Debon27
Explorer

VPN IKEv2 stuck in IKE_SA_INIT

Hi, we are facing an issue on an IPSEC tunnel (third party peer) which was working some days ago, but after some time it went down and now it is not even possible to establish phase1. I am seeing the following messages in the vpn.elg file:

[ikev2] Exchange::handleEvent: Exchange 43362 timed out
[ikev2] Exchange::terminate: Terminating the exchange (exchange 43362)
[ikev2] Exchange::terminate: Complete exchange (exchange 43362)
[ikev2] ikeInitialExchange_i::completeStart: invalid incomming message.
[ikev2] Exchange::setStatus: Status is already final (timeout (final)) and cannot be changed to error (final)..
[ikev2] Exchange::completeExchange: completeStart failed (-1).
[ikev2] Exchange::notifyObjsUponTriggeredEvent: enter with event: 3
[ikev2] Exchange::notifyObjsUponTriggeredEvent: None registered for this exchange
[ikev2] ikeOrder: refcount for 43361 increased to 2
[ikev2] ikeExchangeFlowHandler::exchangeCompleted: Exchange 'Initial for initiator' (id: 43362) has failed. status=timeout (final), state=waiting for arriving message
[ikev2] ikeExchangeFlowHandler::exchangeCompleted: notify registered objects that the exchange failed
[ikev2] Exchange::notifyObjsUponTriggeredEvent: enter with event: 3
[ikev2] Exchange::notifyObjsUponTriggeredEvent: None registered for this exchange
[ikev2] ikeExchangeFlowHandler::exchangeCompleted: Unrecoverable error of exchange 'Initial for initiator'. will not continue (id: 43362)
[ikev2] vpn1IKEConfiguration::updateExchCache: schedule to remove peer entry from cache in 120 secs.

After capturing traffic with tcpdump, I can see Initiator Request and Responder Response packets continuously, but it looks like the Gateway is ignoring the peer response packets for some reason, and giving a timeout because it is not receiving the message it expects. Any idea about what could be bringing this issue? Thanks.

0 Kudos
1 Reply
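As an added triage aid (not part of the original post, and not a Check Point tool), the script below parses vpn.elg-style lines like the ones quoted above and reports, per exchange id, whether the initial exchange timed out while "waiting for arriving message" and whether an "invalid incomming message" was logged for it. The sample log is constructed from the message shapes in the post; exchange id 43370 is invented for contrast. Running it over a real vpn.elg lets you confirm that every IKE_SA_INIT attempt follows the same timeout pattern before digging into the packet-level view.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the vpn.elg lines quoted in the post.
# Exchange 43362 mirrors the post; exchange 43370 is an invented second attempt.
SAMPLE_LOG = """\
[ikev2] Exchange::handleEvent: Exchange 43362 timed out
[ikev2] Exchange::terminate: Terminating the exchange (exchange 43362)
[ikev2] ikeInitialExchange_i::completeStart: invalid incomming message.
[ikev2] ikeExchangeFlowHandler::exchangeCompleted: Exchange 'Initial for initiator' (id: 43362) has failed. status=timeout (final), state=waiting for arriving message
[ikev2] ikeExchangeFlowHandler::exchangeCompleted: Unrecoverable error of exchange 'Initial for initiator'. will not continue (id: 43362)
[ikev2] vpn1IKEConfiguration::updateExchCache: schedule to remove peer entry from cache in 120 secs.
[ikev2] Exchange::handleEvent: Exchange 43370 timed out
[ikev2] ikeExchangeFlowHandler::exchangeCompleted: Exchange 'Initial for initiator' (id: 43370) has failed. status=timeout (final), state=waiting for arriving message
"""

# Patterns derived from the quoted log lines (assumed stable; adjust for other releases).
TIMEOUT_RE = re.compile(r"Exchange (\d+) timed out")
EXCH_ID_RE = re.compile(r"\(exchange (\d+)\)")
FAILED_RE = re.compile(
    r"Exchange '([^']+)' \(id: (\d+)\) has failed\. status=([^,]+), state=(.+)$"
)
# The gateway's own spelling is "incomming"; accept both spellings.
INVALID_RE = re.compile(r"completeStart: invalid incomm?ing message")


def summarize_exchanges(log_text):
    """Return {exchange_id: details} built from vpn.elg-style lines.

    details: timeouts (count), name, status, state, invalid_message (bool).
    """
    summary = defaultdict(lambda: {
        "timeouts": 0, "name": None, "status": None,
        "state": None, "invalid_message": False,
    })
    last_id = None  # most recent exchange id seen, for lines that carry none
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            last_id = m.group(1)
            summary[last_id]["timeouts"] += 1
            continue
        m = EXCH_ID_RE.search(line)
        if m:
            last_id = m.group(1)
        m = FAILED_RE.search(line)
        if m:
            name, exch_id, status, state = m.groups()
            entry = summary[exch_id]
            entry["name"], entry["status"], entry["state"] = name, status, state
            last_id = exch_id
            continue
        if INVALID_RE.search(line) and last_id is not None:
            summary[last_id]["invalid_message"] = True
    return dict(summary)


def stuck_in_ike_sa_init(summary):
    """Ids whose initial (IKE_SA_INIT) exchange timed out waiting for the peer's reply."""
    return sorted(
        eid for eid, e in summary.items()
        if e["name"] == "Initial for initiator"
        and (e["status"] or "").startswith("timeout")
        and e["state"] == "waiting for arriving message"
    )


if __name__ == "__main__":
    s = summarize_exchanges(SAMPLE_LOG)
    for eid in stuck_in_ike_sa_init(s):
        e = s[eid]
        print(f"exchange {eid}: {e['timeouts']} timeout(s), "
              f"invalid_message={e['invalid_message']}")
```

Feed a real file with `summarize_exchanges(open("vpn.elg").read())`. If every id comes back from `stuck_in_ike_sa_init` with `invalid_message=True`, the gateway is consistently rejecting what the peer sends in IKE_SA_INIT rather than never receiving it, which is the distinction the packet capture alone cannot make.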
Timothy_Hall
Champion

Code level and JHFA?

Unfortunately stability issues with IKEv2 in interoperable scenarios are pretty common, but there have been a large number of fixes in the recent releases and Jumbo HFAs. You will need to enable IKE debugging and view the IKEv2 packets in ikeview to have any hope of figuring out what is going on.

sk30994: What is the IKEView utility?

sk34467: Debugging Site-to-Site VPN

Can you fall back to IKEv1?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
