ikev2 ios headend no more than 2 virtual-access

Hi all,

I need some help. I have a 3945 (IOS 15.2.4M1), serving as an IKEv2 headend for AnyConnect (3.1) clients. When a client is connected everything is OK, except that it disconnects a previous client attached to Virtual-Access1 and takes his virtual-access (the 2 virtual-access interfaces are put down before Virtual-Access1 is up), and the next client will do the same to this one.

Here is my config:

crypto ikev2 authorization policy author-policy1
 pool ClientADSLSpot
 dns XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
 netmask 255.255.254.0
 backup-gateway 10.172.36.2
!
crypto ikev2 proposal ikev2-profile1
 encryption aes-cbc-256
 integrity sha1
 group 5
!
crypto ikev2 policy ikev2-profile1
 match fvrf vrf_soft
 proposal ikev2-profile1
!
crypto ikev2 profile ikev2-profile1
 match fvrf vrf_soft
 match identity remote key-id anyconnect
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint cert_identity_RCT3SSG1
 aaa authentication eap UserAnyConnect
 aaa authorization group eap list sw-client-groupname author-policy1
 virtual-template 4
!
crypto ikev2 dpd 10 10 periodic
no crypto ikev2 http-url cert
crypto ikev2 fragmentation mtu 1300
!
interface GigabitEthernet1/0.422
 description ADSL_SOFT_ENTRANT_C3
 encapsulation dot1Q 422
 ip vrf forwarding vrf_soft
 ip address 10.172.36.6 255.255.255.252
!
interface Virtual-Template4 type tunnel
 ip vrf forwarding vrf_soft
 ip unnumbered GigabitEthernet1/0.422
 tunnel mode ipsec ipv4
 tunnel vrf vrf_soft
 tunnel protection ipsec profile ipsec-profile1

Here is also an extract from the log:

Nov 18 14:03:24.139 MET: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
Nov 18 14:03:24.757 MET: %IKEV2-5-SA_DOWN: SA DOWN
Nov 18 14:03:24.757 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN.  Peer 10.220.94.5:51134 f_vrf:  vrf_soft i_vrf:  vrf_soft   Id: anyconnect
Nov 18 14:03:24.757 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Nov 18 14:03:24.761 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
Nov 18 14:03:24.763 MET: %IKEV2-5-SA_UP: SA UP
Nov 18 14:03:24.763 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP.  Peer 10.220.70.78:51125 f_vrf:  vrf_soft i_vrf:  vrf_soft   Id: anyconnect
Nov 18 14:03:24.773 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

If someone has an idea about that I will be very happy.

Best regards.

Farid

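The pattern in the log extract above (a session for one peer going DOWN and, milliseconds later, a session for a different peer with the same Id coming UP) can be flagged automatically from the syslog stream. This is an added example, not part of the original post and not Cisco code; the function names, the one-second window and the placeholder year are assumptions, and the sample lines are the post's own log lines unwrapped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: session-status lines from the post, unwrapped.
SAMPLE_LOG = """\
Nov 18 14:03:24.757 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN.  Peer 10.220.94.5:51134 f_vrf:  vrf_soft i_vrf:  vrf_soft   Id: anyconnect
Nov 18 14:03:24.757 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Nov 18 14:03:24.763 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP.  Peer 10.220.70.78:51125 f_vrf:  vrf_soft i_vrf:  vrf_soft   Id: anyconnect
"""

STATUS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+) \S+: "
    r"%CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is (?P<state>UP|DOWN)\.\s+"
    r"Peer (?P<peer>\S+) .*?Id: (?P<id>\S+)"
)


def parse_events(log_text):
    """Yield (timestamp, state, peer, ike_id) for each session-status line."""
    for line in log_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            # The log carries no year; 2000 is an arbitrary placeholder (assumption).
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
            yield ts, m["state"], m["peer"], m["id"]


def find_displacements(log_text, window=timedelta(seconds=1)):
    """Return (old_peer, new_peer, ike_id, gap) tuples where a session goes DOWN
    and a session for a *different* peer with the same IKE Id comes UP within
    `window`. A reconnect from the same peer is not reported."""
    last_down = {}  # ike_id -> (timestamp, peer) of the most recent DOWN
    hits = []
    for ts, state, peer, ike_id in parse_events(log_text):
        if state == "DOWN":
            last_down[ike_id] = (ts, peer)
            continue
        down = last_down.pop(ike_id, None)
        if down and down[1] != peer and ts - down[0] <= window:
            hits.append((down[1], peer, ike_id, ts - down[0]))
    return hits


if __name__ == "__main__":
    for old, new, ike_id, gap in find_displacements(SAMPLE_LOG):
        print(f"Id {ike_id}: {old} dropped {gap.total_seconds() * 1000:.0f} ms before {new} came up")
```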