07-16-2014 08:23 AM
Hello Infotech,
As per the default IKE configuration, the IKE phase-1 lifetime is 8 Hrs. So please make sure that traffic is passing through the tunnel; otherwise it would be down after the mentioned (8 Hrs) lifetime.
Thanks
07-16-2014 08:28 AM
So how am I supposed to check to see if traffic is passing through the tunnel? Also, I can't bring it back up no matter what I do.
07-16-2014 08:28 AM
Hello Infotech,
A similar parameter is also available for the IPsec crypto profile. The default value for phase-2 is 1 Hr. As you mentioned earlier, the tunnel was down after 8 Hrs. Could you please confirm whether both Phase-1 and Phase-2 were down or only Phase-2 went down?
Thanks
07-16-2014 08:31 AM
> show vpn ike-sa gateway
> show vpn flow
> show vpn flow tunnel-id x    << where x = id number from the above display
Try to bring it UP through the TEST VPN command as mentioned below:
> test vpn ike-sa gateway XXXXXX
> test vpn ipsec-sa tunnel XXXXXX
Thanks
07-16-2014 08:43 AM
It's up right now, so I will have to wait until it's down to verify this, though I have tried to bring it up with the test command and it fails to come up. But I believe phase 1 comes up but phase 2 fails, and I have never heard of phase 3.
07-16-2014 08:51 AM
Sorry, it was a typo, it should be Phase-2.
Thanks
07-16-2014 09:37 AM
I will try to bring it up with the test command, but in the past it has failed to bring it up.
07-16-2014 09:43 AM
Hello Infotech,
After applying the test command from the CLI, please verify the System logs from the GUI (Monitor > Logs > System). It should give you the reason behind the failure. Else, we have to verify ikemgr.log from the CLI (> less mp-log ike-mgr.log [Shift+G]).
Hope this helps.
Thanks
07-16-2014 11:16 AM
Here is the result of show vpn ike-sa gateway:
phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
--------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
5 66.94.196.108 Parkway_Gateway_ITV3 Init Main PSK/DH2/3DES/SHA1 Jul.16 13:12:10*Jul.16 13:12:31 v1 14 3 0
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
phase-2 SAs
GwID/client IP Peer-Address Gateway Name Role Algorithm SPI(in) SPI(out) MsgID ST Xt
--------------- ------------ ------------ ---- --------- ------- -------- ----- -- --
5 66.94.196.108 Parkway_Gateway_ITV3 Init / / / / 00000000 00000000 3EDA505E 5 5
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
Result of show vpn flow tunnel-id:
tunnel Parkway_IPSec_Tunnel5:DR_Network
id: 139
type: IPSec
gateway id: 5
local ip: 66.94.196.107
peer ip: 66.94.196.108
inner interface: tunnel.5
outer interface: ethernet1/3
state: inactive
session: 0
tunnel mtu: 1428
lifetime remain: N/A
monitor: off
monitor packets seen: 0
monitor packets reply: 0
en/decap context: 2716
local spi: 9C3025F2
remote spi: 07B3DE31
key type: auto key
protocol: ESP
auth algorithm: NOT ESTABLISHED
enc algorithm: NOT ESTABLISHED
proxy-id local ip: 10.135.100.0/24
proxy-id remote ip: 10.135.11.0/25
proxy-id protocol: 0
proxy-id local port: 0
proxy-id remote port: 0
anti replay check: yes
copy tos: no
authentication errors: 0
decryption errors: 0
inner packet warnings: 0
replay packets: 0
packets received
when lifetime expired: 0
when lifesize expired: 0
sending sequence: 577416
receive sequence: 543151
encap packets: 17134359
decap packets: 15948658
encap bytes: 2685487256
decap bytes: 10989573876
key acquire requests: 129710
I ran the test command and it did not bring the tunnel back up.
07-16-2014 11:18 AM
The command to verify ike-mgr.log from the CLI (> less mp-log ike-mgr.com [Shift+G]) did not work; I got invalid syntax.
07-16-2014 12:06 PM
Hello Infotech,
Open a new CLI session and run > tail follow yes mp-log ikemgr.log. At the same time, try the TEST VPN command from another window (to forcefully initiate the VPN tunnel).
Thanks
07-16-2014 12:37 PM
These are the results:
2014-07-16 14:36:04 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xDCA8EE4B <====
2014-07-16 14:36:04 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=3fd430494385e0f5 1df66859af85187f (size=16).
2014-07-16 14:36:05 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:3fd430494385e0f5:1df66859af85187f <====
2014-07-16 14:36:13 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:0e8b02a666f3d3b1:cedef558e2c21a7e <====
2014-07-16 14:36:14 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:2931850b7ade2be4:b5eeafc08a33ee7b <====
2014-07-16 14:36:15 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:3fd430494385e0f5:1df66859af85187f <====
07-17-2014 02:11 AM
What type of firewall is the peer device?
The message above indicates that the IPsec settings are not matching on the firewalls. What IPsec profile are you using on your local system, and what is the configuration of the remote host?
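The log excerpt and the `show vpn flow` output above carry everything needed to tell a phase-2 proposal mismatch apart from a lifetime or proxy-ID problem. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses the text of `show vpn flow tunnel-id <id>` and of `tail follow yes mp-log ikemgr.log` (the embedded samples are constructed from the outputs posted above) and maps the ISAKMP notify it finds to a cause. The notify type numbers and proto_id meanings come from RFC 2408 and RFC 2407 (type 14 NO-PROPOSAL-CHOSEN with proto_id=3 means the peer rejected the ESP proposal, i.e. the phase-2 settings); the function names and verdict strings are this example's own.

```python
"""Triage helper for a PAN-OS IPsec tunnel that will not come up.

Added example, not code from the thread or from Palo Alto Networks. Reads the
text of `show vpn flow tunnel-id <id>` and `tail follow yes mp-log ikemgr.log`
(the samples below are constructed from the outputs posted in the thread) and
maps what it finds to a likely cause. Function and verdict names are made up.
"""
import re

# ISAKMP notify message types (RFC 2408 section 3.14.1), the subset that
# decides most stuck-tunnel cases.
NO_PROPOSAL_CHOSEN = 14
INVALID_ID_INFORMATION = 18
AUTHENTICATION_FAILED = 24
# IPsec DOI protocol identifiers (RFC 2407 section 4.4.1): proto_id=1 is the
# ISAKMP SA itself (phase 1), proto_id=3 is ESP (phase 2).
PROTO_ISAKMP, PROTO_ESP = 1, 3

NOTIFY_RE = re.compile(
    r"notification message (\d+):([A-Z0-9-]+), doi=(\d+) proto_id=(\d+)")

# Constructed sample: the ikemgr.log lines posted in the thread.
SAMPLE_LOG = """\
2014-07-16 14:36:04 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xDCA8EE4B <====
2014-07-16 14:36:04 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=3fd430494385e0f5 1df66859af85187f (size=16).
2014-07-16 14:36:05 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
2014-07-16 14:36:13 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
2014-07-16 14:36:14 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
2014-07-16 14:36:15 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
"""

# Constructed sample: the relevant fields of the posted `show vpn flow` output.
SAMPLE_FLOW = """\
tunnel Parkway_IPSec_Tunnel5:DR_Network
id: 139
state: inactive
session: 0
auth algorithm: NOT ESTABLISHED
enc algorithm: NOT ESTABLISHED
proxy-id local ip: 10.135.100.0/24
proxy-id remote ip: 10.135.11.0/25
proxy-id protocol: 0
"""


def parse_ikemgr(text):
    """Count phase-1 expiries and phase-2 attempts; collect every ISAKMP notify."""
    events = {"phase1_expired": 0, "phase2_started": 0, "notifies": []}
    for line in text.splitlines():
        if "PHASE-1 SA LIFETIME EXPIRED" in line:
            events["phase1_expired"] += 1
        elif "PHASE-2 NEGOTIATION STARTED" in line:
            events["phase2_started"] += 1
        m = NOTIFY_RE.search(line)
        if m:
            events["notifies"].append({
                "type": int(m.group(1)), "name": m.group(2),
                "doi": int(m.group(3)), "proto_id": int(m.group(4))})
    return events


def parse_vpn_flow(text):
    """Turn the `key: value` lines of `show vpn flow tunnel-id` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def diagnose(log_text, flow_text):
    """Return {"verdict": ..., "detail": ...} for one tunnel."""
    events = parse_ikemgr(log_text)
    flow = parse_vpn_flow(flow_text)
    proxy = "%s <-> %s" % (flow.get("proxy-id local ip", "?"),
                           flow.get("proxy-id remote ip", "?"))
    sa_missing = (flow.get("state") == "inactive"
                  and flow.get("auth algorithm") == "NOT ESTABLISHED")

    # A notify from the peer is the most specific evidence, so it wins.
    for n in events["notifies"]:
        if n["type"] == NO_PROPOSAL_CHOSEN and n["proto_id"] == PROTO_ISAKMP:
            return {"verdict": "phase1-proposal-mismatch",
                    "detail": "peer rejected the ISAKMP proposal: compare the "
                              "IKE crypto profile (DH group, cipher, hash, lifetime)"}
        if n["type"] == NO_PROPOSAL_CHOSEN and n["proto_id"] == PROTO_ESP:
            return {"verdict": "phase2-proposal-mismatch",
                    "detail": "peer rejected the ESP proposal: compare the IPsec "
                              "crypto profile (ESP cipher/auth, PFS group, "
                              "lifetime) with the peer's transform set, and the "
                              "proxy-IDs %s with the peer's crypto ACL" % proxy}
        if n["type"] == INVALID_ID_INFORMATION:
            return {"verdict": "proxy-id-mismatch",
                    "detail": "peer did not accept the identities %s" % proxy}
        if n["type"] == AUTHENTICATION_FAILED:
            return {"verdict": "phase1-auth-failed",
                    "detail": "check the pre-shared key and peer identifiers"}

    if sa_missing and events["phase1_expired"] and not events["phase2_started"]:
        return {"verdict": "phase1-expired-no-rekey",
                "detail": "phase 1 expired and no quick mode followed: verify "
                          "lifetimes and that traffic triggers renegotiation"}
    if sa_missing:
        return {"verdict": "no-ipsec-sa",
                "detail": "tunnel inactive with no ESP SA; run test vpn "
                          "ipsec-sa and re-read ikemgr.log"}
    return {"verdict": "no-fault-seen", "detail": "no failure indicator found"}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, SAMPLE_FLOW)
    print(result["verdict"])
    print(result["detail"])
```

Run against the posted samples it reports phase2-proposal-mismatch, which is the conclusion the reply above reaches by hand: phase 1 is fine (the PSK/DH2/3DES/SHA1 SA is established), the ESP proposal is what the peer refuses. The PHASE-1 SA LIFETIME EXPIRED lines that follow are a consequence of the failed quick mode, not the cause, which is why a notify from the peer is ranked above the lifetime check.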
07-17-2014 05:56 AM
The peer is a Cisco 5505, and I have checked, rechecked, and changed the settings to make them match, and it always does the exact same thing no matter what the settings are.