ikev2 ios headend no more than 2 virtual-access

bfarid
Level 1

Hi all,

I need some help. I have a 3945 (IOS 15.2.4M1) serving as an IKEv2 headend for AnyConnect (3.1) clients. When a client connects everything is OK, except that it disconnects the previous client attached to Virtual-Access1 and takes its virtual-access interface (the two virtual-access interfaces are put down before Virtual-Access1 comes up), and the next client will do the same to this one.

Here is my config:

crypto ikev2 authorization policy author-policy1
 pool ClientADSLSpot
 dns XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
 netmask 255.255.254.0
 backup-gateway 10.172.36.2
!
crypto ikev2 proposal ikev2-profile1
 encryption aes-cbc-256
 integrity sha1
 group 5
!
crypto ikev2 policy ikev2-profile1
 match fvrf vrf_soft
 proposal ikev2-profile1
!
crypto ikev2 profile ikev2-profile1
 match fvrf vrf_soft
 match identity remote key-id anyconnect
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint cert_identity_RCT3SSG1
 aaa authentication eap UserAnyConnect
 aaa authorization group eap list sw-client-groupname author-policy1
 virtual-template 4
!
crypto ikev2 dpd 10 10 periodic
no crypto ikev2 http-url cert
crypto ikev2 fragmentation mtu 1300
!
interface GigabitEthernet1/0.422
 description ADSL_SOFT_ENTRANT_C3
 encapsulation dot1Q 422
 ip vrf forwarding vrf_soft
 ip address 10.172.36.6 255.255.255.252
!
interface Virtual-Template4 type tunnel
 ip vrf forwarding vrf_soft
 ip unnumbered GigabitEthernet1/0.422
 tunnel mode ipsec ipv4
 tunnel vrf vrf_soft
 tunnel protection ipsec profile ipsec-profile1

Here is also an extract from the log:

Nov 18 14:03:24.139 MET: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
Nov 18 14:03:24.757 MET: %IKEV2-5-SA_DOWN: SA DOWN
Nov 18 14:03:24.757 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN.  Peer 10.220.94.5:51134 f_vrf:  vrf_soft i_vrf:  vrf_soft   Id: anyconnect
Nov 18 14:03:24.757 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Nov 18 14:03:24.761 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
Nov 18 14:03:24.763 MET: %IKEV2-5-SA_UP: SA UP
Nov 18 14:03:24.763 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP.  Peer 10.220.70.78:51125 f_vrf:  vrf_soft i_vrf:  vrf_soft   Id: anyconnect
Nov 18 14:03:24.773 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

If someone has an idea about that, I will be very happy.

Best regards.

Farid
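The pattern in the log extract above (one peer's tunnel reported DOWN a few milliseconds before a different peer's tunnel comes UP, with the Virtual-Access interfaces dropping in between) can be checked mechanically against `show logging` output rather than by eye. The following is an added example, not code from the original post or from Cisco: it parses IOS syslog lines of the shape shown, then flags every IKEv2 session UP that lands within a short window after a session DOWN for a different peer, listing the interfaces that went down in between and whether both sessions presented the same `Id:` value. The sample input is the post's own log re-joined into single lines; the two-second window, the `Event`/`Displacement` names and the function names are my choices.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample input: the log lines from the post, re-joined where the
# forum software wrapped them. No other device output is included.
SAMPLE_LOG = """\
Nov 18 14:03:24.139 MET: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
Nov 18 14:03:24.757 MET: %IKEV2-5-SA_DOWN: SA DOWN
Nov 18 14:03:24.757 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN.  Peer 10.220.94.5:51134 f_vrf:  vrf_soft i_vrf:  vrf_soft   Id: anyconnect
Nov 18 14:03:24.757 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Nov 18 14:03:24.761 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
Nov 18 14:03:24.763 MET: %IKEV2-5-SA_UP: SA UP
Nov 18 14:03:24.763 MET: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP.  Peer 10.220.70.78:51125 f_vrf:  vrf_soft i_vrf:  vrf_soft   Id: anyconnect
Nov 18 14:03:24.773 MET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
"""

# IOS syslog shape used in the post: "<Mon DD HH:MM:SS.mmm> <TZ>: %<FAC>-<SEV>-<MNEMONIC>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+: "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
SESSION_RE = re.compile(
    r"Crypto tunnel v2 is (?P<state>UP|DOWN)\.\s+Peer (?P<peer>\S+)\s+"
    r"f_vrf:\s+\S+\s+i_vrf:\s+\S+\s+Id:\s+(?P<ident>\S+)"
)
INTF_RE = re.compile(r"Line protocol on Interface (?P<intf>\S+), changed state to (?P<state>up|down)")


@dataclass
class Event:
    ts: datetime
    mnemonic: str
    state: Optional[str] = None   # "UP"/"DOWN" for session lines, "up"/"down" for interface lines
    peer: Optional[str] = None    # ip:port of the IKEv2 peer (session lines only)
    ident: Optional[str] = None   # the "Id:" field (session lines only)
    intf: Optional[str] = None    # interface name (LINEPROTO lines only)


def parse_log(text: str) -> List[Event]:
    """Parse IOS syslog lines; lines that do not match the expected shape are skipped."""
    events: List[Event] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # The log carries no year, so strptime fills in 1900; only deltas are used.
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S.%f")
        ev = Event(ts=ts, mnemonic=m["mnemonic"])
        if m["mnemonic"] == "CRYPTO-5-IKEV2_SESSION_STATUS":
            s = SESSION_RE.search(m["text"])
            if s:
                ev.state, ev.peer, ev.ident = s["state"], s["peer"], s["ident"]
        elif m["mnemonic"] == "LINEPROTO-5-UPDOWN":
            i = INTF_RE.search(m["text"])
            if i:
                ev.intf, ev.state = i["intf"], i["state"]
        events.append(ev)
    return events


@dataclass
class Displacement:
    down_peer: str
    up_peer: str
    same_identity: bool       # both sessions presented the same IKEv2 "Id:" value
    gap_ms: int               # milliseconds between the DOWN and the UP
    interfaces_down: List[str]


def find_displacements(events: List[Event], window_s: float = 2.0) -> List[Displacement]:
    """Flag a session UP for peer B that follows a session DOWN for a different peer A
    within window_s seconds, together with the interfaces that went down in between."""
    findings: List[Displacement] = []
    sessions = [e for e in events if e.mnemonic == "CRYPTO-5-IKEV2_SESSION_STATUS" and e.peer]
    for up in (e for e in sessions if e.state == "UP"):
        for down in (e for e in sessions if e.state == "DOWN" and e.peer != up.peer):
            gap = (up.ts - down.ts).total_seconds()
            if 0 <= gap <= window_s:
                intfs = [e.intf for e in events
                         if e.intf and e.state == "down" and down.ts <= e.ts <= up.ts]
                findings.append(Displacement(
                    down_peer=down.peer, up_peer=up.peer,
                    same_identity=(down.ident == up.ident),
                    gap_ms=int(round(gap * 1000)), interfaces_down=intfs))
    return findings


if __name__ == "__main__":
    for d in find_displacements(parse_log(SAMPLE_LOG)):
        print(f"{d.up_peer} came UP {d.gap_ms} ms after {d.down_peer} went DOWN; "
              f"same Id: {d.same_identity}; interfaces dropped: {', '.join(d.interfaces_down)}")
```

Feed it the output of `show logging` from the headend: a hit whose two peers differ, whose gap is in the millisecond range and whose `same_identity` is true is exactly the sequence the post reports, so it is also the condition worth alerting on when many remote-access clients share one headend.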
