This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Debon27
Explorer
‎2021-06-29 02:43 PM

VPN IKEv2 stuck in IKE_SA_INIT

Hi, we are facing an issue on an IPSEC tunnel (third party peer) which was working some days ago, but after some time it went down and now it is not even possible to establish phase1. I am seeing the following messages in the vpn.elg file:

[ikev2] Exchange::handleEvent: Exchange 43362 timed out
[ikev2] Exchange::terminate: Terminating the exchange (exchange 43362)
[ikev2] Exchange::terminate: Complete exchange (exchange 43362)
[ikev2] ikeInitialExchange_i::completeStart: invalid incomming message.
[ikev2] Exchange::setStatus: Status is already final (timeout (final)) and cannot be changed to error (final)..
[ikev2] Exchange::completeExchange: completeStart failed (-1).
[ikev2] Exchange::notifyObjsUponTriggeredEvent: enter with event: 3
[ikev2] Exchange::notifyObjsUponTriggeredEvent: None registered for this exchange
[ikev2] ikeOrder: refcount for 43361 increased to 2
[ikev2] ikeExchangeFlowHandler::exchangeCompleted: Exchange 'Initial for initiator' (id: 43362) has failed. status=timeout (final), state=waiting for arriving message
[ikev2] ikeExchangeFlowHandler::exchangeCompleted: notify registered objects that the exchange failed
[ikev2] Exchange::notifyObjsUponTriggeredEvent: enter with event: 3
[ikev2] Exchange::notifyObjsUponTriggeredEvent: None registered for this exchange
[ikev2] ikeExchangeFlowHandler::exchangeCompleted: Unrecoverable error of exchange 'Initial for initiator'. will not continue (id: 43362)
[ikev2] vpn1IKEConfiguration::updateExchCache: schedule to remove peer entry from cache in 120 secs.

After capturing traffic with tcpdump, I can see Initiator Request and Responder Response packats continuosly but it looks like the Gateway is ignoring the peer response packets for some reason, and giving a timeout because it is not receiving the message it expects. Any idea about what could be bringing this issue? Thanks.

0 Kudos
1 Reply
Timothy_Hall
Legend Legend
Legend
‎2021-06-30 07:31 AM

Code level and JHFA?

Unfortunately stability issues with IKEv2 in interoperable scenarios are pretty common, but there have been a large number of fixes in the recent releases and Jumbo HFAs.  You will need to enable IKE debugging and view the IKEv2 packets in ikeview to have any hope of figuring out what is going on.  

sk30994: What is the IKEView utility?

sk34467: Debugging Site-to-Site VPN

Can you fall back to IKEv1?

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top