10-01-2024 08:38 AM
Hi,
I would like to describe my issue, in case you are able to advise me. I have a company router IR1101 with an internet connection provided with a private IPv4 address on the WAN interface. My company uses DMVPN in order to connect to the company infrastructure. The issue is that the DMVPN connection is lost every 4 hours for 20-30 minutes. I checked the logs and I saw that there is an authentication failure in the IKEv2 exchange message. It is something that I cannot explain, since the site and router worked perfectly before this issue appeared.
Do you have any suggestions?
10-01-2024 08:49 AM
Run IP SLA between spoke and hub to make the tunnel always up.
It can be an IKEv2 SA issue.
MHM
10-01-2024 11:27 AM
What kind of logs? Can you post the logs here so we can look?
Are these logs from the head end or the branch router? Can you post both logs?
Is only this one router losing connection every 4 hours, or all the other branch routers too?
What is the head end router, and what IOS code is running on both sides?
Guidelines on how to troubleshoot:
10-01-2024 01:20 PM
10-01-2024 02:41 PM - edited 10-01-2024 02:44 PM
Hello @georgesofroniadis,
At some point in the debug we see many requests, none of which gets an answer.
So at some point we see:
>> Oct 1 2024 13:33:40.872 UTC: IKEv2:(SESSION ID = 2,SA ID = 9):Sending Packet [To 193.x.y.207:4500/From 10.0.0.10:4500/VRF i0:f0]
Initiator SPI : C61FA05DBCD4E8BD - Responder SPI : 574998F98E3084B6 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
There are many attempts; later we see a line that is important:
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: split-dns, length: 0
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: banner, length: 0
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: config-url, length: 0
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: backup-gateway, length: 0
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: def-domain, length: 0
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Have config mode data to send
Oct 1 2024 13:33:12.066 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Check for EAP exchange
SKF
Finally:
Oct 1 2024 13:33:44.047 UTC: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Maximum number of retransmissions reached
Oct 1 2024 13:33:44.047 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
Oct 1 2024 13:33:44.047 UTC: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
Oct 1 2024 13:33:44.048 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
Oct 1 2024 13:33:44.051 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
Oct 1 2024 13:33:44.051 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Oct 1 2024 13:33:44.052 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Oct 1 2024 13:33:46.616 UTC: IKEv2:(SESSION ID = 2,SA ID = 9):Retransmitting packet
Note: if one side thinks the other party is a backup gateway and the primary is up, it will stop negotiating with your device.
At least I see this on Cisco Firepower 1140 with release 7.2.5.1: no IKEv2 exchange with the backup peer occurs when the primary is up. If, as a test, you configure a wrong primary address on the FW side so that the primary IKEv2 fails, the remote does not accept negotiation on its secondary outside interface because its own primary is still alive.
Hope this helps
Giuseppe
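The debug lines quoted above can be triaged mechanically. What follows is an added example, not part of the thread and not Cisco tooling: a small Python parser that groups IOS IKEv2 debug lines by SA ID, counts packets sent, retransmitted and received, and reports whether an auth exchange died because the peer never answered (retransmissions up to the limit, as in the debug above) or because the peer answered with a rejection. The sample lines are constructed, modelled on the ones quoted in the thread; the `Received Packet` and `AUTHENTICATION_FAILED` strings it looks for are assumptions about the debug format, and the verdict labels are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the IKEv2 debug lines quoted in the thread.
# SA 9 sends an IKE_AUTH request and retransmits it without ever receiving a
# reply; SA 1 reaches the retransmission limit and is torn down.
SAMPLE_DEBUG = """\
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: split-dns, length: 0
Oct 1 2024 13:33:12.066 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Check for EAP exchange
Oct 1 2024 13:33:40.872 UTC: IKEv2:(SESSION ID = 2,SA ID = 9):Sending Packet [To 193.x.y.207:4500/From 10.0.0.10:4500/VRF i0:f0]
Oct 1 2024 13:33:44.047 UTC: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Maximum number of retransmissions reached
Oct 1 2024 13:33:44.047 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
Oct 1 2024 13:33:44.047 UTC: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
Oct 1 2024 13:33:44.048 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
Oct 1 2024 13:33:44.051 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
Oct 1 2024 13:33:44.051 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Oct 1 2024 13:33:44.052 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Oct 1 2024 13:33:46.616 UTC: IKEv2:(SESSION ID = 2,SA ID = 9):Retransmitting packet
Oct 1 2024 13:33:52.616 UTC: IKEv2:(SESSION ID = 2,SA ID = 9):Retransmitting packet
"""

# Matches "<timestamp> UTC: IKEv2[-ERROR]:(SESSION ID = n,SA ID = m):<msg>".
# SESSION ID is optional (the PKI lines carry only SA ID); error lines have an
# extra ":" before the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\.\d+) UTC: "
    r"(?P<src>IKEv2(?:-ERROR)?):\("
    r"(?:SESSION ID = (?P<session>\d+),)?SA ID = (?P<sa>\d+)\):"
    r":?\s*(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one IKEv2 debug line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f"),
        "error": m["src"].endswith("-ERROR"),
        "session": int(m["session"]) if m["session"] else None,
        "sa": int(m["sa"]),
        "msg": m["msg"],
    }


def _new_sa():
    return {"sent": 0, "retransmits": 0, "received": 0, "max_retrans": False,
            "auth_failed": False, "auth_rejected": False, "deleted": False,
            "first": None, "last": None}


def summarize(debug_text):
    """Group debug lines by SA ID and count the events that matter."""
    sas = defaultdict(_new_sa)
    for line in debug_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = sas[ev["sa"]]
        s["first"] = s["first"] or ev["ts"]
        s["last"] = ev["ts"]
        msg = ev["msg"]
        if msg.startswith("Sending Packet"):
            s["sent"] += 1
        elif msg.startswith("Retransmitting packet"):
            s["retransmits"] += 1
        elif msg.startswith("Received Packet"):      # assumed debug wording
            s["received"] += 1
        elif msg.startswith("Maximum number of retransmissions reached"):
            s["max_retrans"] = True
        elif msg.startswith("Auth exchange failed"):
            s["auth_failed"] = True
        elif "AUTHENTICATION_FAILED" in msg:         # assumed notify wording
            s["auth_rejected"] = True
        elif msg.startswith("Deleting SA"):
            s["deleted"] = True
    return dict(sas)


def classify(summary):
    """One verdict per SA; the labels are this example's own."""
    verdicts = {}
    for sa, s in summary.items():
        if s["auth_rejected"]:
            verdicts[sa] = "peer answered and rejected IKE_AUTH"
        elif s["max_retrans"] or (s["retransmits"] and not s["received"]):
            verdicts[sa] = "peer never answered"
        elif s["auth_failed"]:
            verdicts[sa] = "auth exchange failed for another reason"
        else:
            verdicts[sa] = "no failure recorded"
    return verdicts


if __name__ == "__main__":
    summary = summarize(SAMPLE_DEBUG)
    for sa, verdict in sorted(classify(summary).items()):
        s = summary[sa]
        print(f"SA {sa}: sent={s['sent']} retransmits={s['retransmits']} "
              f"received={s['received']} -> {verdict}")
```

Run it over a `debug crypto ikev2` capture taken around one of the outages and compare the verdict for the failing SA with what the hub side logged in the same minute: a "peer never answered" verdict on the spoke with no matching inbound IKE_AUTH on the hub points at the path (UDP 4500 through the NAT, or the peer not listening), whereas a rejection means the peer received the request and disliked the identity or credential.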
10-03-2024 11:20 AM
Thanks for your answer and support! Much appreciated!