- Cisco Community
- Technology and Support
- Security
- VPN
- VPN IKEv2, Tunnel goes up and down
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
VPN IKEv2, Tunnel goes up and down
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-24-2016 10:42 AM
Hello everyone,
(please help :) )
i have a S2S VPN IKEv2 for Sites.
since many weeks we loose the connection and the Tunnel goes UP and DOWN.
*Nov 24 18:25:36.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:25:58.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:26:06.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:26:28.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:26:30.111: %SEC-6-IPACCESSLOGNP: list 23 denied 0 59.127.117.140 -> 0.0.0.0, 1 packet
*Nov 24 18:26:36.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:26:58.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:27:17.611: %SEC-6-IPACCESSLOGNP: list 23 denied 0 219.159.82.24 -> 0.0.0.0, 1 packet
*Nov 24 18:27:37.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:27:55.079: %SEC-6-IPACCESSLOGNP: list 23 denied 0 181.20.142.92 -> 0.0.0.0, 1 packet
*Nov 24 18:27:59.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:28:07.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:28:29.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:28:37.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:28:47.975: %SEC-6-IPACCESSLOGNP: list 23 denied 0 188.3.122.59 -> 0.0.0.0, 1 packet
*Nov 24 18:28:59.687: %SEC-6-IPACCESSLOGNP: list 23 denied 0 216.67.41.218 -> 0.0.0.0, 1 packet
*Nov 24 18:28:59.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:29:07.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:29:29.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:29:37.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:29:59.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:30:38.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:30:59.687: %SEC-6-IPACCESSLOGNP: list 23 denied 0 168.126.145.87 -> 0.0.0.0, 1 packet
*Nov 24 18:31:00.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:31:08.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:31:30.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:31:38.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:32:00.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:32:08.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:32:30.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
additionally, i executed the "debug crypto ikev2 packet"
and i have received the output below
*Nov 24 18:18:33.991: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 816
Payload contents:
ENCR Next payload: VID, reserved: 0x0, length: 788
*Nov 24 18:18:33.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
DCDE_VPNrtr#
*Nov 24 18:18:43.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 68
*Nov 24 18:18:45.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 68
*Nov 24 18:18:47.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 68
*Nov 24 18:18:49.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 68
*Nov 24 18:18:51.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 68
*Nov 24 18:18:53.995: IKEv2-PAK:(SESSION ID = 228,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 68
*Nov 24 18:18:55.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov 24 18:19:03.951: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 508
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 144
last proposal: 0x0, reserved: 0x0, length: 140
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: MD5
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: MD596
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
*Nov 24 18:19:03.959: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 412
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
*Nov 24 18:19:03.987: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 624
Payload contents:
VID Next payload: IDi, reserved: 0x0, length: 20
IDi Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
AUTH Next payload: CFG, reserved: 0x0, length: 72
Auth method PSK, reserved: 0x0, reserved 0x0
CFG Next payload: SA, reserved: 0x0, length: 301
cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0
*Nov 24 18:19:03.987: attrib type: internal IP4 DNS, length: 0
*Nov 24 18:19:03.987: attrib type: internal IP4 DNS, length: 0
*Nov 24 18:19:03.987: attrib type: internal IP4 NBNS, length: 0
*Nov 24 18:19:03.987: attrib type: internal IP4 NBNS, length: 0
*Nov 24 18:19:03.987: attrib type: internal IP4 subnet, length: 0
*Nov 24 18:19:03.987: attrib type: internal IP6 DNS, length: 0
*Nov 24 18:19:03.987: attrib type: internal IP6 subnet, length: 0
*Nov 24 18:19:03.987: attrib type: application version, length: 241
attrib type: Unknown - 28675, length: 0
*Nov 24 18:19:03.987: attrib type: Unknown - 28672, length: 0
*Nov 24 18:19:03.987: attrib type: Unknown - 28692, length: 0
*Nov 24 18:19:03.987: attrib type: Unknown - 28681, length: 0
*Nov 24 18:19:03.987: attrib type: Unknown - 28674, length: 0
*Nov 24 18:19:03.987: SA Next payload: TSi, reserved: 0x0, length: 44
last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 0.0.0.0, end addr: 255.255.255.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 0.0.0.0, end addr: 255.255.255.255
NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: INITIAL_CONTACT
NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12
Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: NON_FIRST_FRAGS
Payload contents:
VID Next payload: IDr, reserved: 0x0, length: 20
IDr Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
AUTH Next payload: CFG, reserved: 0x0, length: 72
Auth method PSK, reserved: 0x0, reserved 0x0
CFG Next payload: SA, reserved: 0x0, length: 505
cfg type: CFG_REPLY, reserved: 0x0, reserved: 0x0
*Nov 24 18:19:03.991: attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: internal IP4 subnet, length: 8
attrib type: application version, length: 241
SA Next payload: TSi, reserved: 0x0, length: 44
last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 0.0.0.0, end addr: 255.255.255.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 0.0.0.0, end addr: 255.255.255.255
NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12
Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: NON_FIRST_FRAGS
*Nov 24 18:19:03.991: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 816
Payload contents:
ENCR Next payload: VID, reserved: 0x0, length: 788
*Nov 24 18:19:03.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 24 18:19:13.995: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 68
DCDE_VPNrtr#
*Nov 24 18:19:15.995: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 68
*Nov 24 18:19:17.995: IKEv2-PAK:(SESSION ID = 229,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 0, length: 96
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 68
*Nov 24 18:19:19.711: %SEC-6-IPACCESSLOGNP: list 23 denied 0 126.42.18.155 -> 0.0.0.0, 1 packet
- Labels:
-
VPN
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide