Create a Post
Showing results for 
Search instead for 
Did you mean: 

IPSec VPN Tunnel Initiation

Good Afternoon/ Evening!

I have a two-part-er I hope is a 'simple one' for everyone!

We have a couple dozen 3rd Party/ Interop IPSec tunnels from customers that all terminate on my CP gateway cluster_R81.10 MGT / R80.40 GWs. Outside of the normal interop weirdness that pops up when building them or troubleshooting them from time to time, everything is solid.

We recently set up a new tunnel that was stuck in phase 1 and we were convinced that we were sending the ISAKMP /key install traffic and receiving no response (captures/ debugs, etc)  --  and the techs on the 3rd party side (Fortinet)  believed they were the ones sending the traffic and getting no response. It turned out to be an ISP network issue.

- But it got us wondering how to determine which side is actually the tunnel 'initiator' - or does this concept not really apply?

- And that ties into the second part -- if you are using Smart View to troubleshoot a tunnel that does not appear at all (because it is 'down) - OR, using the CLI and the < vpn tu > commands to troubleshoot, but there are no IKE/ IPSec SAs for the specific tunnel - Is there any manual intervention that can be taken?   You can't reset a tunnel that is not there -- and you can't delete any IKE/IPsec SAs that are not there. 


0 Kudos
3 Replies

Well, if tunnel is not initiating, doing a reset wont do anything. You can rung below debug and review ike.elg file

from gw expert mode ->

vpn debug trunc

vpn debug ikeon

generate traffic

vpn debug ikeoff

Check $FWDIR/log dir for ike.elg and vpnd* files


0 Kudos

We run those with all standard IPSec tunnel troubleshooting.  When we view the files we can see that our side is sending the phase 1 traffic - and that data corresponds to the packet captures that we run concurrently.



0 Kudos

Imho, the concept of initiator should not really apply when we are talking about ability to establish tunnel.

The de facto initiator is another matter, as it should be the client side.

In terms of what you can see in the logs before the tunnel is established, I'd look for any traffic between public IPs of your gateway and that of interoperable device. It may help to increase the granularity of logs to milliseconds (there is an sk for that).

If the first connection is an inbound one, it is them that initiate the traffic, if it is outbound, it's you.


0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events