IPSec VPN Tunnel Initiation

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

May the 4th (+4)
Navigating Paradigm Shifts in Cyber

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

Good Afternoon/ Evening!

I have a two-part-er I hope is a 'simple one' for everyone!

We have a couple dozen 3rd Party/ Interop IPSec tunnels from customers that all terminate on my CP gateway cluster_R81.10 MGT / R80.40 GWs. Outside of the normal interop weirdness that pops up when building them or troubleshooting them from time to time, everything is solid.

We recently set up a new tunnel that was stuck in phase 1 and we were convinced that we were sending the ISAKMP /key install traffic and receiving no response (captures/ debugs, etc) -- and the techs on the 3rd party side (Fortinet) believed they were the ones sending the traffic and getting no response. It turned out to be an ISP network issue.

- But it got us wondering how to determine which side is actually the tunnel 'initiator' - or does this concept not really apply?

- And that ties into the second part -- if you are using Smart View to troubleshoot a tunnel that does not appear at all (because it is 'down) - OR, using the CLI and the < vpn tu > commands to troubleshoot, but there are no IKE/ IPSec SAs for the specific tunnel - Is there any manual intervention that can be taken? You can't reset a tunnel that is not there -- and you can't delete any IKE/IPsec SAs that are not there.

Thanks!!