SamiH
Contributor

Site2site tunnel reset from SmartView fails

Hi, since the 80.40 upgrade we haven't been able to reset tunnels from SmartView. I know I can do that from the vpn tu command, but the GUI is easier in most cases. The error message displayed is just "Smart Monitor: Tunnel resetting failed". Anyone else experiencing similar behaviour?

 

0 Kudos
14 Replies
PhoneBoy
Admin

Have you opened a TAC case on this?

0 Kudos
SamiH
Contributor

No, had two other issues after R80.40 upgrade that were more pressing. Our cluster failed first if the second node was brought up, but got that fixed. Not entirely sure about the root cause. Then one working tunnel stopped working altogether, some compatibility issue with Juniper interoperable device that started with R80.40. That is now under investigation.

0 Kudos
the_rock
Authority

I have not seen this personally in any version before. Are you using the latest SmartConsole version? Does it happen for every VPN tunnel?

0 Kudos
SamiH
Contributor

I downloaded the latest after upgrading to R80.40 and with every vpn tunnel, I believe. Didn't try all of them, since there are quite many, but randomly chosen ones.

0 Kudos
SamiH
Contributor

The version is SmartConsole Build 994000424, Version R80.40.

 

0 Kudos
the_rock
Authority

Can you send the screenshot of the error?

0 Kudos
maad-pul
Participant

Hi,

Which take are you running for 80.40? Can you verify if vpn tu actually works to reset the tunnel? Because I have a problem resetting VPN tunnels from vpn tu (tested both 5 & 7 for given peer) in R80.40 and TAC informed me to try SmartView Monitor. Which I haven't tried yet!

0 Kudos
the_rock
Authority

That's odd TAC would tell you that, because at least 5 TAC engineers I talked to in the past told me their recommendation is always to have customers reset the tunnel via vpn tu and not SV monitor. Personally, and I don't think this is really a secret, SV monitor has been known for a long time not to give the right info, and even doing a tunnel reset has been flaky, to say the least.

0 Kudos
SamiH
Contributor

Vpn tu resets the tunnel, I have been using that.

Actually just noticed, that mgmt is running just R80.40, gw's are running R80.40 take 120 (latest). Have to try to upgrade mgmt.

0 Kudos
the_rock
Authority

Honestly, that would personally be my next step. Make sure mgmt is updated to latest code/jumbo and also that you are using latest smart console build. 

0 Kudos
maad-pul
Participant

I will restart a VPN via SmartView Monitor in a couple of hours and see what happens.


Regarding the problem I have with vpn tu and restart/reset... When I list all IPSec SAs for a given peer (4), I got (No IPSec SAs). See below! When I do the "vpn tu tlist -p <IP OF THE PEER>" I got information about 4 IPSec SAs for the given peer, and MyTS/Peer TES and tunnel created/expiration show the correct information.

4

SAs of all instances:

Enter IP of peer (format: xxx.xxx.xxx.xxx): xxx.xxx.xxx.yyy

Peer xxx.xxx.xxx.yyy, NAME SAs:

IKE SA <cfdcc12bda9f10aa,28dec611e06edc4c>
(No IPSec SAs)

 

-------


(4) Site-to-Site tunnels are up:
IPSEC 4
NAT-T 0

0 Kudos
the_rock
Authority

Ok, so that output literally shows that something is wrong with phase 2 or it is not coming up at all. If it shows IKE stuff, that's all phase 1, but if it shows you that there are no IPSec SAs, that's a 100% sign that phase 2 is not coming up.

0 Kudos
maad-pul
Participant

It's up according to vpn tu tlist -p <IP OF THE PEER> and I have traffic in those IPSec SAs, but "vpn tu #4" doesn't show the correct information...

(No IPSec SAs)

0 Kudos
the_rock
Authority

Ok, I see what you mean... that's odd. Maybe confirm with TAC, because that does not seem normal at all, as option 4 should reflect the status of the tunnel.

0 Kudos