topic site-to-site VPN / no "IKE Info" in General Topics

site-to-site VPN / no "IKE Info"

SARowe_NZ — Wed, 17 Jan 2018 23:56:14 GMT

Hey,

We have a couple of VPN's which have just been transitioned to the PA firewall. Under network > ipsec tunnels > the VPN status shows as up, but the "IKE info" shows as down, with no info. If I run: "show vpn ike-sa detail gateway" there is nothing listed.

If I run "test vpn ipsec-sa tunnel" it brings it up and shows

IKE Phase1 SA:
Cookie: FFAFE29D66F1B89F:ECC8B630093A918E Init
State: Dying
Mode: Main
Authentication: PSK
Proposal: 3DES/SHA1/DH2
NAT: PEER
Message ID: 0, phase 2: 0
Phase 2 SA created : 1
Created: Jan.18 12:47:21, 1 minute 58 seconds ago
Expires: Jan.19 12:47:21

If I then run "clear vpn ipsec-sa tunnel" it reverts to the down state, and remains there until I re-run "test..."

My concern is that is shows state "Dying" and that at some point soon it will "die" and won't come back without my intervention.

Has anyone seen this, or can they please explain what this means and how to resolve?

Thanks,

Shannon

Re: site-to-site VPN / no "IKE Info"

BPry — Thu, 18 Jan 2018 20:58:26 GMT

@SARowe_NZ,

This is normal behavior depending on your tunnel setup. Here is a document that discusses what exactly is going on, but essentially your Phase 1 is down because it doesn't need to be up once Phase2 is operational.

HERE

Re: site-to-site VPN / no "IKE Info"

SARowe_NZ — Thu, 18 Jan 2018 21:03:10 GMT

Perfect thank you! Suprised those articles did not come up in my searches.

Re: site-to-site VPN / no "IKE Info"

Fahadvu — Mon, 22 Jan 2018 11:38:42 GMT

you will also reset the phases if you face issue.