IPSec VPN IKE Phase 1 is Down but Tunnel is Active


Issue

In the WebGUI, under Network > IPSec Tunnels, the IKE Gateway Status (Phase 1) light is red while the IPSec Tunnel (Phase 2) light is green. Traffic still flows through the tunnel normally, and after some time the IKE Gateway Status light returns to green. Is this normal?

Figure: VPN status showing Phase 1 down (red) but Phase 2 up (green)

Resolution

This is normal behavior.


The purpose of Phase 1 (the IKE SA, shown as IKE Gateway Status) is to set up a secure channel in which the Phase 2 (IPSec tunnel) security associations (SAs) are negotiated. Once the Phase 2 SAs exist, user traffic is protected by the Phase 2 SAs alone; the Phase 1 SA plays no part in forwarding. It is therefore possible for Phase 1 to be down while traffic still crosses the tunnel, because Phase 2 is still up. The IKE light turns red when the Phase 1 SA reaches its lifetime and expires. Shortly before the Phase 2 SA reaches its own lifetime, the firewall must negotiate a replacement Phase 2 SA. That negotiation requires a Phase 1 SA, so Phase 1 is renegotiated first, which brings the IKE light back to green; the new Phase 2 SA is then built over it and the cycle repeats. This pattern appears whenever the Phase 1 SA expires before the next Phase 2 rekey is due. It is only a problem if the IKE light stays red and no Phase 2 renegotiation follows: once the remaining Phase 2 SA expires, traffic stops, and the Phase 1 negotiation itself (peer reachability, proposals, pre-shared key or certificates) needs to be investigated.


This behavior can be seen in the system logs:

Figure: System logs showing Phase 2 and Phase 1 renegotiating

Description of the events above:

21:44:04: Phase-1 SA timed out. At this point the IKE Gateway Status light turns red. Note that Phase-1 renegotiation does not start right away.

21:45:38: Phase-2 SA is about to time out, so Phase-1 SA renegotiation starts. The IKE Gateway Status light turns back to green.

21:45:38: Phase-2 SA is renegotiated over the new Phase-1 SA.

21:45:38: The previous Phase-2 SA expires and is deleted.
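The lifetime interplay described in the resolution and in the log timeline above, as an added example that is not code from the original article or from PAN-OS: a tick-based simulation of one tunnel that replays the rules in the text (traffic rides on Phase 2; an expired Phase 1 SA only turns the light red; a Phase 2 rekey rebuilds Phase 1 when needed; the old Phase 2 SA is deleted at its own lifetime) and reports the windows in which the IKE light is red while traffic still flows. The lifetimes, the rekey margin and the `peer_down_from` switch are hypothetical inputs chosen for the illustration; real values come from the IKE gateway and IPSec crypto profiles on the firewall.

```python
"""Timeline model of IKE (Phase 1) and IPSec (Phase 2) SA lifetimes.

Added example, not from the original article or from PAN-OS. All
lifetimes are hypothetical; the rules are the ones the article states.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Sa:
    """One security association: when it was built and how long it lives."""
    established: int
    lifetime: int
    rekeyed: bool = False  # set once a replacement negotiation has been attempted

    @property
    def expires(self) -> int:
        return self.established + self.lifetime


@dataclass
class Result:
    events: List[Tuple[int, str]] = field(default_factory=list)
    red_windows: List[Tuple[int, int]] = field(default_factory=list)  # IKE light red, traffic still flowing
    still_red: bool = False            # IKE light red when the simulation ended
    outage_at: Optional[int] = None    # first second with no Phase 2 SA at all


def simulate(ike_lifetime: int, ipsec_lifetime: int, rekey_margin: int,
             horizon: int, peer_down_from: Optional[int] = None) -> Result:
    """Replay the SA lifecycle for `horizon` seconds, one tick per second.

    Rules taken from the article:
      * traffic flows while any Phase 2 SA is alive, Phase 1 is not consulted;
      * when the Phase 1 SA reaches its lifetime it is simply gone (IKE light red);
      * `rekey_margin` seconds before the newest Phase 2 SA expires, a replacement
        Phase 2 SA is negotiated; that needs a live Phase 1 SA and rebuilds one if
        necessary, which turns the light green again;
      * the old Phase 2 SA is deleted when its own lifetime ends.
    `peer_down_from` (hypothetical knob) makes every Phase 1 negotiation from that
    second on fail, to show what a red light that never recovers leads to. To keep
    the timeline readable the model does not retry a failed negotiation.
    """
    res = Result()
    ike: Optional[Sa] = Sa(0, ike_lifetime)        # t=0: Phase 1 established ...
    ipsec: List[Sa] = [Sa(0, ipsec_lifetime)]      # ... and the first Phase 2 SA
    res.events += [(0, "phase1-up"), (0, "phase2-up")]
    red_since: Optional[int] = None

    for t in range(1, horizon + 1):
        # Phase 1 lifetime expiry: light turns red, nothing else changes.
        if ike is not None and t >= ike.expires:
            ike = None
            red_since = t
            res.events.append((t, "phase1-expired"))

        # Newest Phase 2 SA is about to time out: negotiate its replacement.
        newest = ipsec[-1] if ipsec else None
        if newest is not None and not newest.rekeyed and t >= newest.expires - rekey_margin:
            newest.rekeyed = True
            if ike is None:
                if peer_down_from is not None and t >= peer_down_from:
                    res.events.append((t, "phase1-negotiation-failed"))
                else:
                    ike = Sa(t, ike_lifetime)
                    res.events.append((t, "phase1-renegotiated"))
                    res.red_windows.append((red_since if red_since is not None else t, t))
                    red_since = None
            if ike is not None:
                ipsec.append(Sa(t, ipsec_lifetime))
                res.events.append((t, "phase2-renegotiated"))

        # Phase 2 SAs past their lifetime are deleted, replacement or not.
        for sa in [s for s in ipsec if t >= s.expires]:
            ipsec.remove(sa)
            res.events.append((t, "phase2-deleted"))

        if not ipsec and res.outage_at is None:
            res.outage_at = t
            res.events.append((t, "traffic-down"))

    res.still_red = red_since is not None
    return res


if __name__ == "__main__":
    # Healthy tunnel: the light is red between t=120 and t=270 but traffic never stops.
    healthy = simulate(ike_lifetime=120, ipsec_lifetime=300, rekey_margin=30, horizon=400)
    for t, name in healthy.events:
        print(f"t={t:4d}s  {name}")
    print("red windows (traffic still flowing):", healthy.red_windows)
    # Broken peer: Phase 1 cannot be rebuilt, so the red light is followed by an outage.
    broken = simulate(120, 300, 30, 400, peer_down_from=200)
    print("outage at:", broken.outage_at, "still red:", broken.still_red)
```

The healthy run reproduces the order of the four log entries in the article (Phase 1 expires, later Phase 1 and Phase 2 are renegotiated together, then the old Phase 2 SA is deleted). Running it with an IKE lifetime longer than the IPSec lifetime (for instance 600 and 300) shows that the red window still appears, just less often, whenever the Phase 1 SA happens to expire between two Phase 2 rekeys; the only run that should worry a practitioner is one where `outage_at` is set.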

See Also

For more information on this situation, with additional screenshots and an alternative explanation, see:

DotW: VPN IPSec Tunnel Status is Red

owner: akhan

Comments

Outstanding... It's a detailed document on VPN...

Can someone tell me where in the GUI, and with which CLI command, one can see the logs mentioned above?
I need to prove that this is what we encountered recently in order to provide a report to the client.

I actually found the answer online without calling in.  This is great.


Thanks for the article

@dbergin Relevant system logs are under Monitor > System; filter on the "vpn" subtype.


Here are some handy CLI commands for troubleshooting IPSEC tunnels.

Show VPN activity:
> show vpn flow
> show vpn ike-sa
> show vpn ipsec-sa

Clear/reset/show IKE gateway:
> clear vpn ike-sa gateway Cobra_IKE_Gateway
> test vpn ike-sa gateway Cobra_IKE_Gateway
> test vpn ipsec-sa tunnel Cobra_Tunnel:Cobra_ProxyID
> show vpn ike-sa

Show all vpn tunnels or single:
> show vpn tunnel all
> show vpn tunnel [name]

Clear VPN tunnels:
> clear vpn flow tunnel-id ?
> clear vpn flow tunnel-id 8
> clear vpn flow tunnel-id 9

Restart IKE SA:
> test vpn ike-sa gateway ConnectNET_VPN-B
> show vpn ike-sa gateway ConnectNET_VPN-B

Restart IPSEC SA:
> test vpn ipsec-sa tunnel ConnectNet_TunB:cnnctnet-B
> show vpn ipsec-sa tunnel ConnectNet_TunB:cnnctnet-B

Debug commands:
> debug dataplane packet-diag set log feature flow basic

Set Debug Filter:
> debug dataplane packet-diag set filter match source 1.1.6.30 destination 2.2.112.6
> debug dataplane packet-diag set filter match destination 2.2.112.6 source 1.1.6.3
> debug dataplane packet-diag set filter match destination 2.2.112.6 source 1.1.6.30
> debug dataplane packet-diag show setting

View Debug Logs:
> show counter global filter packet-filter yes delta yes

Test Routing:
> test routing fib-lookup
> test routing fib-lookup ip 2.2.112.6 virtual-router vr-1
> test routing fib-lookup ip 2.2.112.6 virtual-router vr-2
> ping source 1.1.6.30 host 2.2.112.6
> traceroute source 1.1.6.30 host 2.2.112.6

Show sessions for all traffic between peers:
> show session all filter source 1.1.6.30 destination 2.2.112.6
> show session id 2872810
> show session all filter source 1.1.6.30 destination 2.2.112.6
> show session id 2872809
> clear session id 2872809
> show session all filter source 1.1.6.30 destination 2.2.112.6
> clear session id 2872810
> show session all filter source 1.1.6.30 destination 2.2.112.6

> test vpn ike-sa

Tail the IKE Mgr log (other logs are available from the mp-log context):
> tail follow yes mp-log ikemgr.log