topic VPN logs in Firewall and Security Management

VPN logs

Moudar — Sun, 01 Dec 2024 15:06:10 GMT

When logs from a specific VPN community look like this:

All logs are "key install" what i know is that key installation happens as configured on the advanced settings of the community:

Phase 1: 240 mins

Phase2: 3600 seconds

So why it is happening all the time?

What does that mean, a customer is complaining that they are loosing connection !

How to troubleshoot this problem?

Re: VPN logs

AmirArama — Sun, 01 Dec 2024 16:32:06 GMT

Start with reading the data inside those logs, see if they are good events, or errors / failures.

Re: VPN logs

the_rock — Sun, 01 Dec 2024 17:24:13 GMT

Hey bro,

Can we please see the whole log? Just blur out any sensitive data.

Andy

Re: VPN logs

Moudar — Mon, 02 Dec 2024 07:53:48 GMT

All logs are same:

Re: VPN logs

the_rock — Mon, 02 Dec 2024 12:30:04 GMT

Thank you! So quick mode would be phase 2 issue...can they verify all the settings do indeed match?

Andy

Re: VPN logs

Moudar — Mon, 02 Dec 2024 13:16:51 GMT

So in normal cases, how often should we see "key install" log other than the 240 and 3600 defaults?

Re: VPN logs

the_rock — Mon, 02 Dec 2024 13:18:51 GMT

I know defaults are 1 day for phase 1 and 1 hour for phase 2.

Andy

Re: VPN logs

Moudar — Mon, 02 Dec 2024 13:28:52 GMT

Under normal circumstances, how often should we see "key install" logs apart from the 240 and 3600 defaults? I mean, how frequently do these logs typically appear?

The tunnel is up so phase 2 is OK i think!

Re: VPN logs

Lesley — Mon, 02 Dec 2024 14:01:48 GMT

Is there an outage during or before/ after the key install time stamp? From my point of view it looks like you are receiving key install. This could be an indication that the issue should be check on the other side of the tunnel. To proof this theory a vpn debug in ikeview would help

Re: VPN logs

Moudar — Mon, 02 Dec 2024 14:09:01 GMT

Yes, customer is experience an outage.

I am trying to download the Ikeview but website is down!?

any other link to get Ikeview?

Re: VPN logs

the_rock — Mon, 02 Dec 2024 14:09:57 GMT

I just tried, worked for me.

Andy

Re: VPN logs

Moudar — Mon, 02 Dec 2024 14:16:53 GMT

it works now!

On my gateway i have iked0.elg, iked1.elg and iked2.elg

there is no ike.elg and ikev2.xmll !

which one should be used in ikeview?

Re: VPN logs

the_rock — Mon, 02 Dec 2024 14:20:44 GMT

Either of those should work.

Re: VPN logs

Lesley — Mon, 02 Dec 2024 14:30:10 GMT

Have you enabled vpn debug truncon for debug start? Reproduce issue and turn off vpn debug truncoff

files rotate on their own no need to delete them. Copy them and load them in ikeview.

if you see remote peer ip in ikeview you are on the right track

Re: VPN logs

Moudar — Mon, 02 Dec 2024 14:34:06 GMT

the command: vpn debug truncon, can it focus on specific community or it only debugs all S2S VPN?

Re: VPN logs

the_rock — Mon, 02 Dec 2024 14:44:09 GMT

I dont believe it can be done for specific community.

Re: VPN logs

Moudar — Mon, 02 Dec 2024 14:54:05 GMT

I can now see this kind of log:

and it is coming very often with different SPI

Re: VPN logs

the_rock — Mon, 02 Dec 2024 15:04:13 GMT

I would definitely examine phase 2 settings, because thats what those messages relate to.

Andy

Re: VPN logs

Lesley — Mon, 02 Dec 2024 15:29:06 GMT

Try under vpn comm to change to per gateway or per subnet change between them to see if there is improvement

Re: VPN logs

Moudar — Mon, 02 Dec 2024 15:58:33 GMT

I have now changed it to "per Gateway" and my gateway started to "key install" on the other side gateway, i will keep an eye on it and back tomorrow with some insights. We have many subnets behind every gateway so maybe this is a better choice.