05-10-2019 09:37 AM
Seems Phase 2 is down and the system log shows the below log again and again:
and ( description contains 'IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 198.160.x.x[500]-173.182.x.x[500] message id:0xF55F380F. Due to negotiation timeout.' )
I do not have access to the device 173.182.x.x.
When I run the below command I s
show vpn ike-sa
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
14 173.182.x.x CoC_13 Resp Main PSK/DH14/A256/SHA1 May.10 10:29:52 May.10 11:29:52 v1 13 2 0
Show IKEv1 IKE SA: Total 6 gateways found. 5 ike sa found.
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
CoC_13 105 CoC-YYC_13:YYC_13 14 Init / / / 00000000 00000000 7A838C53 5 4
Show IKEv1 phase2 SA: Total 6 gateways found. 9 ike sa found.
Show IKEv2 SA: Total 2 gateways found. 2 ike sa found.
Why is my PA the responder for Phase 1 and the initiator for Phase 2?
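The `show vpn ike-sa` output quoted above, parsed to pair each phase-2 SA with its phase-1 SA and flag the ones that never completed (an added example, not from the thread; it assumes the column layout shown above, that an all-zero SPI(in)/SPI(out) pair means the child SA was never established, and that the Algorithm column may span several tokens such as "/ / /"):

```python
# Constructed sample, built from the `show vpn ike-sa` output quoted in the thread.
SAMPLE = """\
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
14 173.182.x.x CoC_13 Resp Main PSK/DH14/A256/SHA1 May.10 10:29:52 May.10 11:29:52 v1 13 2 0
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
CoC_13 105 CoC-YYC_13:YYC_13 14 Init / / / 00000000 00000000 7A838C53 5 4
Show IKEv1 phase2 SA: Total 6 gateways found. 9 ike sa found.
"""

def parse_ike_sa(text):
    """Return ({gateway_name: phase1_row}, [phase2_rows]) from show vpn ike-sa output."""
    section, p1, p2 = None, {}, []
    for line in text.splitlines():
        t = line.split()
        if not t or line.startswith(("Show ", "---", "GwID", "Gateway Name")):
            continue  # summary lines and column headers
        if line.startswith("IKEv1 phase-1"):
            section = 1; continue
        if line.startswith("IKEv1 phase-2"):
            section = 2; continue
        if section == 1 and len(t) >= 14:
            # leading columns are fixed; Established .. Phase2 are fixed from the right,
            # so a multi-token Algorithm column cannot shift them
            p1[t[2]] = {"gwid": t[0], "peer": t[1], "role": t[3],
                        "established": f"{t[-8]} {t[-7]}", "expires": f"{t[-6]} {t[-5]}",
                        "phase2_count": int(t[-1])}
        elif section == 2 and len(t) >= 10:
            # Algorithm is "/ / /" while nothing has been agreed, so again read the
            # SPI/MsgID/ST/Xt columns from the right
            p2.append({"gw": t[0], "tunnel": t[2], "gwid": t[3], "role": t[4],
                       "spi_in": t[-5], "spi_out": t[-4], "msgid": t[-3],
                       "established": t[-5] != "00000000" and t[-4] != "00000000"})
    return p1, p2

def pending_phase2(text):
    """List phase-2 SAs that never got SPIs, with the roles of both phases for that gateway."""
    p1, p2 = parse_ike_sa(text)
    findings = []
    for sa in p2:
        gw = p1.get(sa["gw"], {})
        if not sa["established"]:
            findings.append({"gw": sa["gw"], "tunnel": sa["tunnel"], "peer": gw.get("peer"),
                             "p1_role": gw.get("role"), "p2_role": sa["role"],
                             "msgid": sa["msgid"], "p1_phase2_count": gw.get("phase2_count")})
    return findings

if __name__ == "__main__":
    for f in pending_phase2(SAMPLE):
        print(f)
```

For the thread's output this reports one pending tunnel on CoC_13: phase 1 is up with the PA as responder, while the phase 2 the PA is initiating has zero SPIs and the phase-1 row shows a Phase2 count of 0, which matches the "negotiation timeout" log line.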
05-12-2019 04:43 AM
@MP18 wrote: Why is my PA the responder for Phase 1 and the initiator for Phase 2?
Why not? 😛
For example, if you have only 1 phase 2 tunnel and a timeout of 8 hours in phase 1 and 1 hour for phase 2: at 2 am the other side establishes a connection, so phase 1 and 2 will be set up. At that time your PA is responder for phase 1 and 2. After exchanging some packets there is no longer a connection, so phase 2 will time out. Then, for example at 4 am, your side wants to connect to the remote network. As phase 2 already timed out, a new one needs to be created, but phase 1 is still up --> your PA is responder in phase 1 and initiator of phase 2.
05-12-2019 09:09 AM
We have 1 Proxy ID.
Also, Phase 1 and 2 timers are set to 3600 sec.
Both timers are the same.
05-12-2019 11:54 AM
What I wrote is also possible in this case, as the keys are renewed prior to expiration. So depending on the actual traffic in the tunnel you might end up with different roles for phase 1 and 2.
05-13-2019 09:38 AM
Many Thanks Again