Showing results for 
Search instead for 
Did you mean: 

One Phase 2 SA not establishing


We have an IKEv2 L2L VPN with one of our customers which has three subnets in the encryption domain.  Today, one of the subnets stopped passing traffic.  Upon examination we found that the Phase 2 child sa for that subnet was not establishing, even with interesting traffic.

The odd thing is that when you run a packet tracer it shows VPN Encrypt and Allow stages, as though the sa were active.  It's almost as if a "phantom" sa exists and preventing the normal establishment for the subnet in question.

Other than a reboot, does anyone have any ideas as to how to track this down and clear it out?  We've done a complete rip/replace of the configuration which didn't help.


7 Replies 7


Hello @dervari,

Before proceeding with other troubleshooting steps, try clearing the existing SA for the affected subnet. You can do this by using the [clear crypto ipsec sa] command on the relevant devices participating in the VPN. This will clear any existing SA entries and allow the negotiation process.


Best regards
******* If This Helps, Please Rate *******

This was done, as well as a complete rip/rebuild of the configuration.

The customer rebuilt the VPN on his side (Fortigate) splitting up the configuration into three separate SAs, but now the SA in question is up but shows zero packets encaps/decaps even after a fping of the entire /11 subnet.

Use IKEv1 instead , I think IKEv2 not support multi SA (one SA for each subnet)

We have a number of customers on IKEv2 with multiple subnets.  This was working but just decided to stop passing traffic over this single SA.  There are two other SAs to the customer that are working fine.  The fact that it "just stopped" is really odd.  It's been working for over a year.

OK, ping to this subent with repeat 1000 times and see if the ACL of IKEv2 hit count increase 

Already tried fping of the entire /11.  Nada.  Packet capture shows ingress traffic on the correct subinterface from the proper source for all three subnets.

I dont get, packet capture for what ?
I need to check if the ACL of IKEv2 of this S2S VPN is detect this subnet if not then there is other ACL of other VPN conflict with this ACL.
also please share the show crypto ikev2 and show crypto ipsec sa 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: