I have seen similar issues in R80.20, R80.30 and R80.40.
I started to monitor VPN connectivity via SNMP following sk63663.
The SNMP response should return an integer, whose value has the following meanings:
- 3 = VPN tunnel is active
- 4 = VPN tunnel is destroyed
- 129 = VPN tunnel is idle
- 130 = VPN tunnel is in Phase1
- 131 = VPN tunnel is down
- 132 = VPN tunnel is initializing
Right now I think it is due to timing issues with IKE and IPSEC rekeys.
Recommended settings are
IKE Rekey: 1440 (24 hours)
IPSEC rekey: 3600 seconds (1 hour)
So right now I am adjusting all my 3rd-party site-to-site connections to comply with this recommendation, and I keep monitoring the tunnel state and then the ping to a remote IP in the encryption domain.
As an emergency, if I cannot get a VPN back online because of the following conditions:
While running vpn tu tlist -p <remote peer> it says there is an IPSEC SA, but I still cannot ping a remote IP inside the encryption domain.
Next I would check vpn tu using the CLI VPN tunnel client and check whether IKE or IPSEC has an active tunnel.
Next I would do a tcpdump -penni any host <remote peer> to check if any traffic flows between the public IP and the remote peer's public IP.
As a last resort I would try clearing the VPN connection tables. Please note! It will drop all VPN tunnels, both S2S and VPN clients.
- fw tab -t orig_route_params -x -y
- vpn tu del all
If one clears the VPN connection table, one also needs to clear the VPN tunnels afterwards.
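As an added example (not from the original post and not Check Point code), here is a small Python evaluator for the polled state integers listed above: it tolerates the transient Phase1/initializing states for a grace period so that normal IKE/IPsec rekeys do not alert, flags the "SA active but no ping" case described in the post, and counts flaps. The Sample record, the 120-second grace period and the choice of which states alert are assumptions.

```python
from dataclasses import dataclass

# Tunnel state integers from the SNMP poll, as listed in the post.
STATES = {3: "active", 4: "destroyed", 129: "idle", 130: "phase1",
          131: "down", 132: "initializing"}
TRANSIENT = {130, 132}   # normal for a short time around IKE/IPsec rekeys
ALERT = {4, 131}         # destroyed / down: alert at once
# Assumptions: idle (129) is not flagged (no traffic is not a fault),
# and a transient state is tolerated for GRACE_SEC before it alerts.
GRACE_SEC = 120

@dataclass
class Sample:
    ts: int        # poll time in epoch seconds (constructed samples in tests)
    peer: str      # remote peer identifier
    state: int     # integer returned by the SNMP poll
    ping_ok: bool  # ping to a host inside the remote encryption domain

def evaluate(samples, grace=GRACE_SEC):
    """Return {peer: [findings]} judged at the newest poll of every peer."""
    by_peer = {}
    for s in sorted(samples, key=lambda s: s.ts):
        by_peer.setdefault(s.peer, []).append(s)
    findings = {}
    for peer, hist in by_peer.items():
        out, last = [], hist[-1]
        # Case from the post: SA reported, but encryption domain unreachable.
        if last.state == 3 and not last.ping_ok:
            out.append("SA active but encryption domain unreachable")
        # Start of the current run of non-active polls, if any.
        since = None
        for s in hist:
            since = None if s.state == 3 else (since if since is not None else s.ts)
        if since is not None:
            dur = last.ts - since
            name = STATES.get(last.state, f"unknown({last.state})")
            if last.state in ALERT or last.state not in STATES:
                out.append(f"tunnel {name} for {dur}s")
            elif last.state in TRANSIENT and dur > grace:
                out.append(f"stuck in {name} for {dur}s")
        # Flapping: count active -> non-active transitions in the window.
        drops = sum(1 for a, b in zip(hist, hist[1:]) if a.state == 3 and b.state != 3)
        if drops >= 2:
            out.append(f"flapping: {drops} drops in window")
        findings[peer] = out
    return findings
```

Feed it the last few polls per peer (state integer plus a ping probe into the encryption domain) and alert on any non-empty finding list.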