VPN Tunnel Deletion

tsadhu · ‎2020-03-04

I have a VPN Tunnel to SA which I deleted by removing the gateway and the community. I also disabled the related firewall rules. I also deleted the IKE SA + IPsec SA using vpn tu and rechecked with vpn shell.

However there is a switch which was part of the SA encryption domain which is still of use for me.

I need to monitor the snmp for the switch. This snmp must go via a different snmp tunnel. So now in the firewall rule I have -

Src - SNMP tunnel encryption domain

Dst - Switch

VPN - SNMP tunnel

Services - Any

However, I am getting logs of packet dropped with IKE failure of the VPN peer gateway of the SA tunnel which has no element on the firewall. How can I resolve this?

PhoneBoy · ‎2020-03-05

Do you manage the other end of the VPN?
If not, did they remove the VPN configuration as well?

tsadhu · ‎2020-03-05

No, I do not manage the other end of the tunnel.

They asked me to remove the tunnel from the firewall as it was now redirected to another site. Their end of the tunnel is up but now the tunnel SA is with another site firewall.

Will it help if I stop advertising the routes from the SA site?

PhoneBoy · ‎2020-03-06

I would assume so, yes, especially if those routes are causing the traffic to be redirected to a VPN.
Why can't they remove the VPN configuration on the other end?

tsadhu · ‎2020-03-07

They cannot remove the configuration at the other end as it is being reused to create tunnel with another site which is nearer to original SA vpn site.

tsadhu · ‎2020-03-11

Hello,

Thank you for your help. Removing the routes resolved the issue.

Are you a member of CheckMates?

VPN Tunnel Deletion