Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Sangeeth_N
Contributor
Jump to solution

Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx

Hi

 

I am trying to establish a VPN with an interoperable device[Sophos]. As checked, all the VPN parameters are matching. 

The VPN itself is not getting established and I am able to find the below mentioned log in SmartLog :

Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx; Cookies: xxxxxxxxxxxxxxxxxxxxxxxxxxx

Any idea regarding why this issue  occurred.

 

 

0 Kudos
2 Solutions

Accepted Solutions
Timothy_Hall
Champion
Champion

You made it all the way through IKE Phase 1 as I suspected, then the Delete SA happened immediately after.   Your SA Lifetime timers for Phase 1 and/or Phase 2 do not match, check them on both sides.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
Timothy_Hall
Champion
Champion

All that means is that you sent an encrypted packet to your peer with an SPI it did not recognize because the tunnel associated with that particular SPI no longer exists on the peer end.  In response the peer sends your firewall a "Delete SA" telling your firewall to delete it on that end.  So the particular tunnel you tried to send to with a nonexistent SPI is "down", yes.  But when some interesting traffic arrives on either end the tunnel should come back up, unless the tunnel can only be initiated in one direction.  However Delete SAs don't really work right in an interoperable scenario, so your firewall's SmartView Monitor will show a VPN tunnel as "up" even though the peer thinks it is down.

Any time you set up a new VPN you need to ensure that either peer can successfully initiate a working tunnel from scratch.  Due to a subnets/Proxy-ID mismatch it is all too common that the VPN can only be successfully initialized in one direction.  So if the interesting traffic arrives at the side that is unable to initiate a working tunnel, the VPN will be down until the other side receives some interesting traffic and tries to bring it up from that end.  Once a tunnel is up and working it generally does not matter which side initiated it, the tunnel will be 2-way for purposes of passing traffic.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
9 Replies
Marco_Valenti
Advisor

you should be able to find the causing issue with vpn debug ikeon (turn it off with vpn debug ikeoff) and the opening relevant file (ike.elg) with checkpoint ikeview and see if there are any kind of problem regarding phase 2

0 Kudos
Sangeeth_N
Contributor

Hi  @Marco_Valenti 

 

I am only able to find phase1 info,  as below :

 
 
 
0 Kudos
Sangeeth_N
Contributor

ike.JPG

 

 

 

 

 

 

I am only able to find phase1 info. Couldn't find any phase2 related info from ike.elg file 

0 Kudos
Marco_Valenti
Advisor

Try to generate some traffic if you can' t have a phase 2 established check the encryption domain for both gateway involved and vpn community , verify there are no nat rule that match this kind of traffic if there are no need for nat

0 Kudos
Timothy_Hall
Champion
Champion

Please click the "+" sign next to "P1" and post another screenshot so we can see how far you are getting in Phase 1.  If Phase 1 is completely succeeding but is immediately followed by a "Delete SA" notification, check the Phase 1 and Phase 2 SA Lifetime timers and make sure they match exactly on both sides.  Note that the Phase 1 timer is expressed in minutes on the Check Point and the Phase 2 timer is expressed in seconds, while most other vendors express both values in seconds.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Sangeeth_N
Contributor

Hi @Timothy_Hall 

Please find the screenshot as below :

ike.JPG

0 Kudos
Timothy_Hall
Champion
Champion

You made it all the way through IKE Phase 1 as I suspected, then the Delete SA happened immediately after.   Your SA Lifetime timers for Phase 1 and/or Phase 2 do not match, check them on both sides.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Matlu
Advisor

Hello, @Timothy_Hall 

One question, please.

This type of logs that you can see in the SmartConsole, is an "evidence" that this VPN is "down"?

VPN1.png

The strange thing is that when I go to the DashBoard of "Tunnel & User Monitoring", I see this VPN up, as if it was working fine.

Cheers. 🙂

0 Kudos
Timothy_Hall
Champion
Champion

All that means is that you sent an encrypted packet to your peer with an SPI it did not recognize because the tunnel associated with that particular SPI no longer exists on the peer end.  In response the peer sends your firewall a "Delete SA" telling your firewall to delete it on that end.  So the particular tunnel you tried to send to with a nonexistent SPI is "down", yes.  But when some interesting traffic arrives on either end the tunnel should come back up, unless the tunnel can only be initiated in one direction.  However Delete SAs don't really work right in an interoperable scenario, so your firewall's SmartView Monitor will show a VPN tunnel as "up" even though the peer thinks it is down.

Any time you set up a new VPN you need to ensure that either peer can successfully initiate a working tunnel from scratch.  Due to a subnets/Proxy-ID mismatch it is all too common that the VPN can only be successfully initialized in one direction.  So if the interesting traffic arrives at the side that is unable to initiate a working tunnel, the VPN will be down until the other side receives some interesting traffic and tries to bring it up from that end.  Once a tunnel is up and working it generally does not matter which side initiated it, the tunnel will be 2-way for purposes of passing traffic.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events