This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Sangeeth_N
Contributor
‎2019-08-22 09:48 PM

Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx

Jump to solution

Hi

 

I am trying to establish a VPN with an interoperable device[Sophos]. As checked, all the VPN parameters are matching. 

The VPN itself is not getting established and I am able to find the below mentioned log in SmartLog :

Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx; Cookies: xxxxxxxxxxxxxxxxxxxxxxxxxxx

Any idea regarding why this issue  occurred.

 

 

0 Kudos
Reply
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion
‎2019-08-26 04:28 AM
In response to Sangeeth_N

Jump to solution

You made it all the way through IKE Phase 1 as I suspected, then the Delete SA happened immediately after.   Your SA Lifetime timers for Phase 1 and/or Phase 2 do not match, check them on both sides.

 

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

0 Kudos
Reply
7 Replies
Marco_Valenti
Advisor
‎2019-08-23 12:07 AM

Jump to solution

you should be able to find the causing issue with vpn debug ikeon (turn it off with vpn debug ikeoff) and the opening relevant file (ike.elg) with checkpoint ikeview and see if there are any kind of problem regarding phase 2

0 Kudos
Reply
Sangeeth_N
Contributor
‎2019-08-23 12:32 AM
In response to Marco_Valenti

Jump to solution

Hi  @Marco_Valenti 

 

I am only able to find phase1 info,  as below :

 
 
 
0 Kudos
Reply
Sangeeth_N
Contributor
‎2019-08-23 12:35 AM
In response to Marco_Valenti

Jump to solution

ike.JPG

 

 

 

 

 

 

I am only able to find phase1 info. Couldn't find any phase2 related info from ike.elg file 

0 Kudos
Reply
Marco_Valenti
Advisor
‎2019-08-23 12:41 AM
In response to Sangeeth_N

Jump to solution

Try to generate some traffic if you can' t have a phase 2 established check the encryption domain for both gateway involved and vpn community , verify there are no nat rule that match this kind of traffic if there are no need for nat

0 Kudos
Reply
Timothy_Hall
Champion
Champion
‎2019-08-23 07:31 AM
In response to Sangeeth_N

Jump to solution

Please click the "+" sign next to "P1" and post another screenshot so we can see how far you are getting in Phase 1.  If Phase 1 is completely succeeding but is immediately followed by a "Delete SA" notification, check the Phase 1 and Phase 2 SA Lifetime timers and make sure they match exactly on both sides.  Note that the Phase 1 timer is expressed in minutes on the Check Point and the Phase 2 timer is expressed in seconds, while most other vendors express both values in seconds.

 

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Reply
Sangeeth_N
Contributor
‎2019-08-25 11:21 PM
In response to Timothy_Hall

Jump to solution

Hi @Timothy_Hall 

Please find the screenshot as below :

ike.JPG

0 Kudos
Reply
Timothy_Hall
Champion
Champion
‎2019-08-26 04:28 AM
In response to Sangeeth_N

Jump to solution

You made it all the way through IKE Phase 1 as I suspected, then the Delete SA happened immediately after.   Your SA Lifetime timers for Phase 1 and/or Phase 2 do not match, check them on both sides.

 

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

0 Kudos
Reply