IKEv2 IPsec does not come up

Between the ISR Router ISR4331, I have configured IKEv2, but the tunnel comes up.

The setup is hub and spoke.
On the hub router there are more than 35 tunnels; I am facing the issue with only one site.

 

Logs collected from the spoke router:

Apr 15 12:32:03.188: IKEv2:% Getting preshared key from profile keyring IKEV2-KEYRING
Apr 15 12:32:03.189: IKEv2:% Matched peer block 'routerR02'
Apr 15 12:32:03.189: IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 0, local address xx.xx.xx.xx
Apr 15 12:32:03.189: IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'IKEV2-POLICY'
Apr 15 12:32:03.190: IKEv2-ERROR:Address type 1620352985 not supported

Apr 15 12:32:03.190: IKEv2:SA is already in negotiation, hence not negotiating again
Apr 15 12:32:04.853: IKEv2:(SESSION ID = 3,SA ID = 1):Retransmitting packet

Apr 15 12:32:04.853: IKEv2:(SESSION ID = 3,SA ID = 1):Sending Packet [To XX.xx.xx.xx:500/From xx.xx.xx.xx:500/VRF i0:f0]
Initiator SPI : B5798795A3E64F90 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Apr 15 12:32:09.649: IKEv2-ERROR:(SESSION ID = 3,SA ID = 1):: Maximum number of retransmissions reached
Apr 15 12:32:09.649: IKEv2:(SESSION ID = 3,SA ID = 1):Failed SA init exchange
Apr 15 12:32:09.649: IKEv2-ERROR:(SESSION ID = 3,SA ID = 1):Initial exchange failed: Initial exchange failed
Apr 15 12:32:09.649: IKEv2:(SESSION ID = 3,SA ID = 1):Abort exchange
Apr 15 12:32:09.650: IKEv2:(SESSION ID = 3,SA ID = 1):Deleting SA

 

For IKEv2, what debug command do I need to run on the hub router? Or kindly help us to fix the issue.

 

Thanks,

Vinothkumar.R

 

1 Reply

If you have multiple site-to-site VPNs, make sure you use the debug crypto condition peer x.x.x.x command (where x.x.x.x is the IP of the remote VPN router),

then run the commands:

debug crypto ikev2 packet

debug crypto ikev2 internal

debug crypto ipsec sa

--
Please remember to select a correct answer and rate helpful posts
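
One way to triage saved debug output like the spoke log in the question, as an added example that is not part of the original thread: this Python sketch groups the lines by session and SA ID and flags a negotiation whose IKE_SA_INIT request was retransmitted to the limit while the responder SPI was still zero. The function name `triage`, the verdict strings and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the spoke debug output in the question;
# the addresses are documentation-range placeholders, not values from the thread.
SAMPLE = """\
Apr 15 12:32:03.189: IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'IKEV2-POLICY'
Apr 15 12:32:04.853: IKEv2:(SESSION ID = 3,SA ID = 1):Retransmitting packet
Apr 15 12:32:04.853: IKEv2:(SESSION ID = 3,SA ID = 1):Sending Packet [To 203.0.113.1:500/From 198.51.100.7:500/VRF i0:f0]
Initiator SPI : B5798795A3E64F90 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Apr 15 12:32:09.649: IKEv2-ERROR:(SESSION ID = 3,SA ID = 1):: Maximum number of retransmissions reached
Apr 15 12:32:09.649: IKEv2:(SESSION ID = 3,SA ID = 1):Failed SA init exchange
"""

TAG = re.compile(r"IKEv2(?:-ERROR)?:\(SESSION ID = (\d+),SA ID = (\d+)\):+\s*(.*)")
PEER = re.compile(r"Sending Packet \[To ([^:\s]+):\d+/From")
SPI = re.compile(r"Responder SPI : ([0-9A-Fa-f]{16})")
EXCH = re.compile(r"^IKEv2 (\S+) Exchange (REQUEST|RESPONSE)")

def triage(text):
    """Group debug lines by (session id, SA id) and classify each negotiation."""
    sas = defaultdict(lambda: {"peer": None, "retransmits": 0, "exchange": None,
                               "responder_spi": None, "gave_up": False})
    current = None
    for line in text.splitlines():
        tagged = TAG.search(line)
        if tagged:
            current = (int(tagged.group(1)), int(tagged.group(2)))
            msg, sa = tagged.group(3), sas[current]
            sa["retransmits"] += msg.startswith("Retransmitting packet")
            sa["gave_up"] |= "Maximum number of retransmissions" in msg
            peer = PEER.search(msg)
            if peer:
                sa["peer"] = peer.group(1)
        elif current is not None:
            # Untagged lines (SPI pair, exchange type) continue the last tagged packet dump.
            spi, exch = SPI.search(line), EXCH.search(line)
            if spi:
                sas[current]["responder_spi"] = spi.group(1)
            if exch:
                sas[current]["exchange"] = exch.group(1)
    for sa in sas.values():
        # An IKE_SA_INIT request retried to the limit with the responder SPI still
        # all zeros means the initiator never processed a reply from the peer.
        unanswered = (sa["gave_up"] and sa["exchange"] == "IKE_SA_INIT"
                      and sa["responder_spi"] == "0" * 16)
        sa["verdict"] = ("no-reply-to-IKE_SA_INIT" if unanswered
                         else "timeout-in-later-exchange" if sa["gave_up"] else "no-timeout-seen")
    return dict(sas)
```

A `no-reply-to-IKE_SA_INIT` verdict points the next check at the path and the far end (UDP 500 reachability, and whether the hub logs the request at all under the conditional debug) rather than at the proposal or key settings.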