Why PA is Responder for Phase 1 and Initiator for Phase 2

Cyber Elite


It seems Phase 2 is down and the system log shows the log below again and again:

 

and ( description contains 'IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: 198.160.x.x[500]-173.182.x.x[500] message id:0xF55F380F. Due to negotiation timeout.' )

 

I do not have access to the device 173.182.x.x.

When I run the command below, I see:

 

show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2

14 173.182.x.x CoC_13 Resp Main PSK/DH14/A256/SHA1 May.10 10:29:52 May.10 11:29:52 v1 13 2 0


Show IKEv1 IKE SA: Total 6 gateways found. 5 ike sa found.


IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --

CoC_13 105 CoC-YYC_13:YYC_13 14 Init / / / 00000000 00000000 7A838C53 5 4


Show IKEv1 phase2 SA: Total 6 gateways found. 9 ike sa found.

 

Show IKEv2 SA: Total 2 gateways found. 2 ike sa found.

 

Why is my PA responder for Phase 1 and initiator for Phase 2?

MP

All Replies
Cyber Elite


@MP18 wrote:

Why is my PA responder for Phase 1 and initiator for Phase 2?


Why not? :P

 

  • How many proxy IDs do you have configured on that tunnel?
  • What timeouts do you have configured for phase 1 and 2?

 

For example, if you have only 1 phase 2 tunnel and a timeout of 8 hours in phase 1 and 1 hour for phase 2: at 2 am the other side establishes a connection, so phase 1 and 2 will be set up. At that time your PA is responder for phase 1 and 2. After exchanging some packets there is no longer a connection, so phase 2 will time out. Then, for example, at 4 am your side wants to connect to the remote network. As phase 2 has already timed out, a new one needs to be created, but phase 1 is still up. --> your PA is responder in phase 1 and initiator of phase 2.

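The timing argument above, as an added example that is not part of the original thread: a small model in which a phase 2 SA is negotiated only when a side has traffic and no live SA exists, and the side with the traffic becomes the initiator. It assumes SAs simply expire at the end of their lifetime (no early rekey) and uses the 8 h / 1 h lifetimes and the 02:00 / 04:00 events from the answer.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOCAL, REMOTE = "local", "remote"


@dataclass
class Sa:
    initiator: str   # side that started the negotiation for this SA
    expires: float   # absolute time in hours at which the lifetime ends


@dataclass
class Tunnel:
    p1_lifetime: float            # phase 1 (IKE SA) lifetime in hours
    p2_lifetime: float            # phase 2 (IPsec SA) lifetime in hours
    p1: Optional[Sa] = None
    p2: Optional[Sa] = None
    history: List[Tuple[float, str, Tuple[str, str]]] = field(default_factory=list)

    @staticmethod
    def role(sa: Sa) -> str:
        # Role as shown by "show vpn ike-sa": Init if we started it, else Resp
        return "Init" if sa.initiator == LOCAL else "Resp"

    def traffic(self, side: str, t: float) -> Tuple[str, str]:
        """Side `side` has traffic for the tunnel at time t (hours).
        Returns the local (phase1_role, phase2_role) after the event."""
        # Assumption of this model: an SA past its lifetime is simply gone.
        if self.p1 and self.p1.expires <= t:
            self.p1 = None
        if self.p2 and self.p2.expires <= t:
            self.p2 = None
        if self.p2 is None:
            # No usable phase 2: the side with traffic negotiates quick mode,
            # first bringing up phase 1 only if that one is gone as well.
            if self.p1 is None:
                self.p1 = Sa(side, t + self.p1_lifetime)
            self.p2 = Sa(side, t + self.p2_lifetime)
        roles = (self.role(self.p1), self.role(self.p2))
        self.history.append((t, side, roles))
        return roles


def accepted_solution_scenario() -> List[Tuple[float, str, Tuple[str, str]]]:
    """Replays the 8 h / 1 h example: remote connects at 02:00, local at 04:00."""
    tun = Tunnel(p1_lifetime=8, p2_lifetime=1)
    tun.traffic(REMOTE, 2.0)   # 02:00: other side connects, PA is Resp/Resp
    tun.traffic(REMOTE, 2.2)   # some packets, same SAs still live
    tun.traffic(LOCAL, 4.0)    # 04:00: phase 2 expired, phase 1 still up
    return tun.history
```
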

Cyber Elite

We have 1 Proxy ID.

Also Phase 1 and 2 Timers are set to 3600 sec.

Both timers are the same.
MP
Cyber Elite

What I wrote is also possible in this case, as the keys are renewed prior to expiration. So depending on the actual traffic in the tunnel you might end up with different roles for phase 1 and 2.


Cyber Elite

Many Thanks Again

MP