Hi all,
I need some help. I have a 3945 (IOS 15.2.4M1) serving as an IKEv2 headend for AnyConnect (3.1) clients. When a client connects, everything is OK except that it disconnects a previous client attached to Virtual-Access1 and takes its virtual-access (the two virtual-access interfaces are put down before Virtual-Access1 comes up), and the next client will do the same to this one.
Here is my config:
crypto ikev2 authorization policy author-policy1
pool ClientADSLSpot
dns XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
netmask 255.255.254.0
backup-gateway 10.172.36.2
!
crypto ikev2 proposal ikev2-profile1
encryption aes-cbc-256
integrity sha1
group 5
!
crypto ikev2 policy ikev2-profile1
match fvrf vrf_soft
proposal ikev2-profile1
!
crypto ikev2 profile ikev2-profile1
match fvrf vrf_soft
match identity remote key-id anyconnect
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint cert_identity_RCT3SSG1
aaa authentication eap UserAnyConnect
aaa authorization group eap list sw-client-groupname author-policy1
virtual-template 4
!
crypto ikev2 dpd 10 10 periodic
no crypto ikev2 http-url cert
crypto ikev2 fragmentation mtu 1300
interface GigabitEthernet1/0.422
description ADSL_SOFT_ENTRANT_C3
encapsulation dot1Q 422
ip vrf forwarding vrf_soft
ip address 10.172.36.6 255.255.255.252
interface Virtual-Template4 type tunnel
ip vrf forwarding vrf_soft
ip unnumbered GigabitEthernet1/0.422
tunnel mode ipsec ipv4
tunnel vrf vrf_soft
tunnel protection ipsec profile ipsec-profile1
Here is also an extract from the log:
Nov 18 14:03:24.139 MET: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
Nov 18 14:03:24.757 MET: %IKEV2-5-SA_DOWN: SA DOWN
Nov 18 14:03:24.757 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer 10.220.94.5:51134 f_vrf: vrf_soft i_vrf: vrf_soft Id: anyconnect
Nov 18 14:03:24.757 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Nov 18 14:03:24.761 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
Nov 18 14:03:24.763 MET: %IKEV2-5-SA_UP: SA UP
Nov 18 14:03:24.763 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP. Peer 10.220.70.78:51125 f_vrf: vrf_soft i_vrf: vrf_soft Id: anyconnect
Nov 18 14:03:24.773 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
If someone has an idea about that I will be very happy.
Best regards.
Farid
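An added example (my own code, not part of Farid's post) that parses the %CRYPTO-5-IKEV2_SESSION_STATUS syslog lines shown above and flags the pattern described: a tunnel DOWN for one peer address followed within milliseconds by a tunnel UP for a different address presenting the same IKE Id. The field layout in the regex, the 500 ms window and the year (IOS syslog omits it) are assumptions; the sample log is constructed from the extract above with the wrapped lines rejoined.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the log extract from the post with wrapped lines rejoined.
SAMPLE_LOG = """\
Nov 18 14:03:24.139 MET: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
Nov 18 14:03:24.757 MET: %IKEV2-5-SA_DOWN: SA DOWN
Nov 18 14:03:24.757 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer 10.220.94.5:51134 f_vrf: vrf_soft i_vrf: vrf_soft Id: anyconnect
Nov 18 14:03:24.757 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Nov 18 14:03:24.761 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
Nov 18 14:03:24.763 MET: %IKEV2-5-SA_UP: SA UP
Nov 18 14:03:24.763 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP. Peer 10.220.70.78:51125 f_vrf: vrf_soft i_vrf: vrf_soft Id: anyconnect
Nov 18 14:03:24.773 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
"""

# Assumed field layout of the session-status message (timestamp, zone, state, peer, VRFs, Id).
STATUS_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+) \S+: "
    r"%CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is (?P<state>UP|DOWN)\. "
    r"Peer (?P<peer>\S+) f_vrf: (?P<fvrf>\S+) i_vrf: (?P<ivrf>\S+) Id: (?P<ident>\S+)"
)

def parse_session_events(text, year=2000):
    """Return [(timestamp, state, peer_addr_port, ike_id)] in log order; year is assumed."""
    events = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m['state'], m['peer'], m['ident']))
    return events

def find_preemptions(events, window_ms=500):
    """Pairs (down_peer, up_peer, ike_id, gap_ms): a DOWN for one address followed
    within window_ms by an UP for a different address that presents the same Id."""
    hits = []
    for i, (t_down, state, peer_down, ident) in enumerate(events):
        if state != 'DOWN':
            continue
        for t_up, state_up, peer_up, ident_up in events[i + 1:]:
            gap_ms = (t_up - t_down) / timedelta(milliseconds=1)
            if gap_ms > window_ms:
                break  # events are in time order, so later ones are further away
            same_host = peer_up.split(':')[0] == peer_down.split(':')[0]
            if state_up == 'UP' and ident_up == ident and not same_host:
                hits.append((peer_down, peer_up, ident, gap_ms))
    return hits

if __name__ == "__main__":
    for down, up, ident, gap in find_preemptions(parse_session_events(SAMPLE_LOG)):
        print(f"Id {ident}: {down} went DOWN, {up} came UP {gap:.0f} ms later")
```

Run it against a longer syslog export to see how many tunnel teardowns coincide with a new connection carrying the same Id, rather than with DPD timeouts or client-initiated disconnects.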