
Ipsec tunnel up no transmitted packets


Hi Folks,

I need some help please; it seems I'm missing something but can't figure it out at the moment. I have identical sites using this setup and they are functioning fine.

My setup is a small branch with a cable modem. I have a Cisco 881 router connected and have configured an IPsec VPN to my HQ. The tunnel is up, both phase 1 and phase 2, but traffic is not going over the tunnel.

The access list for the crypto map is being hit, as I turned on logging, but if I do an extended ping or trace using the SVI on the router I get nothing. I have added the router config below.

crypto ikev2 proposal MyProposal
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy My-policy
 match fvrf any
 proposal MyProposal
crypto ikev2 keyring My-keyring
 peer peer1
  pre-shared-key local XXXXXX
  pre-shared-key remote XXXXXX
crypto ikev2 profile My-profile
 match identity remote address
 authentication remote pre-share
 authentication local pre-share
 keyring local My-keyring
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set My-transform-set esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map AllowToHOBranch 1 ipsec-isakmp
 set peer
 set security-association lifetime seconds 28800
 set transform-set My-transform-set
 set pfs group19
 set ikev2-profile My-profile
 match address 99
interface FastEthernet0
 no ip address
interface FastEthernet4
 ip address
 ip tcp adjust-mss 1232
 crypto map AllowToHOBranch
interface Vlan1
 ip address
ip route
access-list 99 permit ip any


Output of show crypto:
sh crypto ikev2 sa

IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4187 sec

No packets seen on the sh crypto ipsec sa peer command.

Any help will be greatly appreciated.



I'm also checking and comparing versions with my other branch routers; some are the same model and definitely have DH 19 configured.

One difference I noticed on 2 working ones was the IKEv2 SA had PRF:256, which is not in the non-working one. PRF is not in the running config though.

Working Branch

Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/14934 sec

Non Working Branch

Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4187 sec

You get it, I think.

@Alekin what is the difference in hardware and software versions between the working and non-working site?

In IKEv2, PRF (pseudo-random function) would be set to the same as the defined hash algorithm if not explicitly defined. However, I'd expect it to be displayed in the output once the IKEv2 SA has been established.
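As an added example, not code from anyone in this thread, the following Python script parses the two "show crypto ikev2 sa" parameter lines quoted in the working/non-working comparison above and reports which SA attributes differ, applying the rule from the reply that an undisplayed PRF is assumed to follow the Hash algorithm. The sample lines are the ones posted in the thread; the function names are my own.

```python
# Constructed from the two SA parameter blocks posted in the thread.
WORKING = """\
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/14934 sec
"""
NON_WORKING = """\
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4187 sec
"""


def parse_sa_params(text):
    """Return {field: value} from the 'Encr: ...' line of 'show crypto ikev2 sa'.

    Other lines (e.g. Life/Active Time) are ignored; fields are separated by
    commas and each is 'Name: value' (note 'DH Grp:19' has no space).
    """
    for line in text.splitlines():
        if line.lstrip().startswith("Encr:"):
            params = {}
            for part in line.split(","):
                if ":" not in part:
                    continue
                key, value = part.split(":", 1)
                params[key.strip()] = value.strip()
            return params
    raise ValueError("no IKEv2 SA parameter line found")


def prf_or_default(params):
    """Return (prf, assumed): the displayed PRF, or the Hash algorithm with assumed=True.

    IKEv2 negotiates the PRF separately, but IOS defaults it to the integrity
    algorithm when none is configured, so a missing PRF field is treated that way.
    """
    if "PRF" in params:
        return params["PRF"], False
    return params["Hash"], True


def compare_sa(working_text, broken_text):
    """Diff two parsed SA parameter sets: fields on one side only, and differing values."""
    w, b = parse_sa_params(working_text), parse_sa_params(broken_text)
    report = {}
    for key in sorted(set(w) | set(b)):
        if key not in b:
            report[key] = ("present only on working side", w[key])
        elif key not in w:
            report[key] = ("present only on broken side", b[key])
        elif w[key] != b[key]:
            report[key] = ("mismatch", f"{w[key]} vs {b[key]}")
    return report


if __name__ == "__main__":
    for field, (reason, detail) in compare_sa(WORKING, NON_WORKING).items():
        print(f"{field}: {reason} ({detail})")
    print("broken-side PRF (assumed from Hash):", prf_or_default(parse_sa_params(NON_WORKING)))
```

Running it on the thread's two outputs reports only PRF as present on the working side, which matches the difference the poster spotted by eye.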


No difference in hardware, only IOS image was different!!

And that was the issue as the upgrade resolved the connectivity.



This issue is now resolved, I had to upgrade the image and this fixed the tunnels.

Lesson learnt: don't overlook the IOS version; I could've had this resolved much earlier.

Many thanks to @Rob Ingram @MHM Cisco World for contributions and sanity checks along the way, your help was greatly appreciated.

You are so so welcome friend.