Wednesday, September 25, 2024

Re: ipsecctl -s & no traffic flow across enc0

On 2024-09-25, Boyd Stephens <bstephens@netelysis.com> wrote:
> The circumstances driving this inquiry are that our team has an IKEv2 VPN
> connection where the tunnel between two sites is always successfully
> established (at least this is the feedback from all of our ipsecctl -s
> all inquiries) but traffic flow across the enc0 interface occurs very
> intermittently and sometimes not at all. The remote end of the tunnel
> is operating across a Cisco ASA 5550 appliance.
..
> Again, at times traffic will flow across enc0 flawlessly but in those
> circumstances after the ikelifetime (IKE SA expiration) expires the ipsec
> link will be reestablished but traffic will cease to flow across enc0.

That sounds like initial SAs are negotiated OK but there's an issue with
child SAs. I've had that happen quite a lot with Windows ikev2 where it
was unhappy about dh groups.

iked.conf and (if available) the cisco config might give clues, as might
logs (warning logs on the cisco side probably most helpful, I find iked
logs are usually either not enough or excruciatingly noisy depending on
verbosity).

--
Please keep replies on the mailing list.
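As an added illustration of the reply's point (not the poster's configuration or anything from the thread), the iked.conf fragment below pins the IKE SA and child SA transforms explicitly, so that the child SA rekey after `ikelifetime` negotiates the same DH group the Cisco side was configured with; all addresses, identities and the PSK are placeholders.

```conf
# Added example iked.conf for the OpenBSD side of a site-to-site IKEv2 tunnel.
# Addresses, IDs and the PSK below are assumed placeholders, not the poster's values.

ikev2 "site-b" active esp \
        from 10.1.0.0/24 to 10.2.0.0/24 \
        local 198.51.100.1 peer 203.0.113.2 \
        # IKE SA proposal: must match the ASA's IKEv2 policy (encryption, integrity,
        # PRF and DH group). A mismatch here shows up as the tunnel never establishing.
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        # Child SA proposal: must match the ASA's IPsec proposal. "group" enables PFS,
        # so the ASA's crypto map needs the same PFS group or the child SA (re)key
        # fails while the IKE SA still looks fine in "ipsecctl -sa".
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        srcid gw-a.example.net dstid gw-b.example.net \
        psk "REPLACE-WITH-REAL-PSK" \
        # ikelifetime governs IKE SA rekeying, lifetime governs child SA rekeying.
        # Aligning both with the peer avoids one side tearing down an SA the other
        # still considers valid after the IKE SA expires.
        ikelifetime 86400 lifetime 3600
```

After a rekey, `ipsecctl -sa` should list fresh SAs for both directions and `ipsecctl -sf` should still show the flows; a tunnel with SAs but no flows, or flows but only one SA direction, points at the child SA negotiation the reply describes.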
