Tunnel times

L4 Transporter

Tunnel times

I have a tunnel that is up 8 hours and down 16 hours almost consistently. Anyone have any ideas what would cause that?

L7 Applicator

Re: Tunnel times

Hello Infotech,

As per the default IKE configuration, the IKE phase-1 lifetime is 8 hrs. So please make sure that traffic is passing through the tunnel; else it will be down after the mentioned (8 hrs) lifetime.


Thanks

L4 Transporter

Re: Tunnel times

So how am I supposed to check to see if traffic is passing through the tunnel? Also, I can't bring it back up no matter what I do.

L7 Applicator

Re: Tunnel times

Hello Infotech,

A similar parameter is also available for the IPsec crypto profile. The default value for phase-2 is 1 hr. As you mentioned earlier, the tunnel was down after 8 hrs. Could you please confirm whether both Phase-1 and Phase-2 were down, or only Phase-2 went down?

Thanks

L7 Applicator

Re: Tunnel times

> show vpn ike-sa gateway

> show vpn flow

> show vpn flow tunnel-id x  << where x = id number from the above display

Try to bring it UP through TEST VPN command as mentioned below:

> test vpn ike-sa gateway XXXXXX

> test vpn ipsec-sa tunnel XXXXXX

Thanks

L4 Transporter

Re: Tunnel times

It's up right now, so I will have to wait till it's down to verify this, though I have tried to bring it up with the test command and it fails to come up. But I believe phase 1 comes up but phase 2 fails, and I have never heard of phase 3.

L7 Applicator

Re: Tunnel times

Sorry, it was a typo; it should be Phase-2.

Thanks

L4 Transporter

Re: Tunnel times

I will try to bring it up with the test command, but in the past it has failed to bring it up.

L7 Applicator

Re: Tunnel times

Hello Infotech,

After applying the test command from the CLI, please verify the System logs from the GUI (Monitor > Logs > System). It should give you the reason behind the failure. Otherwise, we have to check ikemgr.log from the CLI ( > less mp-log ikemgr.log, then Shift+G to jump to the end).

Hope this helps.

Thanks

L4 Transporter

Re: Tunnel times

Here is the result of the show vpn ike-sa gateway:

phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm          Established     Expiration      V  ST Xt Phase2
--------------- ------------           ------------           ---- ---- ---------          -----------     ----------      -  -- -- ------
              5 66.94.196.108          Parkway_Gateway_ITV3   Init Main PSK/DH2/3DES/SHA1 Jul.16 13:12:10*Jul.16 13:12:31 v1 14  3      0

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

phase-2 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Algorithm               SPI(in)  SPI(out) MsgID    ST Xt
--------------- ------------           ------------           ---- ---------               -------  -------- -----    -- --
              5 66.94.196.108          Parkway_Gateway_ITV3   Init     /    /   /    /     00000000 00000000 3EDA505E  5  5

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

Result of show vpn flow tunnel-id:

tunnel  Parkway_IPSec_Tunnel5:DR_Network
        id:                     139
        type:                   IPSec
        gateway id:             5
        local ip:               66.94.196.107
        peer ip:                66.94.196.108
        inner interface:        tunnel.5
        outer interface:        ethernet1/3
        state:                  inactive
        session:                0
        tunnel mtu:             1428
        lifetime remain:        N/A
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       2716
        local spi:              9C3025F2
        remote spi:             07B3DE31
        key type:               auto key
        protocol:               ESP
        auth algorithm:         NOT ESTABLISHED
        enc  algorithm:         NOT ESTABLISHED
        proxy-id local ip:      10.135.100.0/24
        proxy-id remote ip:     10.135.11.0/25
        proxy-id protocol:      0
        proxy-id local port:    0
        proxy-id remote port:   0
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       577416
        receive sequence:       543151
        encap packets:          17134359
        decap packets:          15948658
        encap bytes:            2685487256
        decap bytes:            10989573876
        key acquire requests:   129710

I ran the test command and it did not bring the tunnel back up.
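The `show vpn flow tunnel-id` output posted above is what the earlier replies ask the poster to read for phase-2 health. As an added example (not the firewall vendor's tooling nor anything from this thread), the script below parses that key/value layout and pulls out the signs of a phase-2 failure a practitioner would look for: inactive state, ESP algorithms NOT ESTABLISHED, no lifetime remaining, tunnel monitor off, and key-acquire requests piling up with zero sessions. The sample input is a constructed, trimmed copy of the posted output; the field names are assumed to be stable across the firewall's output.

```python
import re

# Constructed sample: a trimmed copy of the "show vpn flow tunnel-id" output
# posted in the thread, keeping only the fields the check below inspects.
SAMPLE_FLOW = """\
tunnel  Parkway_IPSec_Tunnel5:DR_Network
        id:                     139
        type:                   IPSec
        state:                  inactive
        session:                0
        lifetime remain:        N/A
        monitor:                off
        auth algorithm:         NOT ESTABLISHED
        enc  algorithm:         NOT ESTABLISHED
        proxy-id local ip:      10.135.100.0/24
        proxy-id remote ip:     10.135.11.0/25
        key acquire requests:   129710
"""

def parse_flow(text):
    """Turn 'key:   value' lines into a dict; the unindented first line names the tunnel."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^tunnel\s+(\S+)\s*$", line)   # e.g. 'tunnel  Name:Proxy'
        if m:
            fields["tunnel"] = m.group(1)
            continue
        m = re.match(r"^\s*(.+?):\s*(.*)$", line)
        if m:
            # collapse runs of spaces so 'enc  algorithm' looks up as 'enc algorithm'
            key = re.sub(r"\s+", " ", m.group(1).strip())
            fields[key] = m.group(2).strip()
    return fields

def diagnose(fields):
    """Return human-readable findings explaining why the tunnel is not passing traffic."""
    findings = []
    if fields.get("state") != "active":
        findings.append("tunnel state is %s" % fields.get("state", "unknown"))
    if "NOT ESTABLISHED" in (fields.get("auth algorithm"), fields.get("enc algorithm")):
        findings.append("no phase-2 SA: ESP algorithms not negotiated")
    if fields.get("lifetime remain") == "N/A":
        findings.append("no SA lifetime: phase-2 never completed after the last rekey")
    if fields.get("monitor") == "off":
        findings.append("tunnel monitor is off, so the firewall will not probe or re-key on its own")
    if fields.get("session") == "0" and int(fields.get("key acquire requests", "0")) > 0:
        findings.append("traffic is triggering key acquires but no session is up")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_flow(SAMPLE_FLOW)):
        print("-", finding)
```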
