cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4254
Views
5
Helpful
6
Replies

IKEv2 VTI tunnel up/down

36223
Beginner
Beginner

one of my IKEv2 tunnels is stuck in up/down but the other one is up/up and working.  Can someone help me fix this?  See configs and debugs below.  IP addresses have been modified but hopefully you can still follow.

1 Accepted Solution

Accepted Solutions

I figured it out using debugs.  Auth failure was occurring b/c the remote peer was using incorrect source peer IP address.  Once the correct source peer IP was added to VPN tunnel configuration, the SVTI came up and established security association.

View solution in original post

6 Replies 6

ashok_boin
Contributor
Contributor

You have not specified which specific tunnel is down.

However, there is authentication issue for one which is taking one of this "down". Please refer the following link for further troubleshooting & provide more information of relevant "show" and 'debug" outputs.

19490: Nov 18 09:56:36.294 EST: IKEv2-ERROR:(SESSION ID = 42128,SA ID = 1):: Failed to locate an item in the database 019491: Nov 18 09:56:36.295 EST: IKEv2:(SESSION ID = 42128,SA ID = 1):Verification of peer's authentication data FAILED 019492: Nov 18 09:56:36.295 EST: IKEv2:(SESSION ID = 42128,SA ID = 1):Auth exchange failed

 

With best regards...
Ashok

interface tunnel 3 with peer IP x.x.229.152 is up/down

Thank you. It looks Auth failure issue is not relevant for this peer then. 

Can you please post conditional debug (link below) of "debug crypto isakmp" at both ends of tunnels?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-crypto-debug-sup.html

 

Regards...

Ashok.


With best regards...
Ashok

I figured it out using debugs.  Auth failure was occurring b/c the remote peer was using incorrect source peer IP address.  Once the correct source peer IP was added to VPN tunnel configuration, the SVTI came up and established security association.

Excellent. Glad to know that you could able to resolve


With best regards...
Ashok

BilalButt62333
Beginner
Beginner

how did you apply to debug and how it shows it kindly let me know which commands you used, i also have some issues regarding IPsec ikev2 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers