Solved: S2S phase 2 down

RemoteUser · ‎2025-07-10

We have a vpn s2s that goes down with asa. (phase-2)

crypto map outside_map 300 match address outside_300_cryptomap
crypto map outside_map 300 set peer x.x.x.x (our pubblic IP)
crypto map outside_map 300 set ikev2 ipsec-proposal ESP-AES256-SHA256
crypto map outside_map 300 set security-association lifetime seconds 28800
DH Group 14

Our side checkpoint doesn't change...

Error from checkpoint in the log:
Child SA exchange: Sending notification to peer: No proposal chosen MyMethods Phase2: AES-256 + HMAC-SHA2-256, No IPComp, No ESN, Group 14

The guys that mange ASA told me that they doesn't change anything.

RemoteUser · ‎2025-07-22

Hi brother, sorri for the late response i was ooo.
Anway we solved the issue, there was an incompatibility with PFS

View solution in original post

_Val_ · ‎2025-07-14

What does the log say?

the_rock · ‎2025-07-14

Hey bro,

Ask them if they can run this debug on Cisco and send it over.

Andy

debug vpn:

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs-> undebug all

Best,
Andy

the_rock · ‎2025-07-14

Was the tunnel ever up btw?

Andy

Best,
Andy

the_rock · ‎2025-07-15

Hey bro,

Any luck with this?

Andy

Best,
Andy

RemoteUser · ‎2025-07-22

Hi brother, sorri for the late response i was ooo.
Anway we solved the issue, there was an incompatibility with PFS

the_rock · ‎2025-07-23

Excellent work bro.

Best,
Andy

Are you a member of CheckMates?

S2S phase 2 down