T_L
Contributor

IPSec VPN Tunnel Initiation

Good Afternoon/Evening!

I have a two-part-er I hope is a 'simple one' for everyone!

We have a couple dozen 3rd-party/interop IPSec tunnels from customers that all terminate on my CP gateway cluster (R81.10 MGT / R80.40 GWs). Outside of the normal interop weirdness that pops up when building them or troubleshooting them from time to time, everything is solid.

We recently set up a new tunnel that was stuck in phase 1, and we were convinced that we were sending the ISAKMP/key install traffic and receiving no response (captures/debugs, etc.) -- and the techs on the 3rd-party side (Fortinet) believed they were the ones sending the traffic and getting no response. It turned out to be an ISP network issue.

- But it got us wondering how to determine which side is actually the tunnel 'initiator' - or does this concept not really apply?

- And that ties into the second part -- if you are using SmartView to troubleshoot a tunnel that does not appear at all (because it is 'down') - OR, using the CLI and the <vpn tu> commands to troubleshoot, but there are no IKE/IPSec SAs for the specific tunnel - is there any manual intervention that can be taken? You can't reset a tunnel that is not there -- and you can't delete any IKE/IPSec SAs that are not there.

Thanks!!
