We have an IKEv2 L2L VPN with one of our customers which has three subnets in the encryption domain. Today, one of the subnets stopped passing traffic. Upon examination we found that the Phase 2 child SA for that subnet was not establishing, even with interesting traffic.
The odd thing is that when you run a packet tracer it shows the VPN Encrypt and Allow stages, as though the SA were active. It's almost as if a "phantom" SA exists and is preventing the normal establishment for the subnet in question.
Other than a reboot, does anyone have any ideas as to how to track this down and clear it out? We've done a complete rip/replace of the configuration which didn't help.
Before proceeding with other troubleshooting steps, try clearing the existing SA for the affected subnet. You can do this by using the [clear crypto ipsec sa] command on the relevant devices participating in the VPN. This will clear any existing SA entries and allow the negotiation process.
This was done, as well as a complete rip/rebuild of the configuration.
The customer rebuilt the VPN on his side (FortiGate), splitting up the configuration into three separate SAs, but now the SA in question is up but shows zero packets encaps/decaps even after an fping of the entire /11 subnet.
We have a number of customers on IKEv2 with multiple subnets. This was working but just decided to stop passing traffic over this single SA. There are two other SAs to the customer that are working fine. The fact that it "just stopped" is really odd. It's been working for over a year.
I don't get it, packet capture for what?
I need to check if the ACL of IKEv2 of this S2S VPN detects this subnet; if not, then there is another ACL of another VPN conflicting with this ACL.
Also, please share the output of show crypto ikev2 and show crypto ipsec sa.
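A check for the ACL conflict suspected in the last reply, added here as an example and not posted by anyone in the thread: it parses crypto-map ACL entries (constructed sample lines modelled on ASA syntax, with hypothetical ACL names, map name and addresses) and reports any entry in a lower crypto-map sequence whose local/remote selectors overlap an entry in a higher sequence. Crypto map entries are evaluated in sequence order and the first match wins, so a shadowed entry produces exactly the symptom above: packet tracer shows VPN encrypt, but the intended SA counts zero encaps.

```python
import re
from ipaddress import ip_network

# Constructed sample config, modelled on ASA crypto-map ACL syntax.
# Names and addresses are hypothetical; seq 10 (another VPN) carries a broad
# 172.0.0.0/8 entry that swallows the 172.96.0.0/11 subnet meant for seq 20.
SAMPLE_CONFIG = """
access-list cust_a extended permit ip 10.1.0.0 255.255.0.0 172.0.0.0 255.0.0.0
access-list cust_b extended permit ip 10.1.0.0 255.255.0.0 172.96.0.0 255.224.0.0
access-list cust_b extended permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
crypto map outside_map 10 match address cust_a
crypto map outside_map 20 match address cust_b
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_config(text):
    """Return ({acl: [(local_net, remote_net), ...]}, {acl: (map_name, seq)})."""
    aces, maps = {}, {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, lip, lmask, rip, rmask = m.groups()
            aces.setdefault(name, []).append(
                (ip_network(f"{lip}/{lmask}"), ip_network(f"{rip}/{rmask}")))
            continue
        m = MAP_RE.match(line)
        if m:
            maps[m.group(3)] = (m.group(1), int(m.group(2)))
    return aces, maps


def find_overlaps(text):
    """List (winning_seq, shadowed_seq, local, remote) for every entry of a
    higher sequence that a lower sequence in the same crypto map also matches."""
    aces, maps = parse_config(text)
    hits = []
    bound = [(maps[n], n) for n in aces if n in maps]
    for (map1, seq1), acl1 in bound:
        for (map2, seq2), acl2 in bound:
            if map1 != map2 or seq1 >= seq2:
                continue  # only a lower sequence can shadow a higher one
            for loc1, rem1 in aces[acl1]:
                for loc2, rem2 in aces[acl2]:
                    if loc1.overlaps(loc2) and rem1.overlaps(rem2):
                        hits.append((seq1, seq2, str(loc2), str(rem2)))
    return hits
```

Run `find_overlaps` over the real `show running-config` ACL and crypto map lines; any hit names the sequence whose SA will stay at zero encaps until the broader entry is narrowed.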