Continues from my previous post debugging ipsec with nat traversal.

Having trouble with 2 out of 6 ipsec tunnels, all were working previously. I have seen enmoc's blog post on debugging and tried to work through it. Comment - at each step, what does a good result look like?

We have a central FGT60C connecting via nat-t ipsec to 6 FGT60C remotes. The tunnels are interface based / routed and running ospf. All remote sites connect via 3G (the tunnel is our backup path to the remote sites; the 3G router is the NAT device). All tunnels are configured from the same template. We previously had an error with the NAT configuration which has been rectified at all remote sites (link above).

The central unit failed recently and was replaced. Subsequently 3 tunnels failed and have been continuously attempting to establish. One tunnel came up two nights ago and has been up since. I don't know of any event to explain why it came up. So we currently have 4 tunnels up and 2 tunnels down.

- PSK re-entered anyway (no reason to suspect this is the problem)
- confirmed traffic sent and received on UDP:500 and UDP:4500 both ends
- establishment traffic is constant (approx 1kbps in both directions for each of the down tunnels)
- packet capture shows most of the traffic is UDP:500 but there is some UDP:4500
- diag vpn ike gateway list shows both tunnels with approx zero age
- syslog shows that both tunnels do occasionally come up for 20 seconds at a time, at random intervals between 2 - 15 minutes apart

diag debug app ike -1 shows a message being sent from remote:500 to central:4500. This was not allowed in the NAT router config. I have now allowed this traffic.

Each attempt to establish the tunnel includes the following traffic:

Wan2 - remote.4500 -> central.4500: udp 96

This exchange lasts for 20 seconds and corresponds to the tunnel up syslog. Debug at both ends of a tunnel shows identical traffic (nothing is blocked anywhere). The central unit begins the exchange on 4500 but never replies again. The remote tries 4500 > 500 which also seems odd. I guess the fact that the central never replies on 4500 is important?

What should be my next step to fault find this issue, any suggestions please?

Testing on one particular tunnel, I have changed to ike v2 each end and also reset the tunnel at each end. Now I see a proposal match and some evidence of ph2 but no success overall.

Ike 0:central:central-p2: chosen to populate IKE_SA traffic-selectors
Ike 0:central: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
Ike 0:central:2967468: send RETRANSMIT_SA_INIT
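Added example (not from the post, nor Fortinet code): a small Python checker that reads sniffer-style lines in the form quoted above and flags the two NAT-T symptoms the post describes, the central side never sending from UDP 4500 and datagrams whose source and destination ports differ (500 -> 4500 or 4500 -> 500, the signature of a NAT device rewriting the IKE ports). The line layout and the host labels "remote" and "central" are assumed from the post; the capture itself is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the line form quoted in the post
# ("Wan2 - remote.4500 -> central.4500: udp 96"); it is not a real capture.
SAMPLE_CAPTURE = """\
Wan2 - remote.500 -> central.500: udp 296
Wan2 - central.500 -> remote.500: udp 312
Wan2 - remote.500 -> central.4500: udp 96
Wan2 - remote.4500 -> central.4500: udp 96
Wan2 - remote.4500 -> central.500: udp 96
Wan2 - remote.4500 -> central.4500: udp 96
"""

# interface - src.sport -> dst.dport: udp length
LINE_RE = re.compile(
    r"^\S+\s+-\s+(?P<src>\S+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)$"
)


def parse_capture(text):
    """Return (src, sport, dst, dport, length) tuples; non-matching lines are ignored."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"],
                          int(m["dport"]), int(m["length"])))
    return flows


def nat_t_findings(flows, central="central"):
    """Summarise NAT-T symptoms: datagram counts per direction/port pair,
    whether the central side ever sends from UDP 4500 (a healthy NAT-T
    exchange needs replies from there), and port-mismatched pairs such as
    4500 -> 500, which point at the NAT device rewriting ports."""
    counts = defaultdict(int)
    for src, sport, dst, dport, _ in flows:
        counts[(src, sport, dst, dport)] += 1
    replies = any(src == central and sport == 4500 for src, sport, *_ in flows)
    mismatched = sorted({(s, sp, d, dp) for s, sp, d, dp, _ in flows if sp != dp})
    return {"counts": dict(counts),
            "central_replies_on_4500": replies,
            "mismatched_port_pairs": mismatched}


if __name__ == "__main__":
    for key, value in nat_t_findings(parse_capture(SAMPLE_CAPTURE)).items():
        print(key, value)
```

Run it against the output of the packet capture on both firewalls: if the central side's own capture shows it never sends from 4500 while the remote's shows 500 -> 4500 arriving, the port rewrite is happening on the 3G NAT router rather than on either FortiGate.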