topic Re: VPN tunnel in Phase-1 in Firewall and Security Management

VPN tunnel in Phase-1

ikafka — Fri, 17 Nov 2023 18:20:05 GMT

Hi,

After upgrading the central firewall to R81.10, the tunnel stays in phase-1. There is status information below.
In some places, it is written that I need to create traffic. Does anyone have any information?

Central FW: version R81.10 Hotfix: 110. Cluster

Branch FW: 1530 appliance, version: R80.20.30

VPN tunnel monitor log:

Tunnel centralfw<=> sideA State Up - Phase1 Community sideAVPNSite Type Regular From sideA To centralfw State Up - Phase1 Peer IP X.X.X.14 Next Hop IP N/A Interface N/A Source IP N/A Link Priority Primary Prob State N/A Peer Type Regular UDP Encapsulation None MEP participants

Thanks for your replying.

Re: VPN tunnel in Phase-1

the_rock — Fri, 17 Nov 2023 19:06:37 GMT

Is this configured as permanent tunnel?

Andy

Re: VPN tunnel in Phase-1

ikafka — Fri, 17 Nov 2023 19:36:06 GMT

Hi,

My problem has solved. I checked all VPN comunity configuration. I see sideA WAN IP address is wrong. when change it true IP address tunnel is connected and status up.

Re: VPN tunnel in Phase-1

the_rock — Fri, 17 Nov 2023 19:37:19 GMT

Good job!

Re: VPN tunnel in Phase-1

just13pro — Sat, 18 Nov 2023 01:39:20 GMT

Kind of strange, after upgrade it is not working.

But after your checking, found out to be wrong configuration?

Re: VPN tunnel in Phase-1

ikafka — Sun, 19 Nov 2023 09:49:17 GMT

Hi @just13pro

Yeah, that is strange. I wrote that it was solved briefly due to workload. I will now give a detailed explanation.

2 months ago, we made an ip change in the region where we used the 1530 series device. After this change, 1530 was reconnected to the central management according to the new WAN IP address (with SIC.)

After so much time passed, we realized that there was no ping from the center to the sideA. that not only ping but also IP phone etc. nothing works.

When I checked, I saw that it was so, but ping is coming from sideA. When I looked at the logs, I saw these logs.

@;65686661;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=1 10.99.5.20:2048 -> 172.16.0.10:16972 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;

When I monitored the tunnel, I saw the above output (tunnel monitoring output). I realized that the tunnel was one-way UP. Then it occurred to me to check the community settings. (I think this was the first thing I should have done. sometimes this happens unfortunately. ) There was no problem with the community settings. When I looked at the 1530 firewall object, I realized that the WAN IP address was different. After changing the WAN IP address to the current one, the tunnel was up.

I don't understand how the tunnel worked for so long and ping, IP phone continued to work. As a result, the process worked like this. as a result, it is a fact that there is a STRANGE situation. or if there is an explanation, if anybody writes and enlightens this situation, I will learn something.

Thanks..