sa timing: remaining key lifetime (k/sec): (4215482/3412)
IV size: 8 bytes
replay detection support: Y
Known caveats & issues
Please remember to have the following line configured on your IOS headend: no crypto ikev2 http-url cert.
The error produced by IOS and AnyConnect when this is not configured is quite misleading.
In certain scenarios IOS might not be able to pick the correct trustpoint to authenticate. We are aware of the issue; it should be fixed as of the 15.2(3)T1 release. A tentative date for 15.2(3)T1 is 29th of June 2012.
If AnyConnect is reporting a message similar to this:
The client certificate's cryptographic service provider(CSP) does not support the sha512 algorithm
You need to make sure that the integrity/PRF setting in your IKEv2 proposals matches what your certificates can handle. If you're using an IOS CA like me, I suggest using sha-1 as your PRF/integrity setting.
Here are a few useful tips on how to troubleshoot, or, if you're desperate, what to provide to TAC to smooth things out.
Useful IKEv2 debugs (I'm assuming a 15.2.2T or newer IOS version)
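The two caveats above, as an added headend configuration example that is not from the original post; the proposal and policy names are assumed, and the sha512 proposal is kept only to show the kind of mismatch the post describes next to the sha1 setting it recommends.

```cisco
! Added example, not from the original post. Proposal/policy names are assumed.
! Headend side, IOS 15.2(2)T or newer.

! Caveat 1: without this line IOS and AnyConnect produce a misleading error.
no crypto ikev2 http-url cert

! Caveat 2: an integrity/PRF setting the client certificate's CSP cannot handle
! yields "The client certificate's cryptographic service provider(CSP) does not
! support the sha512 algorithm" on the AnyConnect side.
crypto ikev2 proposal AC-PROPOSAL-SHA512
 encryption aes-cbc-256
 integrity sha512
 prf sha512
 group 14

! Setting that matches what an IOS CA issued certificate can handle.
crypto ikev2 proposal AC-PROPOSAL-SHA1
 encryption aes-cbc-256
 integrity sha1
 prf sha1
 group 14

! Reference only the proposal the clients can actually negotiate.
crypto ikev2 policy AC-POLICY
 proposal AC-PROPOSAL-SHA1

! Checks: which proposal was negotiated, and which algorithms the certificates use.
! show crypto ikev2 sa detailed
! show crypto pki certificates verbose
```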
debug crypto ikev2
debug crypto ikev2 internal
debug crypto ikev2 packet
Useful PKI debugs
debug crypto pki m
debug crypto pki t
debug crypto pki v
The one that will help the most is:
show crypto pki cert verb
If you would like TAC to look into this, provide a DART package. Please remember to CLEAR the event viewer logs before generating it.
This will help greatly.
Also note the time at which you tried and failed to connect.
Further Reading & Documentation
You should always start with the configuration guide. This particular