Tunnel times


L4 Transporter

I have a tunnel that is up 8 hours and down 16 hours almost consistently. Does anyone have any ideas what would cause that?

22 replies

L7 Applicator

Hello Infotech,

As per the default IKE configuration, the IKE phase-1 lifetime is 8 hrs. So, please make sure that traffic is passing through the tunnel; otherwise it will be down after the mentioned (8 hrs) lifetime.

[Attachment: IKE-profile.JPG]

Thanks

So how am I supposed to check to see if traffic is passing through the tunnel? Also, I can't bring it back up no matter what I do.

L7 Applicator

Hello Infotech,

A similar parameter is also available for the IPsec crypto profile. The default value for phase-2 is 1 hr. As you mentioned earlier, the tunnel went down after 8 hrs. Could you please confirm whether both Phase-1 and Phase-2 were down, or only Phase-2 went down?

Thanks

> show vpn ike-sa gateway

> show vpn flow

> show vpn flow tunnel-id x  << where x = id number from the above display

Try to bring it UP through TEST VPN command as mentioned below:

> test vpn ike-sa gateway XXXXXX

> test vpn ipsec-sa tunnel XXXXXX

Thanks

L4 Transporter

It's up right now, so I will have to wait till it's down to verify this, though I have tried to bring it up with the test command and it fails to come up. But I believe phase 1 comes up but phase 2 fails, and I have never heard of phase 3.

Sorry, it was a typo; it should be Phase-2. :)

Thanks

I will try to bring it up with the test command, but in the past it has failed to bring it up.

Hello Infotech,

After applying the test command from the CLI, please verify the System logs from the GUI (Monitor > Logs > System). It should give you a reason behind the failure. Otherwise, we have to verify ikemgr.log from the CLI (> less mp-log ike-mgr.log [Shift+G]).

Hope this helps.

Thanks

Here is the result of show vpn ike-sa gateway

phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm          Established     Expiration      V  ST Xt Phase2
--------------- ------------           ------------           ---- ---- ---------          -----------     ----------      -  -- -- ------
              5 66.94.196.108          Parkway_Gateway_ITV3   Init Main PSK/DH2/3DES/SHA1 Jul.16 13:12:10*Jul.16 13:12:31 v1 14  3      0

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

phase-2 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Algorithm               SPI(in)  SPI(out) MsgID    ST Xt
--------------- ------------           ------------           ---- ---------               -------  -------- -----    -- --
              5 66.94.196.108          Parkway_Gateway_ITV3   Init     /    /   /    /     00000000 00000000 3EDA505E  5  5

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

Result of show vpn flow tunnel-id:

tunnel  Parkway_IPSec_Tunnel5:DR_Network
        id:                     139
        type:                   IPSec
        gateway id:             5
        local ip:               66.94.196.107
        peer ip:                66.94.196.108
        inner interface:        tunnel.5
        outer interface:        ethernet1/3
        state:                  inactive
        session:                0
        tunnel mtu:             1428
        lifetime remain:        N/A
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       2716
        local spi:              9C3025F2
        remote spi:             07B3DE31
        key type:               auto key
        protocol:               ESP
        auth algorithm:         NOT ESTABLISHED
        enc  algorithm:         NOT ESTABLISHED
        proxy-id local ip:      10.135.100.0/24
        proxy-id remote ip:     10.135.11.0/25
        proxy-id protocol:      0
        proxy-id local port:    0
        proxy-id remote port:   0
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       577416
        receive sequence:       543151
        encap packets:          17134359
        decap packets:          15948658
        encap bytes:            2685487256
        decap bytes:            10989573876
        key acquire requests:   129710

I ran the test command and it did not bring the tunnel back up.

The command to verify ike-mgr.log from the CLI (> less mp-log ike-mgr.com [Shift+G]) did not work; I got invalid syntax.

Hello Infotech,

Open a new CLI session and run > tail follow yes mp-log ikemgr.log. At the same time, try the TEST VPN command from another window (to forcefully initiate the VPN tunnel).

Thanks

These are the results:

2014-07-16 14:36:04 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xDCA8EE4B <====
2014-07-16 14:36:04 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=3fd430494385e0f5 1df66859af85187f (size=16).
2014-07-16 14:36:05 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:3fd430494385e0f5:1df66859af85187f <====
2014-07-16 14:36:13 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:0e8b02a666f3d3b1:cedef558e2c21a7e <====
2014-07-16 14:36:14 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:2931850b7ade2be4:b5eeafc08a33ee7b <====
2014-07-16 14:36:15 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:3fd430494385e0f5:1df66859af85187f <====

What type of firewall is the peer device?

The message above indicates that the IPSec settings do not match on the firewalls. What is the IPSec profile you are using on your local system, and what is the configuration of the remote host?

The peer is a Cisco 5505, and I have checked, rechecked and changed the settings to make them match, and it always does the exact same thing no matter what the settings are.
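The reading given a few replies up (NO-PROPOSAL-CHOSEN during quick mode means the peer rejected the phase-2 proposal) and the earlier point about phase-1 lifetimes can both be checked mechanically against a `tail follow yes mp-log ikemgr.log` capture instead of by eye. The script below is an added example written for this thread; it is not code from the thread, from the posters, or from Palo Alto Networks. It assumes log lines in the shape pasted above, runs on a constructed sample that uses documentation IP ranges and made-up cookies, and the protocol names and notify-code hints are this example's own mapping taken from the ISAKMP DOI (RFC 2407) and ISAKMP notify types (RFC 2408).

```python
"""Summarise IKEv1 failures from PAN-OS ikemgr.log-style lines (added example, not vendor code)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the shape of the thread's ikemgr.log excerpt. The peers are
# documentation addresses (192.0.2.10 / 198.51.100.20) and the cookies/SPIs are made up.
SAMPLE_LOG = """\
2014-07-16 14:36:04 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 192.0.2.10[500]-198.51.100.20[500] message id:0xDCA8EE4B <====
2014-07-16 14:36:04 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=3fd430494385e0f5 1df66859af85187f (size=16).
2014-07-16 14:36:05 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 192.0.2.10[500]-198.51.100.20[500] cookie:3fd430494385e0f5:1df66859af85187f <====
2014-07-16 14:36:13 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 192.0.2.10[500]-198.51.100.20[500] cookie:0e8b02a666f3d3b1:cedef558e2c21a7e <====
"""

NEG_START = re.compile(r"PHASE-(\d) NEGOTIATION STARTED AS (INITIATOR|RESPONDER)")
NOTIFY = re.compile(r"notification message (\d+):([A-Z0-9-]+).*?proto_id=(\d+)")
EXPIRED = re.compile(r"PHASE-(\d) SA LIFETIME EXPIRED")
COOKIE = re.compile(r"cookie:[0-9a-f]+:[0-9a-f]+")

# ISAKMP DOI protocol IDs (RFC 2407). proto_id=3 in a notify therefore concerns ESP, i.e. phase 2.
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
# Hints for the notify types this example interprets (RFC 2408 numbering); our own wording.
NOTIFY_HINTS = {
    14: "peer accepted none of our proposals: compare encryption, authentication, DH group/PFS and lifetime on both sides",
    18: "peer rejected the identities: compare proxy-IDs with the peer's interesting-traffic definition",
}


@dataclass
class Summary:
    phase2_attempts: int = 0
    phase1_expirations: int = 0
    expired_sas: set = field(default_factory=set)        # distinct ISAKMP cookie pairs that expired
    notifies: Counter = field(default_factory=Counter)   # (code, name, protocol) -> count


def parse_ikemgr(text):
    """Walk the log once; a cookie line is attributed to the EXPIRED line just before it."""
    s = Summary()
    expect_cookie = False
    for line in text.splitlines():
        if expect_cookie and (m := COOKIE.search(line)):
            s.expired_sas.add(m.group(0))
        expect_cookie = False
        if (m := NEG_START.search(line)) and m.group(1) == "2":
            s.phase2_attempts += 1
        elif m := NOTIFY.search(line):
            code, name, proto = int(m.group(1)), m.group(2), int(m.group(3))
            s.notifies[(code, name, PROTO_NAMES.get(proto, f"proto_id={proto}"))] += 1
        elif m := EXPIRED.search(line):
            if m.group(1) == "1":
                s.phase1_expirations += 1
            expect_cookie = True
    return s


def diagnose(s):
    """Turn the counts into plain-language findings; the phase is inferred from the notify's protocol."""
    findings = []
    for (code, name, proto), n in sorted(s.notifies.items()):
        phase = "phase 1" if proto == "ISAKMP" else "phase 2"
        hint = NOTIFY_HINTS.get(code, "consult the peer's log for the rejection reason")
        findings.append(f"{n}x {name} ({code}) for {proto} during {phase}: {hint}")
    if s.phase1_expirations:
        findings.append(
            f"{s.phase1_expirations} phase-1 lifetime expirations across {len(s.expired_sas)} SA(s): "
            "a tunnel that drops on a fixed schedule usually points at a phase-1 or phase-2 lifetime")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ikemgr(SAMPLE_LOG)):
        print(finding)
```

Pipe a real capture in by replacing `SAMPLE_LOG` with the file contents; the useful signal is the protocol in the notify (ESP means the IPsec crypto profile, ISAKMP means the IKE crypto profile), which tells you which of the two profiles to compare with the peer.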
