Sangeeth_N
Nickel

Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx


Hi

 

I am trying to establish a VPN with an interoperable device [Sophos]. As checked, all the VPN parameters are matching.

The VPN itself is not getting established, and I am able to find the below-mentioned log in SmartLog:

Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx; Cookies: xxxxxxxxxxxxxxxxxxxxxxxxxxx

Any idea regarding why this issue occurred?

 

 


Re: Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx


You should be able to find the cause of the issue with vpn debug ikeon (turn it off with vpn debug ikeoff), then open the relevant file (ike.elg) with Check Point IKEView and see if there is any kind of problem regarding Phase 2.

Sangeeth_N
Nickel

Re: Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx


Hi @Marco_Valenti

I am only able to find Phase 1 info, as below:
Sangeeth_N
Nickel

Re: Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx


ike.JPG

I am only able to find Phase 1 info. I couldn't find any Phase 2 related info in the ike.elg file.

Re: Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx


Try to generate some traffic. If you can't get a Phase 2 established, check the encryption domain for both gateways involved and the VPN community, and verify there are no NAT rules that match this kind of traffic if there is no need for NAT.


Re: Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx


Please click the "+" sign next to "P1" and post another screenshot so we can see how far you are getting in Phase 1.  If Phase 1 is completely succeeding but is immediately followed by a "Delete SA" notification, check the Phase 1 and Phase 2 SA Lifetime timers and make sure they match exactly on both sides.  Note that the Phase 1 timer is expressed in minutes on the Check Point and the Phase 2 timer is expressed in seconds, while most other vendors express both values in seconds.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
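
An added example, not part of the original thread: a check for the unit mismatch described in the reply above. It normalises the Check Point Phase 1 value from minutes to seconds before comparing it with a peer that stores both lifetimes in seconds, and flags the case where the same number was typed on both sides without conversion. The class, function names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SECONDS_PER_UNIT = {"seconds": 1, "minutes": 60}


@dataclass(frozen=True)
class Lifetimes:
    """SA lifetimes exactly as typed into one gateway's configuration."""
    phase1: int
    phase2: int
    phase1_unit: str = "seconds"
    phase2_unit: str = "seconds"


def to_seconds(value: int, unit: str) -> int:
    if unit not in SECONDS_PER_UNIT:
        raise ValueError(f"unknown unit: {unit!r}")
    if value <= 0:
        raise ValueError(f"lifetime must be positive, got {value}")
    return value * SECONDS_PER_UNIT[unit]


def compare_lifetimes(local: Lifetimes, peer: Lifetimes) -> list[str]:
    """Return one finding per phase whose lifetimes differ once normalised."""
    findings = []
    for phase in ("phase1", "phase2"):
        l_raw, p_raw = getattr(local, phase), getattr(peer, phase)
        l_unit = getattr(local, f"{phase}_unit")
        p_unit = getattr(peer, f"{phase}_unit")
        l_sec, p_sec = to_seconds(l_raw, l_unit), to_seconds(p_raw, p_unit)
        if l_sec == p_sec:
            continue
        msg = f"{phase}: local {l_sec}s != peer {p_sec}s"
        if l_raw == p_raw and l_unit != p_unit:
            # Same digits on both sides, different units: copied unconverted.
            msg += f" (both sides show {l_raw}, but {l_unit} vs {p_unit})"
        findings.append(msg)
    return findings


# Constructed sample values, not taken from the thread.
CHECK_POINT = Lifetimes(phase1=1440, phase2=3600, phase1_unit="minutes")
PEER_COPIED = Lifetimes(phase1=1440, phase2=3600)   # 1440 typed as seconds
PEER_FIXED = Lifetimes(phase1=86400, phase2=3600)   # 1440 min * 60

if __name__ == "__main__":
    print(compare_lifetimes(CHECK_POINT, PEER_COPIED))
    print(compare_lifetimes(CHECK_POINT, PEER_FIXED))
```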
Sangeeth_N
Nickel

Re: Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx


Hi @Timothy_Hall 

Please find the screenshot as below:

ike.JPG


Re: Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx


You made it all the way through IKE Phase 1 as I suspected, then the Delete SA happened immediately after.   Your SA Lifetime timers for Phase 1 and/or Phase 2 do not match, check them on both sides.

 
