Enabling IKEv2 extended logging

IKEv2 syslog messages are enabled by default. Extended logging, which adds the reasons for packet discards and negotiation failures, must be enabled separately.

By default, IKEv2 syslog messages record when IKEv2 sessions and IPsec sessions go up or down.

Extended logging records additional information, including the following items:
  • Reasons packets are discarded
    • Invalid major version
    • Incorrect Security Parameters Index (SPI) value
    • Incorrect Nonce
    • Authentication error
  • Reasons for Phase 1 IKEv2 failures
    • Proposal mismatch
    • Authentication error
    • IKE SA overflow
    • Internal error
  • Reasons for Phase 2 IKEv2 failures
    • IPsec SA overflow
    • Proposal mismatch
    • Flow mismatch
    • Internal error

Perform these steps to enable extended logging.

  1. Enter global configuration mode.

     device# configure terminal
     device(config)#

  2. To enable logging for IKEv2 packets, enter the following command.

     device(config)# logging enable ikev2 ikev2-packet

  3. To enable logging of extended events, enter the following command.

     device(config)# logging enable ikev2 ikev2-extended

The following example enables extended logging of both IKEv2 packets and events.

device# configure terminal
device(config)# logging enable ikev2 ikev2-packet
device(config)# logging enable ikev2 ikev2-extended

The following example shows an IKEv2 extended event syslog entry for an IKEv2 Phase 1 failure due to a proposal mismatch.

SYSLOG: <13> Jul 20 14:36:39 IKEv2: Phase1 failed  Proposal mismatch Source 8:8:8::2 Destination 8:8:8::2 VRF 0 Tunnel 124
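Once extended logging is on, the value is in parsing the failure entries on the syslog collector: counting failures by phase and reason shows misconfigured peers (proposal or flow mismatches), while a run of Phase 1 authentication errors from one source is the entry an operator wants raised first. The following Python script is an added example, not part of this document or the device software. Its pattern is written against the single entry shown above; the Phase 2 layout and the other reason strings are assumed to share that layout, and all sample lines other than the first are constructed for the example.

```python
import re
from collections import Counter

# Pattern derived from the one entry shown in the document. Phase 2 entries and
# the other reason strings are assumed to use the same layout (assumption; check
# against your own device output before relying on it).
IKEV2_FAILURE_RE = re.compile(
    r"IKEv2:\s+(?P<phase>Phase[12]) failed\s+(?P<reason>.+?)\s+"
    r"Source (?P<src>\S+)\s+Destination (?P<dst>\S+)\s+"
    r"VRF (?P<vrf>\d+)\s+Tunnel (?P<tunnel>\d+)"
)

# Failure reasons listed in the document for each IKEv2 phase.
KNOWN_REASONS = {
    "Phase1": {"Proposal mismatch", "Authentication error", "IKE SA overflow", "Internal error"},
    "Phase2": {"IPsec SA overflow", "Proposal mismatch", "Flow mismatch", "Internal error"},
}


def parse_ikev2_failure(line):
    """Return the fields of an IKEv2 extended-event failure entry, or None for any other line."""
    m = IKEV2_FAILURE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["vrf"] = int(rec["vrf"])
    rec["tunnel"] = int(rec["tunnel"])
    # Flag reason strings the document does not list, so a new or reworded
    # message is noticed rather than silently dropped into a bucket.
    rec["known_reason"] = rec["reason"] in KNOWN_REASONS[rec["phase"]]
    return rec


def summarize_failures(lines, auth_threshold=3):
    """Count failures per (phase, reason) and return the sources that hit
    auth_threshold or more Phase 1 authentication errors."""
    by_reason = Counter()
    auth_errors_by_peer = Counter()
    for line in lines:
        rec = parse_ikev2_failure(line)
        if rec is None:
            continue  # session up/down messages and unrelated syslog lines
        by_reason[(rec["phase"], rec["reason"])] += 1
        if rec["phase"] == "Phase1" and rec["reason"] == "Authentication error":
            auth_errors_by_peer[rec["src"]] += 1
    flagged = sorted(p for p, n in auth_errors_by_peer.items() if n >= auth_threshold)
    return by_reason, flagged


SAMPLE_LINES = [
    # Entry exactly as shown in the document.
    "SYSLOG: <13> Jul 20 14:36:39 IKEv2: Phase1 failed  Proposal mismatch Source 8:8:8::2 Destination 8:8:8::2 VRF 0 Tunnel 124",
    # Constructed entries for this example, assumed to follow the same layout.
    "SYSLOG: <13> Jul 20 14:37:02 IKEv2: Phase1 failed  Authentication error Source 2001:db8::10 Destination 8:8:8::2 VRF 0 Tunnel 124",
    "SYSLOG: <13> Jul 20 14:37:05 IKEv2: Phase1 failed  Authentication error Source 2001:db8::10 Destination 8:8:8::2 VRF 0 Tunnel 124",
    "SYSLOG: <13> Jul 20 14:37:09 IKEv2: Phase1 failed  Authentication error Source 2001:db8::10 Destination 8:8:8::2 VRF 0 Tunnel 124",
    "SYSLOG: <13> Jul 20 14:38:11 IKEv2: Phase2 failed  Flow mismatch Source 8:8:8::2 Destination 8:8:8::2 VRF 0 Tunnel 124",
    # Constructed non-IKEv2 line; the parser must ignore it.
    "SYSLOG: <13> Jul 20 14:38:40 example: unrelated message for the collector",
]

if __name__ == "__main__":
    counts, flagged = summarize_failures(SAMPLE_LINES)
    for (phase, reason), n in sorted(counts.items()):
        print(f"{phase:7} {reason:22} {n}")
    print("sources with repeated Phase 1 authentication errors:", flagged)
```

The threshold and the source/tunnel keys are the parts to tune: keying on Source alone is enough for a single gateway, while a collector receiving from several devices should add the device's own hostname from the syslog header, which this sample format does not carry.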