site-to-site VPN / no "IKE Info"


L3 Networker

Hey,

 

We have a couple of VPNs which have just been transitioned to the PA firewall. Under network > ipsec tunnels > the VPN status shows as up, but the "IKE info" shows as down, with no info. If I run: "show vpn ike-sa detail gateway" there is nothing listed.

 

If I run "test vpn ipsec-sa tunnel" it brings it up and shows:

 

IKE Phase1 SA:
Cookie: FFAFE29D66F1B89F:ECC8B630093A918E Init
State: Dying
Mode: Main
Authentication: PSK
Proposal: 3DES/SHA1/DH2
NAT: PEER
Message ID: 0, phase 2: 0
Phase 2 SA created : 1
Created: Jan.18 12:47:21, 1 minute 58 seconds ago
Expires: Jan.19 12:47:21

 

If I then run "clear vpn ipsec-sa tunnel" it reverts to the down state, and remains there until I re-run "test..."

 

My concern is that it shows state "Dying" and that at some point soon it will "die" and won't come back without my intervention.

 

Has anyone seen this, or can they please explain what this means and how to resolve?

 

Thanks,

Shannon

Accepted Solutions

Cyber Elite

@SARowe_NZ,

This is normal behavior depending on your tunnel setup. Here is a document that discusses what exactly is going on, but essentially your Phase 1 is down because it doesn't need to be up once Phase 2 is operational.

 

HERE

Perfect, thank you! Surprised those articles did not come up in my searches.

L1 Bithead

You will also reset the phases if you face an issue.
