Blason_R
Advisor

IPsec Tunnel with AWS is having an issue

Hi team,

I have a 4800 HA pair and a tunnel built with AWS using VTI, running BGP over it. Every alternate day the tunnel stops working. I see the SAs are established and the BGP sessions are established; however, traffic flowing through the tunnel fails with the errors below.

The other day I found that deleting and re-adding the VTI interfaces resolved the issue. However, none of the remedies is working for the tunnel now; I even reset the tunnel a couple of times and bounced BGP, but no luck.

Any idea?

@;2092013252;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3200 -> xx.xx.32.124:61577 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013252;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:22 -> xx.xx.24.120:53455 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013252;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:22 -> xx.xx.24.120:53453 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013252;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:22 -> xx.xx.24.120:53452 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013252;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3300 -> xx.xx.21.54:53812 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013278;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:22 -> xx.xx.24.120:53454 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013278;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3200 -> xx.xx.24.26:49444 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013278;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3300 -> xx.xx.24.243:52899 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013296;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 xx.xx.24.12:445 -> xx.xx.xx.xx:38326 dropped by vpn_encrypt_chain Reason: Could not change connection vpn interface.;
@;2092013296;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:22 -> xx.xx.24.34:49433 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013297;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3200 -> xx.xx.32.150:58372 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013298;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3300 -> xx.xx.24.243:52899 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013300;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:22 -> xx.xx.24.120:53455 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013300;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3300 -> xx.xx.21.54:53812 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013322;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3300 -> xx.xx.24.243:52894 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013322;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3300 -> xx.xx.24.243:52893 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013323;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 xx.xx.24.82:2049 -> xx.xx.xx.xx:781 dropped by vpn_encrypt_chain Reason: Could not change connection vpn interface.;
@;2092013324;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 xx.xx.24.12:445 -> xx.xx.xx.xx:36060 dropped by vpn_encrypt_chain Reason: Could not change connection vpn interface.;
@;2092013340;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3300 -> xx.xx.5.180:44528 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013340;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3200 -> xx.xx.32.150:58372 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013343;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:22 -> xx.xx.24.120:53455 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013343;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3300 -> xx.xx.24.243:52899 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013344;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3300 -> xx.xx.24.243:52899 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013365;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:22 -> xx.xx.24.120:53456 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;

0 Kudos
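To triage drop lines of the kind quoted above (which chain and reason dominate, which firewall instance sees them, and whether the drops are on the decrypt or the encrypt side), here is a small parser for the fw_log_drop_ex format. It is an added example, not code from the post or from Check Point; the sample lines are copied in the post's masked format and the direction labelling is keyed only on the chain and reason strings shown in the post.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same fw_log_drop_ex format as the post (addresses masked with xx).
SAMPLE_LOG = """\
@;2092013252;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:3200 -> xx.xx.32.124:61577 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
@;2092013296;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 xx.xx.24.12:445 -> xx.xx.xx.xx:38326 dropped by vpn_encrypt_chain Reason: Could not change connection vpn interface.;
@;2092013300;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 xx.xx.xx.xx:22 -> xx.xx.24.120:53455 dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;
"""

# @;<timestamp>;[<cpu>];[<fw instance>];fw_log_drop_ex: Packet proto=<n> <src>:<sport> -> <dst>:<dport> dropped by <chain> Reason: <reason>;
DROP_RE = re.compile(
    r"^@;(?P<ts>\d+);\[(?P<cpu>[^\]]+)\];\[(?P<inst>[^\]]+)\];fw_log_drop_ex: "
    r"Packet proto=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) dropped by (?P<chain>\S+) Reason: (?P<reason>.*?);$"
)


def parse_drop(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one drop line, or None if the line is not a drop record."""
    m = DROP_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every drop record in a block of kernel debug output, skipping other lines."""
    return [rec for rec in (parse_drop(l) for l in text.splitlines()) if rec]


def direction(rec: Dict[str, str]) -> str:
    """Label a drop as decrypt-side (inbound) or encrypt-side (outbound) from its chain/reason."""
    if rec["chain"] == "vpn_encrypt_chain":
        return "outbound"
    if "decrypt" in rec["reason"]:
        return "inbound"
    return "unknown"


def summarize(records: List[Dict[str, str]]) -> Tuple[Counter, Counter, Counter]:
    """Count drops per (chain, reason), per firewall instance, and per direction."""
    by_reason = Counter((r["chain"], r["reason"]) for r in records)
    by_inst = Counter(r["inst"] for r in records)
    by_dir = Counter(direction(r) for r in records)
    return by_reason, by_inst, by_dir


if __name__ == "__main__":
    for c in summarize(parse_log(SAMPLE_LOG)):
        for key, n in c.most_common():
            print(n, key)
```

Feed it the output of the kernel debug capture instead of SAMPLE_LOG; if both directions show up, the failure is not confined to one side of the tunnel.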
3 Replies
mk1
Collaborator

Hello Blason,

We have many VPN tunnels with AWS and all of them work fine. Could you share more information about your setup? What is your Gaia version and your configuration of the VPN tunnels and VTI interfaces?

Thank you!

0 Kudos
Blason_R
Advisor

The appliances are 4800s running R80.30, with VTI tunnels to AWS and BGP running over them. Sometimes the tunnel works fine, then suddenly it just breaks and starts giving the above error. Then the only thing left is to delete the VTI interfaces and add them back.

0 Kudos
mk1
Collaborator

How did you configure your vpnt IPs? A separate IP per gateway and a VIP for the cluster, which is used for the BGP sessions?

How did you configure your encryption domains? With empty (dummy) groups, or do they contain the actual subnets which you also exchange via BGP?

Did you configure your policy rules with "Directional Match Condition"?

What about "VPN Tunnel Sharing"? We use "One VPN tunnel per Gateway pair".

0 Kudos