VPN logs

Moudar · ‎2024-12-01

Hi

When logs from a specific VPN community look like this:

All logs are "key install" what i know is that key installation happens as configured on the advanced settings of the community:

Phase 1: 240 mins

Phase2: 3600 seconds

So why it is happening all the time?

What does that mean, a customer is complaining that they are loosing connection !

How to troubleshoot this problem?

AmirArama · ‎2024-12-01

Start with reading the data inside those logs, see if they are good events, or errors / failures.

the_rock · ‎2024-12-01

Hey bro,

Can we please see the whole log? Just blur out any sensitive data.

Andy

Moudar · ‎2024-12-01

All logs are same:

the_rock · ‎2024-12-02

Thank you! So quick mode would be phase 2 issue...can they verify all the settings do indeed match?

Andy

Moudar · ‎2024-12-02

So in normal cases, how often should we see "key install" log other than the 240 and 3600 defaults?

the_rock · ‎2024-12-02

I know defaults are 1 day for phase 1 and 1 hour for phase 2.

Andy

Moudar · ‎2024-12-02

Under normal circumstances, how often should we see "key install" logs apart from the 240 and 3600 defaults? I mean, how frequently do these logs typically appear?

The tunnel is up so phase 2 is OK i think!

Lesley · ‎2024-12-02

Is there an outage during or before/ after the key install time stamp? From my point of view it looks like you are receiving key install. This could be an indication that the issue should be check on the other side of the tunnel. To proof this theory a vpn debug in ikeview would help

-------
If you like this post please give a thumbs up(kudo)! 🙂

Moudar · ‎2024-12-02

Yes, customer is experience an outage.

I am trying to download the Ikeview but website is down!?

any other link to get Ikeview?

the_rock · ‎2024-12-02

I just tried, worked for me.

Andy

Moudar · ‎2024-12-02

it works now!

On my gateway i have iked0.elg, iked1.elg and iked2.elg

there is no ike.elg and ikev2.xmll !

which one should be used in ikeview?

the_rock · ‎2024-12-02

Either of those should work.

Lesley · ‎2024-12-02

Have you enabled vpn debug truncon for debug start? Reproduce issue and turn off vpn debug truncoff

files rotate on their own no need to delete them. Copy them and load them in ikeview.

if you see remote peer ip in ikeview you are on the right track

-------
If you like this post please give a thumbs up(kudo)! 🙂

Moudar · ‎2024-12-02

the command: vpn debug truncon, can it focus on specific community or it only debugs all S2S VPN?

the_rock · ‎2024-12-02

I dont believe it can be done for specific community.

Moudar · ‎2024-12-02

I can now see this kind of log:

and it is coming very often with different SPI

the_rock · ‎2024-12-02

I would definitely examine phase 2 settings, because thats what those messages relate to.

Andy

Lesley · ‎2024-12-02

Try under vpn comm to change to per gateway or per subnet change between them to see if there is improvement

-------
If you like this post please give a thumbs up(kudo)! 🙂

Moudar · ‎2024-12-02

I have now changed it to "per Gateway" and my gateway started to "key install" on the other side gateway, i will keep an eye on it and back tomorrow with some insights. We have many subnets behind every gateway so maybe this is a better choice.

the_rock · ‎2024-12-02

Hey bro,

I always found that option useful for route based tunnels. Not sure if thats type of tunnel you have, but if it is, it will help, 100%.

Andy

Are you a member of CheckMates?

VPN logs