost 1000
 keepalive 10 3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
 tunnel source IP
 tunnel destination IP
 tunnel vrf VRF


=================================

Peer2

crypto ikev2 keyring peer1
 peer IP
  address IP
  pre-shared-key local PSK
  pre-shared-key remote PSK
!
crypto ikev2 profile IKEv2-profile
 match identity remote fqdn peer1
 identity local fqdn peer2
 authentication local pre-share
 authentication remote pre-share
 keyring peer1
!
crypto ipsec profile ipsec-profile
 set security-association replay window-size 1024
 set transform-set trans-2
 set ikev2-profile IKEv2-profile
!
interface Tunnel10
 ip address IP
 ip mtu 1220
 ip tcp adjust-mss 1180
 ip ospf cost 1000
 ip ospf mtu-ignore
 load-interval 30
 keepalive 10 3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
 tunnel source IP
 tunnel destination IP

Also, I did reproduce the configuration on GNS3, and it is working like a charm.

Thanks,

Graham Bartlett
Cisco Employee

Hi

I noticed this:

IPSEC FLOW: permit 47 host IP host IP

which looks like it's using GRE. Do you have multiple tunnels configured?

cheers

It is a migration from an IKEv1 tunnel with GRE/IPsec to IKEv2 with VTI only. So this is probably coming from the old tunnel.

MANI .P
Level 1

Hi, I think it is a bug...

I would recommend you refer to the document.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCef47566/?referring_site=bugquickviewredir

Regards ,

Mani
