01-30-2024 09:23 AM
Hello,
I have a hub and spoke topology with IPsec tunnels (FlexVPN) and the tunnels are working well.
The problem is that I have unwanted IKEv2 requests every minute, while the IPsec tunnel is already established to the hub.
When the tunnel is administratively shut down, the unwanted IKEv2 requests continue.
Only the tunnel is using the IPsec/IKEv2 profile and the smart profiles are disabled on the router.
So I don't understand which process can send these IKE requests.
Here is the debug on the hub from these requests:
Jan 30 16:38:09.643 UTC: IKEv2:Received Packet [From x.x.x.x:500/To x.x.x.x:500/VRF i0:f0]
Initiator SPI : AA1A43B492F7B7E7 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Jan 30 16:38:09.644 UTC: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 354
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
KE Next payload: N, reserved: 0x0, length: 72
DH group: 19, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: VID, reserved: 0x0, length: 19
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) Next payload: VID, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
VID Next payload: NONE, reserved: 0x0, length: 20
Jan 30 16:38:09.651 UTC: IKEv2:(SESSION ID = 907513,SA ID = 49):Sending Packet [To x.x.x.x:500/From x.x.x.x:500/VRF i0:f0]
Initiator SPI : AA1A43B492F7B7E7 - Responder SPI : AD7760A99C62A431 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Jan 30 16:38:09.651 UTC: IKEv2-PAK:(SESSION ID = 907513,SA ID = 49):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 399
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
KE Next payload: N, reserved: 0x0, length: 72
DH group: 19, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: VID, reserved: 0x0, length: 19
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: CERTREQ, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
CERTREQ Next payload: NOTIFY, reserved: 0x0, length: 45
Cert encoding X.509 Certificate - signature
NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) Next payload: VID, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
VID Next payload: NONE, reserved: 0x0, length: 20
From the spoke, the IKE request is not caught by the debug, but the response from the hub generates an error:
Jan 30 17:09:38.220 UTC: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From x.x.x.x:500/To x.x.x.x:500/VRF i0:f0]
Initiator SPI : D25C5A1E83AF2C48 - Responder SPI : 733C7D9C5E83D58F Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Jan 30 17:09:38.220 UTC: IKEv2-PAK:(SESSION ID = 0,SA ID = 0):Next payload: SA, version: 2.0
Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 399
Jan 30 17:09:38.220 UTC: IKEv2-ERROR:: A supplied parameter is incorrect
Jan 30 17:09:53.035 UTC: IKEv2-INTERNAL:Got a packet from dispatcher
Jan 30 17:09:53.035 UTC: IKEv2-INTERNAL:Processing an item off the pak queue
Jan 30 17:09:53.035 UTC: IKEv2-INTERNAL:Couldn't find matching SA
Jan 30 17:09:53.035 UTC: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
If you have any idea, please let me know.
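The two debug excerpts above are the kind of evidence this question turns on: whether the hub's IKE_SA_INIT requests recur on a fixed cadence, and whether the spoke's received response belongs to any request the spoke itself sent. The following is an added example, not code from the original post: a small Python parser for the `debug crypto ikev2` line format quoted above, with helpers that measure the interval between received IKE_SA_INIT requests per peer, list received responses with no visible outgoing request, and correlate Initiator SPIs across a hub and a spoke capture. The captures embedded in it are constructed: the peer addresses (RFC 5737 documentation ranges), the second request a minute later and its SPIs are invented so there is something to compare; the first exchange reuses the SPI values from the thread.

```python
"""Parse Cisco IOS 'debug crypto ikev2' output and correlate hub/spoke captures.

Added example for this thread, not code from the original post. The line format
follows the debug lines quoted in the thread. The captures below are constructed:
peer addresses (RFC 5737 documentation ranges), the second request one minute
later and its SPIs are invented so there is something to compare.
"""
import re
from datetime import datetime

# e.g. "Jan 30 16:38:09.643 UTC: IKEv2:(SESSION ID = 907513,SA ID = 49):Sending Packet [To a:500/From b:500/VRF i0:f0]"
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \S+: "
    r"IKEv2:(?:\(SESSION ID = (?P<sess>\d+),SA ID = \d+\):)?"
    r"(?P<dir>Received|Sending) Packet \[(?:From|To) (?P<peer>[^/]+)/"
)
# e.g. "Initiator SPI : AA1A43B492F7B7E7 - Responder SPI : 0000000000000000 Message id: 0"
SPI_RE = re.compile(
    r"Initiator SPI : (?P<ispi>[0-9A-F]{16}) - Responder SPI : (?P<rspi>[0-9A-F]{16}) Message id: (?P<mid>\d+)"
)
# e.g. "IKEv2 IKE_SA_INIT Exchange REQUEST"
EXCH_RE = re.compile(r"^IKEv2 (?P<exch>[A-Z_]+) Exchange (?P<kind>REQUEST|RESPONSE)$")

HUB_DEBUG = """\
Jan 30 16:38:09.643 UTC: IKEv2:Received Packet [From 198.51.100.2:500/To 203.0.113.1:500/VRF i0:f0]
Initiator SPI : AA1A43B492F7B7E7 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Jan 30 16:38:09.644 UTC: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 354
Jan 30 16:38:09.651 UTC: IKEv2:(SESSION ID = 907513,SA ID = 49):Sending Packet [To 198.51.100.2:500/From 203.0.113.1:500/VRF i0:f0]
Initiator SPI : AA1A43B492F7B7E7 - Responder SPI : AD7760A99C62A431 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Jan 30 16:39:09.643 UTC: IKEv2:Received Packet [From 198.51.100.2:500/To 203.0.113.1:500/VRF i0:f0]
Initiator SPI : 1B2C3D4E5F607182 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Jan 30 16:39:09.651 UTC: IKEv2:(SESSION ID = 907514,SA ID = 50):Sending Packet [To 198.51.100.2:500/From 203.0.113.1:500/VRF i0:f0]
Initiator SPI : 1B2C3D4E5F607182 - Responder SPI : 9F8E7D6C5B4A3928 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
"""

SPOKE_DEBUG = """\
Jan 30 17:09:38.220 UTC: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 203.0.113.1:500/To 198.51.100.2:500/VRF i0:f0]
Initiator SPI : D25C5A1E83AF2C48 - Responder SPI : 733C7D9C5E83D58F Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Jan 30 17:09:38.220 UTC: IKEv2-ERROR:: A supplied parameter is incorrect
Jan 30 17:09:53.035 UTC: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
"""


def parse_ikev2_debug(text):
    """One dict per packet header; the SPI and exchange lines following a header are attached to it."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")
            # In both directions the first address printed is the remote peer.
            current = {"ts": ts, "dir": m["dir"], "peer": m["peer"], "session": m["sess"],
                       "ispi": None, "rspi": None, "msg_id": None, "exch": None, "kind": None}
            events.append(current)
        elif current is not None:
            if (m := SPI_RE.search(line)):
                current.update(ispi=m["ispi"], rspi=m["rspi"], msg_id=int(m["mid"]))
            elif (m := EXCH_RE.match(line)):
                current.update(exch=m["exch"], kind=m["kind"])
    return events


def sa_init_requests(events):
    """IKE_SA_INIT requests this device received, i.e. peers trying to open a new IKE SA."""
    return [e for e in events if e["dir"] == "Received" and e["exch"] == "IKE_SA_INIT" and e["kind"] == "REQUEST"]


def request_intervals(events):
    """Seconds between consecutive received IKE_SA_INIT requests, per peer. A steady
    cadence from a peer whose tunnel is already up is the symptom described in the thread."""
    by_peer = {}
    for e in sa_init_requests(events):
        by_peer.setdefault(e["peer"], []).append(e["ts"])
    return {peer: [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            for peer, ts in ((p, sorted(t)) for p, t in by_peer.items())}


def responses_without_request(events):
    """Responses received whose Initiator SPI never appears in a request this device sent
    within the capture: the request left before debugging started, or never left this device."""
    sent = {e["ispi"] for e in events if e["dir"] == "Sending" and e["kind"] == "REQUEST"}
    return [e for e in events if e["dir"] == "Received" and e["kind"] == "RESPONSE" and e["ispi"] not in sent]


def correlate_spis(hub_events, spoke_events):
    """Initiator SPIs seen in both captures; two captures of the same exchange must share them."""
    hub = {e["ispi"] for e in hub_events if e["ispi"]}
    spoke = {e["ispi"] for e in spoke_events if e["ispi"]}
    return {"matched": hub & spoke, "hub_only": hub - spoke, "spoke_only": spoke - hub}


if __name__ == "__main__":
    hub, spoke = parse_ikev2_debug(HUB_DEBUG), parse_ikev2_debug(SPOKE_DEBUG)
    print("IKE_SA_INIT request intervals per peer:", request_intervals(hub))
    print("SPI correlation hub vs spoke:", correlate_spis(hub, spoke))
    print("Spoke responses with no visible request:", [e["ispi"] for e in responses_without_request(spoke)])
```

Run against simultaneous captures from both devices, an empty `matched` set means the two excerpts do not show the same exchange (the point raised in the first reply), and a non-empty `responses_without_request` on the spoke is the case described above, where the hub's response arrives but no outgoing request was seen; a packet capture on the spoke's egress interface is then the way to tell whether the request actually left the box.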
01-30-2024 09:12 PM
Hi,
Hmm... that is strange. Were these debugs taken simultaneously? Because the SPI values don't match.
Also, can you take captures on spoke? I would like to know if any packet is leaving the device.
01-31-2024 05:58 AM
Hello @sadks
You are right, they are not the same logs; I made a copy.
I will try a capture with "debug ip packet" and see if the first IKE packet is caught.
01-31-2024 01:18 AM
Can I see the config of IKEv2 in hub and spoke?
MHM
01-31-2024 06:04 AM - edited 01-31-2024 06:12 AM
Hello @MHM Cisco World ,
Here is my config:
For the hub:
crypto ikev2 authorization policy auth-FlexVPN
 route set interface
!
crypto ikev2 proposal IkeV2Proposal
 encryption aes-cbc-256
 integrity sha512
 group 19
no crypto ikev2 proposal default
!
crypto ikev2 policy IkeV2Policy
 proposal IkeV2Proposal
no crypto ikev2 policy default
!
crypto ikev2 profile IkeV2Profile
 match identity remote fqdn domain xxx.com
 identity local fqdn hub.xxx.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-PROD
 lifetime 14600
 aaa authorization group cert list aaa-auth auth-FlexVPN
 virtual-template 20
!
crypto ikev2 dpd 25 15 on-demand
no crypto ikev2 http-url cert
crypto ikev2 fragmentation
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
crypto ipsec profile IpsecProfile
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 14100
 set transform-set ESP-AES-256-SHA-512
 set pfs group19
 set ikev2-profile IkeV2Profile
 responder-only
!
interface Virtual-Template20 type tunnel
 bandwidth 30000
 ip unnumbered Loopback240
 ip mtu 1700
 logging event subif-link-status
 delay 10
 tunnel source Loopback10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IpsecProfile
!
For the spoke:
crypto ikev2 authorization policy auth-FlexVPN
 route set interface
!
crypto ikev2 proposal IkeV2Proposal
 encryption aes-cbc-256
 integrity sha512
 group 19
no crypto ikev2 proposal default
!
crypto ikev2 policy IkeV2Policy
 proposal IkeV2Proposal
no crypto ikev2 policy default
!
crypto ikev2 profile IkeV2Profile
 match identity remote fqdn domain xxx.com
 identity local fqdn spokex.xxx.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-PROD
 lifetime 14600
 aaa authorization group cert list aaa-auth auth-FlexVPN
!
crypto ikev2 dpd 25 15 on-demand
no crypto ikev2 http-url cert
crypto ikev2 fragmentation
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
crypto ipsec profile IpsecProfile
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 14000
 set transform-set ESP-AES-256-SHA-512
 set pfs group19
 set ikev2-profile IkeV2Profile
!
no crypto ipsec profile default
!
interface Tunnel10
 bandwidth 1000
 ip unnumbered Loopback55
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1700
 load-interval 30
 delay 10
 tunnel source Vlan31
 tunnel mode ipsec ipv4
 tunnel destination x.x.x.x
 tunnel protection ipsec profile IpsecProfile
!
01-31-2024 06:09 AM
The identity for local and remote, I think it is wrong.
In the hub you use local identity fqdn hub and remote domain.
In the spoke, local is fqdn and remote is the fqdn of the hub or its IP.
Double check again.
Thanks
MHM
01-31-2024 06:24 AM
Yes, I made a mistake when I replaced the domain name, but it's ok now.
I'm using the domain name to catch the desired ike profile.
Stephane
01-31-2024 06:40 AM
The traffic is hub to spoke only
No spoke to spoke?
MHM
01-31-2024 07:06 AM
Yes, only hub to spoke.
Stephane
01-31-2024 07:18 AM
Domain corrected
and I don't see anything wrong except a lifetime mismatch: one 14000 and the other 14100.
MHM
02-01-2024 06:55 AM
Hi friend
Did you match the lifetime? IKEv2 is not like IKEv1; each peer can use a different lifetime. This makes one peer ask to establish a new tunnel and the other peer reject it, since it already has one active tunnel.
Match it
Thanks
MHM
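The lifetime mismatch found by eye above (14100 on the hub, 14000 on the spoke) is the kind of difference that is easy to miss in a long paste. As an added example, not anything posted in the thread or shipped by Cisco, the following Python compares the crypto sections of two IOS configs and reports sub-commands that differ in value or exist on one side only. The embedded configs are the ikev2/ipsec profile sections exactly as posted for hub and spoke, retyped with the one-space indentation IOS prints and the forum paste dropped; `identity local fqdn` is listed as a per-device command so the expected hub/spoke difference there is not reported.

```python
"""Compare the crypto sections of two Cisco IOS configs and report what differs.

Added example for this thread, not the poster's or Cisco's code. The two configs
below are the ikev2/ipsec profile sections as posted for hub and spoke, retyped
with the one-space indentation IOS prints (the forum paste dropped it).
"""

HUB_CONFIG = """\
crypto ikev2 profile IkeV2Profile
 match identity remote fqdn domain xxx.com
 identity local fqdn hub.xxx.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-PROD
 lifetime 14600
 aaa authorization group cert list aaa-auth auth-FlexVPN
 virtual-template 20
!
crypto ipsec profile IpsecProfile
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 14100
 set transform-set ESP-AES-256-SHA-512
 set pfs group19
 set ikev2-profile IkeV2Profile
 responder-only
!
"""

SPOKE_CONFIG = """\
crypto ikev2 profile IkeV2Profile
 match identity remote fqdn domain xxx.com
 identity local fqdn spokex.xxx.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-PROD
 lifetime 14600
 aaa authorization group cert list aaa-auth auth-FlexVPN
!
crypto ipsec profile IpsecProfile
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 14000
 set transform-set ESP-AES-256-SHA-512
 set pfs group19
 set ikev2-profile IkeV2Profile
!
"""

# Sections whose sub-commands are expected to agree on both ends of the tunnel.
CRYPTO_SECTIONS = ("crypto ikev2 profile IkeV2Profile", "crypto ipsec profile IpsecProfile")
# Sub-commands that legitimately differ per device, named by all tokens but the last.
PER_DEVICE = ("identity local fqdn",)


def parse_ios_sections(text):
    """Map each top-level command to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None  # '!' or a blank line closes the current section
        elif line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def _keyed(lines, ignore):
    """Key each sub-command on everything but its trailing token, so a command present
    on both sides with a different value is reported once, as a value difference."""
    out = {}
    for line in lines:
        toks = line.split()
        key, val = (" ".join(toks[:-1]), toks[-1]) if len(toks) > 1 else (line, "")
        if key not in ignore:
            out[key] = val
    return out


def compare_section(hub, spoke, section, ignore=()):
    """Differences in one section between two parsed configs."""
    h, s = _keyed(hub.get(section, []), ignore), _keyed(spoke.get(section, []), ignore)
    return {
        "value_diff": {k: (h[k], s[k]) for k in sorted(h.keys() & s.keys()) if h[k] != s[k]},
        "hub_only": sorted(f"{k} {h[k]}".strip() for k in h.keys() - s.keys()),
        "spoke_only": sorted(f"{k} {s[k]}".strip() for k in s.keys() - h.keys()),
    }


def compare_all(hub_text, spoke_text, sections=CRYPTO_SECTIONS, ignore=PER_DEVICE):
    """Only the sections that differ, with their differences."""
    hub, spoke = parse_ios_sections(hub_text), parse_ios_sections(spoke_text)
    report = {}
    for name in sections:
        diff = compare_section(hub, spoke, name, ignore)
        if any(diff.values()):
            report[name] = diff
    return report
```

On the posted configs `compare_all` reports the `lifetime seconds` value difference in the IPsec profile, plus `responder-only` and `virtual-template 20` as hub-only lines (both expected on a FlexVPN hub). For what the mismatch means in practice: IKEv2 does not negotiate lifetimes, each end enforces its own (RFC 7296, section 2.8), so with 14000 against 14100 it is the spoke that reaches its IPsec SA lifetime first and initiates the rekey.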