
IKEv2 VTI tunnel up/down

36223
Level 1

One of my IKEv2 tunnels is stuck in up/down but the other one is up/up and working. Can someone help me fix this? See configs and debugs below. IP addresses have been modified but hopefully you can still follow.

1 Accepted Solution


I figured it out using debugs.  Auth failure was occurring b/c the remote peer was using incorrect source peer IP address.  Once the correct source peer IP was added to VPN tunnel configuration, the SVTI came up and established security association.


6 Replies

ashok_boin
Level 5

You have not specified which specific tunnel is down.

However, there is an authentication issue for one, which is taking one of these "down". Please refer to the following link for further troubleshooting and provide more information from the relevant "show" and "debug" outputs.

19490: Nov 18 09:56:36.294 EST: IKEv2-ERROR:(SESSION ID = 42128,SA ID = 1):: Failed to locate an item in the database
019491: Nov 18 09:56:36.295 EST: IKEv2:(SESSION ID = 42128,SA ID = 1):Verification of peer's authentication data FAILED
019492: Nov 18 09:56:36.295 EST: IKEv2:(SESSION ID = 42128,SA ID = 1):Auth exchange failed

 

With best regards...
Ashok

interface tunnel 3 with peer IP x.x.229.152 is up/down

Thank you. It looks like the Auth failure issue is not relevant for this peer then.

Can you please post conditional debug (link below) of "debug crypto isakmp" at both ends of tunnels?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-crypto-debug-sup.html

 

Regards...

Ashok.


With best regards...
Ashok

I figured it out using debugs.  Auth failure was occurring b/c the remote peer was using incorrect source peer IP address.  Once the correct source peer IP was added to VPN tunnel configuration, the SVTI came up and established security association.
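The debug lines quoted earlier in this thread and the resolution above can be turned into a small triage script. This is an added example, not part of any post in the thread; the sample input is built from the thread's three debug lines plus one constructed placeholder line, and the function names and hint text are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three debug lines quoted in this thread, plus one
# constructed placeholder line for a second session that did not fail.
SAMPLE = """\
19490: Nov 18 09:56:36.294 EST: IKEv2-ERROR:(SESSION ID = 42128,SA ID = 1):: Failed to locate an item in the database
019491: Nov 18 09:56:36.295 EST: IKEv2:(SESSION ID = 42128,SA ID = 1):Verification of peer's authentication data FAILED
019492: Nov 18 09:56:36.295 EST: IKEv2:(SESSION ID = 42128,SA ID = 1):Auth exchange failed
019493: Nov 18 09:56:40.101 EST: IKEv2:(SESSION ID = 42130,SA ID = 2):placeholder message (constructed)
"""

# Records start with "<seq>: <Mon> <day> <hh:mm:ss>"; splitting on that also
# recovers records that were pasted fused onto a single line.
RECORD_START = re.compile(r"\s+(?=\d+: [A-Z][a-z]{2} +\d+ \d\d:\d\d:)")
LINE_RE = re.compile(
    r"^\d+: (?P<ts>.+?): IKEv2(?:-ERROR)?:"
    r"\(SESSION ID = (?P<sid>\d+),SA ID = (?P<sa>\d+)\):+\s*(?P<msg>.*)$"
)
# Message substrings taken from the thread's debug output.
MARKERS = {
    "lookup": "Failed to locate an item in the database",
    "verify": "Verification of peer's authentication data FAILED",
    "exchange": "Auth exchange failed",
}

def parse(text):
    """Yield (session_id, sa_id, timestamp, message) for each IKEv2 debug record."""
    for rec in RECORD_START.split(text.strip()):
        m = LINE_RE.match(rec)
        if m:
            yield int(m["sid"]), int(m["sa"]), m["ts"], m["msg"]

def auth_failures(text):
    """Map (session_id, sa_id) -> sorted marker names, for sessions whose AUTH failed."""
    seen = defaultdict(set)
    for sid, sa, _ts, msg in parse(text):
        seen[(sid, sa)].update(n for n, needle in MARKERS.items() if needle in msg)
    return {k: sorted(v) for k, v in seen.items() if {"verify", "exchange"} & v}

def hint(markers):
    """Triage hint; the lookup case reflects this thread's resolution only."""
    if "lookup" in markers:
        return "check that the peer address configured for the tunnel matches the address the peer sources IKE from"
    return "AUTH failed without a lookup error; not the pattern seen in this thread"

if __name__ == "__main__":
    for (sid, sa), marks in auth_failures(SAMPLE).items():
        print(f"session {sid} SA {sa}: {', '.join(marks)} -> {hint(marks)}")
```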

Excellent. Glad to know that you were able to resolve it.


With best regards...
Ashok

BilalButt62333
Level 1

How did you apply the debug and how does it show it? Kindly let me know which commands you used; I also have some issues regarding IPsec IKEv2.
