36223
Beginner

IKEv2 VTI tunnel up/down

One of my IKEv2 tunnels is stuck in up/down but the other one is up/up and working.  Can someone help me fix this?  See configs and debugs below.  IP addresses have been modified but hopefully you can still follow.


ashok_boin
Contributor

You have not specified which specific tunnel is down.

However, there is an authentication issue for one, which is taking one of these "down". Please refer to the following link for further troubleshooting and provide more information from the relevant "show" and "debug" outputs.

19490: Nov 18 09:56:36.294 EST: IKEv2-ERROR:(SESSION ID = 42128,SA ID = 1):: Failed to locate an item in the database
019491: Nov 18 09:56:36.295 EST: IKEv2:(SESSION ID = 42128,SA ID = 1):Verification of peer's authentication data FAILED
019492: Nov 18 09:56:36.295 EST: IKEv2:(SESSION ID = 42128,SA ID = 1):Auth exchange failed

 

With best regards...
Ashok

interface tunnel 3 with peer IP x.x.229.152 is up/down

Thank you. It looks like the Auth failure issue is not relevant for this peer then.

Can you please post a conditional debug (link below) of "debug crypto isakmp" from both ends of the tunnels?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-crypto-debug-sup.html

 

Regards...

Ashok.


With best regards...
Ashok

I figured it out using debugs.  Auth failure was occurring b/c the remote peer was using incorrect source peer IP address.  Once the correct source peer IP was added to VPN tunnel configuration, the SVTI came up and established security association.

Excellent. Glad to know that you were able to resolve it.


With best regards...
Ashok
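
The debug lines quoted in the thread can be grouped by session so that a failed AUTH exchange, and the lookup failure logged just before it, stand out. The following is an added example, not code from any poster or from Cisco; the function names and the fourth sample line are constructed for illustration, and the hint text reflects only the cause reported in this thread.

```python
import re
from collections import defaultdict

# Debug lines as quoted in the thread, plus one constructed line for a
# different session to show that sessions without an AUTH failure are skipped.
SAMPLE = """\
19490: Nov 18 09:56:36.294 EST: IKEv2-ERROR:(SESSION ID = 42128,SA ID = 1):: Failed to locate an item in the database
019491: Nov 18 09:56:36.295 EST: IKEv2:(SESSION ID = 42128,SA ID = 1):Verification of peer's authentication data FAILED
019492: Nov 18 09:56:36.295 EST: IKEv2:(SESSION ID = 42128,SA ID = 1):Auth exchange failed
019493: Nov 18 09:56:37.101 EST: IKEv2:(SESSION ID = 42129,SA ID = 2):Constructed sample line for another session
"""

LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+(?P<tz>\w+):\s+"
    r"(?P<tag>IKEv2(?:-ERROR)?):\(SESSION ID = (?P<session>\d+),SA ID = (?P<sa>\d+)\):+\s*"
    r"(?P<msg>.*)$"
)

# Message fragments taken from the thread's debug output.
LOOKUP_FAIL = "Failed to locate an item in the database"
AUTH_FAILS = ("Verification of peer's authentication data FAILED", "Auth exchange failed")

def parse(text):
    """Return one dict per recognised IKEv2 debug line, in input order."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def failed_auth_sessions(text):
    """Map (session id, SA id) -> summary, only for sessions whose AUTH failed."""
    by_sa = defaultdict(list)
    for rec in parse(text):
        by_sa[(int(rec["session"]), int(rec["sa"]))].append(rec)
    report = {}
    for key, recs in by_sa.items():
        msgs = [r["msg"] for r in recs]
        fails = [i for i, m in enumerate(msgs) if any(f in m for f in AUTH_FAILS)]
        if not fails:
            continue
        report[key] = {
            "first_seen": recs[0]["ts"],
            # True when the lookup error was logged before the first AUTH failure.
            "lookup_failed_first": any(LOOKUP_FAIL in m for m in msgs[:fails[0]]),
            "errors": [r["msg"] for r in recs if r["tag"] == "IKEv2-ERROR"],
        }
    return report

if __name__ == "__main__":
    for (session, sa), info in failed_auth_sessions(SAMPLE).items():
        hint = "compare the peer's source IP with the tunnel configuration" if info["lookup_failed_first"] else "review AUTH settings"
        print(f"session {session} SA {sa}: AUTH failed ({info['first_seen']}); {hint}")
```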