Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
546
Views
3
Helpful
7
Replies

One Phase 2 SA not establishing

dervari
Level 1
Level 1

‎06-06-2023 07:50 PM

We have an IKEv2 L2L VPN with one of our customers which has three subnets in the encryption domain.  Today, one of the subnets stopped passing traffic.  Upon examination we found that the Phase 2 child sa for that subnet was not establishing, even with interesting traffic.

The odd thing is that when you run a packet tracer it shows VPN Encrypt and Allow stages, as though the sa were active.  It's almost as if a "phantom" sa exists and preventing the normal establishment for the subnet in question.

Other than a reboot, does anyone have any ideas as to how to track this down and clear it out?  We've done a complete rip/replace of the configuration which didn't help.

Thanks!

Labels:
7 Replies 7

M02@rt37
VIP
VIP

‎06-06-2023 10:53 PM

Hello @dervari,

Before proceeding with other troubleshooting steps, try clearing the existing SA for the affected subnet. You can do this by using the [clear crypto ipsec sa] command on the relevant devices participating in the VPN. This will clear any existing SA entries and allow the negotiation process.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

dervari
Level 1
Level 1
In response to M02@rt37

‎06-07-2023 05:25 AM

This was done, as well as a complete rip/rebuild of the configuration.

The customer rebuilt the VPN on his side (Fortigate) splitting up the configuration into three separate SAs, but now the SA in question is up but shows zero packets encaps/decaps even after a fping of the entire /11 subnet.

0 Helpful

MHM Cisco World
VIP
VIP
In response to dervari

‎06-07-2023 05:37 AM

Use IKEv1 instead , I think IKEv2 not support multi SA (one SA for each subnet)

0 Helpful

dervari
Level 1
Level 1
In response to MHM Cisco World

‎06-07-2023 05:43 AM

We have a number of customers on IKEv2 with multiple subnets.  This was working but just decided to stop passing traffic over this single SA.  There are two other SAs to the customer that are working fine.  The fact that it "just stopped" is really odd.  It's been working for over a year.

MHM Cisco World
VIP
VIP
In response to dervari

‎06-07-2023 05:48 AM

OK, ping to this subent with repeat 1000 times and see if the ACL of IKEv2 hit count increase 

0 Helpful

dervari
Level 1
Level 1
In response to MHM Cisco World

‎06-07-2023 05:58 AM

Already tried fping of the entire /11.  Nada.  Packet capture shows ingress traffic on the correct subinterface from the proper source for all three subnets.

MHM Cisco World
VIP
VIP
In response to dervari

‎06-07-2023 06:10 AM - edited ‎06-07-2023 06:11 AM

I dont get, packet capture for what ?
I need to check if the ACL of IKEv2 of this S2S VPN is detect this subnet if not then there is other ACL of other VPN conflict with this ACL.
also please share the show crypto ikev2 and show crypto ipsec sa 

0 Helpful
Customers Also Viewed These Support Documents