cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2168
Views
0
Helpful
11
Replies

No logs for ikev2 on router

cisco-ninja
Level 1
Level 1

Hi. I was hoping to see ikev2 logs after entering "debug crypto ikev2" on a cisco router (C891FJ-K9) but nothing shows up on the router log. What could I be missing here?

1 Accepted Solution

Accepted Solutions

@cisco-ninja you are using a policy based VPN (crypto map) you will need to generate interesting traffic before the tunnel will even attempt to establish, and only then will it generate logs. Run a ping to a destination from the VLAN10 network - from the router "ping <dest ip> source vlan 10"

You've got NAT configured. What is the configuration of list "1"? Are you unintentially translating the internal traffic behind VLAN20 - this would cause a problem with the VPN as the crypto ACL is configured to use zz.zz.zz.zz (VLAN10) as the source.

Why do you even need NAT if you are tunnelling all traffic over the VPN?

What the configuration of the ACLs on the VLAN20 interface?

View solution in original post

11 Replies 11

is your router have access to IPsec peer? is it pingable if ping enabled on peer side? did you configured default route towards internet (to connect with IPSec peer)?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

cisco-ninja
Level 1
Level 1

@Kasun Bandara 
Thank you. 

is your router have access to IPsec peer?  --> sorry not sure what you mean...

is it pingable if ping enabled on peer side? --> yes

did you configured default route towards internet (to connect with IPSec peer)? --> yes

Actually, there is another crypto map using IKEv1 I believe which is working normally.

if it pingable both sides, i can guess that you have access between 2 IPsec peers. is that IKEv1 configured for same peer?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

cisco-ninja
Level 1
Level 1

@Kasun Bandara 
sorry i meant it was pingable using the global Ip addresses on both sides. Not able to ping LAN IPs.
IKEv1 is configured for a different router.

what is the exact debug command you are using? also are you connected to router via Console or SSH/Telnet?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Share config I will check

cisco-ninja
Level 1
Level 1

@Kasun Bandara 
debug crypto ikev2
this is the exact debug command nothing special i hope

@MHM Cisco World 
please see the attached file that i have posed in the beginning.

cisco-ninja
Level 1
Level 1

@Kasun Bandara 
i was accessing via ssh but i went to the office today and connected via console but same output. 

@cisco-ninja you are using a policy based VPN (crypto map) you will need to generate interesting traffic before the tunnel will even attempt to establish, and only then will it generate logs. Run a ping to a destination from the VLAN10 network - from the router "ping <dest ip> source vlan 10"

You've got NAT configured. What is the configuration of list "1"? Are you unintentially translating the internal traffic behind VLAN20 - this would cause a problem with the VPN as the crypto ACL is configured to use zz.zz.zz.zz (VLAN10) as the source.

Why do you even need NAT if you are tunnelling all traffic over the VPN?

What the configuration of the ACLs on the VLAN20 interface?

Thank you all for your help!
@Rob Ingram It worked! Thank you so much. Your advice cleared the issue!

ip nat insde source list 100 interface vlan 20 overload 
!
ip access-list NAT-ACL extended 
deny ip <LAN your site> <LAN other site>

permit ip <LAN your side> <any>
!
ip access-list IKEv2-ACL extended 
permit ip <LAN your site> <LAN other site>