CCNA 200-301: VPN

IPsec IKE Phase 2 (IPsec SA) Not Completing

Presenting Symptom

IKE Phase 1 completes (the ISAKMP SA is up), but no traffic is encrypted; show crypto ipsec sa shows no active IPsec SAs.

Network Context

Two Cisco routers (R1 and R2) connected over the Internet with a site-to-site VPN. R1 has IOS 15.9, R2 has IOS 15.7. Both have IKE Phase 1 configured and working, but Phase 2 fails to establish. The network is a small branch office (R1) connecting to a main office (R2).

Diagnostic Steps

1. Check IPsec SA status

show crypto ipsec sa
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

If no IPsec SA is present (no inbound/outbound SPI), Phase 2 has not completed. Check for mismatched transform sets, ACLs, or PFS settings.

2. Check IKE Phase 1 status

show crypto isakmp sa
dst             src             state          conn-id slot status
198.51.100.1    203.0.113.1     QM_IDLE           1001    ACTIVE

If the state is QM_IDLE, Phase 1 is complete; if not, Phase 1 is the issue. Here Phase 1 is up, so focus on Phase 2.

3. Check crypto map and ACL configuration

show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
    Peer = 198.51.100.1
    Extended IP access list VPN_ACL
        access-list VPN_ACL permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    Current peer: 198.51.100.1
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={TSET,}

Verify that the ACL matches the local and remote subnets and that the peer's ACL is its mirror image (source and destination swapped). If the ACL is missing or incorrect, Phase 2 will fail. Also check that a transform set is attached to the crypto map and that it matches the peer's.

4. Check transform set configuration

show crypto ipsec transform-set
Transform set TSET: { esp-aes 256 esp-sha-hmac }
   will negotiate = { Tunnel, },

Ensure the transform set is defined and matches between peers. Mismatched encryption or authentication algorithms cause Phase 2 failure.

5. Enable debug for IKE Phase 2

debug crypto ipsec
IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 203.0.113.1:500, remote= 198.51.100.1:500,
    local_proxy= 192.168.1.0/255.255.255.0/0/0,
    remote_proxy= 192.168.2.0/255.255.255.0/0/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
IPSEC(validate_proposal_request): proposal part #1,
  (transform set) = {esp-aes 256 esp-sha-hmac}
  (protocol) = 0x10
  (lifetime) = 0
  (pfs_group) = 0
IPSEC(validate_proposal_request): proposal part #1,
  (transform set) = {esp-aes 256 esp-sha-hmac}
  (protocol) = 0x10
  (lifetime) = 0
  (pfs_group) = 0
IPSEC(validate_proposal_request): proposal part #1,
  (transform set) = {esp-aes 256 esp-sha-hmac}
  (protocol) = 0x10
  (lifetime) = 0
  (pfs_group) = 0
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 198.51.100.1 failed its sanity check or is malformed

Look for error messages such as 'IKMP_BAD_MESSAGE' (seen above) or 'no matching proposal'. Either one indicates a mismatch between the peers in transform sets or crypto ACLs. The debug output shows only the local proposal (transform set, proxy identities, lifetimes, PFS group), so compare it line by line with what the peer is configured to accept.

Root Cause

The IPsec transform set on R1 uses AES 256 and SHA-HMAC, but R2 is configured with AES 128 and MD5. The mismatch causes IKE Phase 2 to fail because the peers cannot agree on the security parameters for the IPsec SA.

Resolution

On R1, change the transform set to match R2:

R1(config)# crypto ipsec transform-set TSET esp-aes 128 esp-md5-hmac
R1(config-crypto-tran)# mode tunnel
R1(config-crypto-tran)# exit
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set transform-set TSET
R1(config-crypto-map)# end
R1# clear crypto sa
R1# clear crypto isakmp

Explanation: The transform set is updated to match the peer. 'clear crypto sa' and 'clear crypto isakmp' reset the security associations so that Phase 2 can renegotiate with the correct parameters.

Verification

R1# show crypto ipsec sa
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x12345678(305419896)
     PFS (Y/N): N, DH group: none

Expected: IPsec SA is present with non-zero SPI and packet counters incrementing.
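The check behind diagnostic step 1 and this verification, in code. This is an added example written for this page, not Cisco's code: it parses the text of 'show crypto ipsec sa' and classifies each crypto-map entry by its SPI and packet counters. The two sample outputs are constructed from the page's before-and-after captures (trimmed to the lines the parser uses), and the state names NO_SA, SA_IDLE, ONE_WAY and OK are labels chosen here, not IOS terms.

```python
import re

# Added example for this page, not Cisco code: a small parser for the text of
# `show crypto ipsec sa` that tells you, per crypto-map entry, whether IKE
# Phase 2 actually produced an IPsec SA and whether traffic flows both ways.

# Constructed samples mirroring the page: before the fix (no SA) and after.
SA_BEFORE = """interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
"""
SA_AFTER = (SA_BEFORE
            .replace("encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
                     "encaps: 10, #pkts encrypt: 10, #pkts digest: 10")
            .replace("decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
                     "decaps: 8, #pkts decrypt: 8, #pkts verify: 8")
            .replace("spi: 0x0(0)", "spi: 0x12345678(305419896)"))


def parse_ipsec_sa(output):
    """One dict per 'local ident' block: proxy identities, peer, SPI, counters, errors."""
    entries, cur = [], None
    for line in output.splitlines():
        s = line.strip()
        if m := re.match(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)", s):
            cur = {"local": m.group(1), "remote": None, "peer": None, "spi": 0,
                   "encaps": 0, "decaps": 0, "send_err": 0, "recv_err": 0}
            entries.append(cur)
        elif cur is None:
            continue  # header lines before the first identity block
        elif m := re.match(r"remote ident \(addr/mask/prot/port\): \((\S+)\)", s):
            cur["remote"] = m.group(1)
        elif m := re.match(r"current_peer (\S+)", s):
            cur["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", s):
            cur["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", s):
            cur["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            cur["send_err"], cur["recv_err"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", s):
            cur["spi"] = int(m.group(1), 16)  # 0 means no outbound SA was installed
    return entries


def sa_state(entry):
    """Classify an entry the way step 1 and the verification section read it."""
    if entry["spi"] == 0:
        return "NO_SA"     # Phase 2 never completed: check transform set, ACL, PFS
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        return "SA_IDLE"   # SA exists but nothing has matched the crypto ACL yet
    if entry["decaps"] == 0:
        return "ONE_WAY"   # we encrypt but never receive: check the peer and return path
    return "OK"


def summarize(output):
    """[(local, remote, peer, state), ...] for every crypto-map entry in the output."""
    return [(e["local"], e["remote"], e["peer"], sa_state(e)) for e in parse_ipsec_sa(output)]


if __name__ == "__main__":
    for label, text in (("before fix", SA_BEFORE), ("after fix", SA_AFTER)):
        for local, remote, peer, state in summarize(text):
            print(f"{label}: {local} <-> {remote} via {peer}: {state}")
```

Feed it the output of the command from both routers over time: an entry that stays NO_SA after 'clear crypto sa' is the Phase 2 mismatch this page is about, while ONE_WAY points at the peer or the return path rather than at the local crypto map.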

Prevention

1. Always document and standardize transform sets across all VPN peers.
2. Use a template or automation to ensure consistency in crypto configurations.
3. Test VPN connectivity in a lab before deploying to production.
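Prevention item 2 and diagnostic steps 3 and 4 both come down to comparing the Phase 2 parameters of the two peers. The following is an added example, not Cisco's code or anything from the page: it parses 'show crypto ipsec transform-set' and 'show crypto map' captured from both routers, reports whether they can agree on an IPsec SA (transform set, tunnel mode, PFS, mirrored crypto ACL), and additionally flags transforms a reviewer would not want to keep even when they match. The R2 outputs, the WEAK_ALGS list, the finding codes and the esp-sha256-hmac suggestion are constructions of this example.

```python
import re

# Added example for this page, not Cisco code: parse `show crypto ipsec
# transform-set` and `show crypto map` from both peers and explain why IKE
# Phase 2 cannot agree on an IPsec SA. R1/R2 texts are constructed from the page.
R1_TS = """Transform set TSET: { esp-aes 256 esp-sha-hmac }
   will negotiate = { Tunnel, },
"""
R1_TS_FIXED = R1_TS.replace("esp-aes 256 esp-sha-hmac", "esp-aes 128 esp-md5-hmac")
R2_TS = """Transform set TSET: { esp-aes 128 esp-md5-hmac }
   will negotiate = { Tunnel, },
"""
R1_MAP = """Crypto Map "CMAP" 10 ipsec-isakmp
    Peer = 198.51.100.1
    Extended IP access list VPN_ACL
        access-list VPN_ACL permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    PFS (Y/N): N
    Transform sets={TSET,}
"""
R2_MAP = """Crypto Map "CMAP" 10 ipsec-isakmp
    Peer = 203.0.113.1
    Extended IP access list VPN_ACL
        access-list VPN_ACL permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    PFS (Y/N): N
    Transform sets={TSET,}
"""
# Transforms to flag even when both peers agree on them (list chosen for this example).
WEAK_ALGS = {"esp-md5-hmac", "esp-des", "esp-3des", "esp-null"}


def _normalize_algs(text):
    """'esp-aes 256 esp-sha-hmac' -> {'esp-aes 256', 'esp-sha-hmac'}: key size stays with its cipher."""
    algs = []
    for tok in text.split():
        if tok.isdigit() and algs:
            algs[-1] += " " + tok
        else:
            algs.append(tok)
    return frozenset(algs)


def parse_transform_sets(output):
    """{name: {'algs': frozenset, 'mode': 'Tunnel' | 'Transport' | None}}"""
    sets, current = {}, None
    for line in output.splitlines():
        if m := re.match(r"\s*Transform set (\S+): \{\s*(.*?)\s*\}", line):
            current = m.group(1)
            sets[current] = {"algs": _normalize_algs(m.group(2)), "mode": None}
        elif (m := re.match(r"\s*will negotiate = \{\s*(\w+)", line)) and current:
            sets[current]["mode"] = m.group(1)
    return sets


def parse_crypto_map(output):
    """Peer, PFS flag, transform-set names and ACL (src, dst) pairs of one crypto map entry."""
    info = {"peer": None, "pfs": None, "transform_sets": [], "acl": []}
    for line in output.splitlines():
        s = line.strip()
        if m := re.match(r"Peer = (\S+)", s):
            info["peer"] = m.group(1)
        elif m := re.match(r"PFS \(Y/N\): (\w)", s):
            info["pfs"] = m.group(1)
        elif m := re.match(r"Transform sets=\{(.*?)\}", s):
            info["transform_sets"] = [t.strip() for t in m.group(1).split(",") if t.strip()]
        elif m := re.match(r"access-list \S+ permit ip (\S+ \S+) (\S+ \S+)", s):
            info["acl"].append((m.group(1), m.group(2)))
    return info


def compare_phase2(local_ts, local_map, remote_ts, remote_map):
    """List of (code, detail) findings; an empty list means the Phase 2 parameters agree."""
    findings = []
    local_props = [local_ts[n] for n in local_map["transform_sets"] if n in local_ts]
    remote_props = [remote_ts[n] for n in remote_map["transform_sets"] if n in remote_ts]
    # IKE picks a proposal both sides offer; no overlap means no IPsec SA at all.
    common = [(l, r) for l in local_props for r in remote_props if l["algs"] == r["algs"]]
    if not common:
        findings.append(("NO_COMMON_TRANSFORM",
                         f"local offers {[sorted(p['algs']) for p in local_props]}, "
                         f"remote offers {[sorted(p['algs']) for p in remote_props]}"))
    elif all(l["mode"] != r["mode"] for l, r in common):
        findings.append(("MODE_MISMATCH", "tunnel/transport mode differs on every matching set"))
    if local_map["pfs"] != remote_map["pfs"]:
        findings.append(("PFS_MISMATCH", f"local PFS={local_map['pfs']}, remote PFS={remote_map['pfs']}"))
    # The peer's crypto ACL must mirror ours exactly (source and destination swapped).
    if set(local_map["acl"]) != {(dst, src) for src, dst in remote_map["acl"]}:
        findings.append(("ACL_NOT_MIRRORED", f"local {local_map['acl']} vs remote {remote_map['acl']}"))
    for side, props in (("local", local_props), ("remote", remote_props)):
        weak = sorted({a for p in props for a in p["algs"] if a in WEAK_ALGS})
        if weak:
            findings.append(("WEAK_ALG", f"{side} offers {weak}; prefer esp-aes with esp-sha256-hmac"))
    return findings


def diagnose(local_ts_out, local_map_out, remote_ts_out, remote_map_out):
    """Raw show-command text from both peers in, findings out."""
    return compare_phase2(parse_transform_sets(local_ts_out), parse_crypto_map(local_map_out),
                          parse_transform_sets(remote_ts_out), parse_crypto_map(remote_map_out))


if __name__ == "__main__":
    for label, r1_ts in (("as found", R1_TS), ("after the fix", R1_TS_FIXED)):
        print(label, diagnose(r1_ts, R1_MAP, R2_TS, R2_MAP) or "Phase 2 parameters agree")
```

On the page's scenario the first run reports NO_COMMON_TRANSFORM; after the resolution the peers agree, but both sides now carry a WEAK_ALG finding for esp-md5-hmac, which is the point of running a check like this from a template or CI job rather than only when a tunnel is already down.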

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears as a troubleshooting question where you must identify why IPsec Phase 2 fails despite Phase 1 being up. The exam tests your ability to compare transform sets and ACLs between peers. A common multiple-choice question shows 'show crypto ipsec sa' output with no SAs and asks for the cause.

Exam Tips

1. Memorize the output of 'show crypto ipsec sa': look for non-zero SPI and packet counters.

2. Remember that IKE Phase 2 uses transform sets; mismatched encryption or authentication algorithms cause failure.

3. Know that 'clear crypto sa' and 'clear crypto isakmp' are used to reset SAs after fixing configuration.

Commands Used in This Scenario

show crypto ipsec sa: lists IPsec SAs with SPIs and packet counters (step 1, verification)
show crypto isakmp sa: shows IKE Phase 1 state, QM_IDLE when complete (step 2)
show crypto map: shows the crypto map peer, crypto ACL, PFS and transform sets (step 3)
show crypto ipsec transform-set: shows the configured transform sets and mode (step 4)
debug crypto ipsec: shows the Phase 2 proposals and errors as they are negotiated (step 5)
crypto ipsec transform-set TSET esp-aes 128 esp-md5-hmac: redefines the transform set (resolution)
set transform-set TSET: attaches the transform set to the crypto map entry (resolution)
clear crypto sa / clear crypto isakmp: tears down the SAs so they renegotiate (resolution)
