Re: Ikev2 Phase2 is not getting up

MaheshCheck

Can anyone help me to resolve the issue

IKEv2 Phase2 is not getting up and configuration seems to be fine from both the sides

Version :R81.20

AkosBakos

Hi @MaheshCheck

Everyone of us, were is similiar situations. Please provide more info about the issue.

I suppose this is a s2s VPN connection.

What is GW version and jumbo take?

Until this try the followings:

reset the tunnel on both sides
check the ENC_DOMs on both sides, maybe eg.: somewhere the netmask is wrong

And check this SK: https://support.checkpoint.com/results/sk/sk60318

Akos

----------------
\m/_(>_<)_\m/

MaheshCheck

Yes ,its S2S VPN

Firewall version is R81.20 Jumbo Hotfix Take 84

When we select single host ,the tunnel is getting up however whenever we select network , the tunnel is not coming up

We have checked the configuration from both the sides and all network details are correct

reset the tunnel on both sides-tried but not working

the_rock

We need way more info in order to help properly.

First of all, what is the other side? Do enc settings match? route or domain based? star or mesh? How is tunnel mgmt option configured? ikev1 or ikev2?

Any logs indicating the failure?

Andy

MaheshCheck

Domain based ,Star,IKev2

Cisco is peer

the_rock

If its combo of hosts/subnets. then please try "per gateway"

If that fails, run simple vpn debug.

vpn debug trunc

vpn debug ikeon

-generate traffic

vpn debug ikeoff

fw ctl debug 0

Get ike* and vpnd* files from $FWDIR/log dir

Message me directly, we can do remote, Im confident I can help you.

Andy

MaheshCheck

There are so manu Ike fiels so which one i have to take

attached screenshot for reference

the_rock

I would review whatever is today's date. Honestly, I feel your best bet is to call TAC, do remote session and Im sure they would be able to figure it out quick. Its not so easy to tell based on these screenshots.

Andy

the_rock

Hey Mahesh,

Im sure you are sleeping as Im writting this, but in case tunnel still does not work when Cisco side checks, they can use below simple commands to do a debug and its very light. This is what guy I used to work with who worked for Cisco TAC gave me once.

Hope it helps (if needed)

Andy

debug vpn:

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs-> undebug all

MaheshCheck

MaheshCheck

the_rock

Hey,

Im in the zoom meeting waiting, so if you are free, please join, Im good till 2.30 pm est.

Andy

the_rock

Hey Mahesh,

Just send me your email in direct message, we can connect offline. Not sure what country you are in, but Im in Canada EST (GMT-5)

Andy

MaheshCheck

I am in india(IST) GMT+5:30

the_rock

Just messaged you offline.

Andy

the_rock

Hey everyoone,

Just to update on this, had zoom remote with @MaheshCheck and below are my notes. I feel good now if Cisco side resets the tunnel, it will work fine, but Mahesh will let us know for sure once they do it.

Andy

NOTES FROM THE CALL:

-zoom with Mahesh
-we enabled tunnel mgmt as per gateway since its combo of hosts/subnets
-installed policy
-first time config, never worked before
-Cisco mentioned phase 2 selectors are not matching
-peer ip x.x.x.x

below guidbedit settings should be set to FALSE to avoid any supernatting:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

peer -> xyz_gateway

we made sure guidbedit settings were set to false, changed last one -> ike_use_largest_possible_subnets

installed policy -> now tunnel shows UP

Mahesh will ask other side to check tomorrow and let us know

Are you a member of CheckMates?

Ikev2 Phase2 is not getting up