Help Center/ Huawei Qiankun CloudService/ More Documents/ Device Alarm Handling/ WAC&AP Alarms/ ALM-303046743 An IPSec tunnel is deleted
Updated on 2024-01-25 GMT+08:00
View PDF
Share

ALM-303046743 An IPSec tunnel is deleted

Description

IPSEC/4/IPSECTUNNELSTOP: OID [OID] The IPSec tunnel is deleted. (Ifindex=[Ifindex], SeqNum=[SeqNum],TunnelIndex=[TunnelIndex], RuleNum=[RuleNum], DstIP=[DstIP], InsideIP=[InsideIP], RemotePort=[RemotePort], CpuID=[CpuID], SrcIP=[SrcIP], FlowInfo=[FlowInfo], OfflineReason=[offlinereason], VsysName=[vsys-name], InterfaceName=[InterfaceName], SlotID=[SlotID])

An IPSec tunnel is deleted.

Attribute

Alarm ID

Alarm Severity

Alarm Type

303046743

Warning

Communication alarm

Parameters

Name

Meaning

OID

Indicates the MIB object ID of the alarm.

Ifindex

Indicates the interface index.

SeqNum

Indicates the policy number.

TunnelIndex

Indicates the tunnel index.

RuleNum

Indicates the rule number.

DstIP

Indicates the IP address of the peer end of the IPSec tunnel.

InsideIP

Indicates the intranet IP address of the peer end of the tunnel.

RemotePort

Indicates the port number of the peer end of the IPSec tunnel.

CpuID

Indicates the CPU number.

SrcIP

Indicates the IP address of the local end of the IPSec tunnel.

FlowInfo

Indicates the data flow information of the IPSec tunnel, including the source address, destination address, ACL port number, ACL protocol number, and DSCP.

offlinereason

Indicates the reason why the IPSec tunnel was deleted.

vsys-name

Indicates the name of the virtual system to which the IPSec policy belongs.

NOTE:

The device does not support this parameter.

InterfaceName

Indicates the interface name.

SlotID

Indicates the Slot number.

NOTE:

The device does not support this parameter.

Impact on the System

An IPSec tunnel has been deleted.

Possible Causes

An IPSec tunnel has been deleted due to the following causes:

  • dpd timeout: Dead peer detection (DPD) times out.
  • peer request: The remote end has sent a message, asking the local end to tear down the tunnel.
  • config modify or manual offline: An SA is deleted due to configuration modification or an SA is manually deleted.
  • phase1 hard expiry: Hard lifetime expires in phase 1 (no new SA negotiation success message is received).
  • phase2 hard expiry: Hard lifetime expires in phase 2.
  • heartbeat timeout: heartbeat detection times out.
  • re-auth timeout: An SA is deleted due to reauthentication timeout.
  • aaa cut user: The AAA module disconnects users.
  • hard expiry triggered by port mismatch: A hard timeout occurs due to mismatch NAT port number.
  • kick old sa with same flow: The old SA is deleted for the same incoming flow.
  • spi conflict: An SPI conflict occurs.
  • phase1 sa replace: The new IKE SA replaces the old IKE SA.
  • phase2 sa replace: The new IPSec SA replaces the old IPsec SA.
  • receive invalid spi notify: The device receives an invalid SPI notification.
  • dns resolution status change: DNS resolution status changes.
  • ikev1 phase1-phase2 sa dependent offline: The device deletes the associated IPSec SA when deleting an IKEv1 SA.
  • exchange timeout: Packet interaction timeout.

Procedure

  • Cause: dpd timeout

    Perform the ping operation to check link reachability. If the link is unreachable, check the link and network configuration.

  • Cause: heartbeat timeout
    1. Perform the ping operation to check link reachability. If the link is unreachable, check the link configuration.
    2. Check the heartbeat configuration on the two ends. If the configuration is incorrect, correct it.
  • Cause: config modify or manual offline
    1. Check whether the tunnel is deleted manually or whether the SA is reset. If so, no operation is required.
    2. Check whether the IPSec configuration modified on the local end is correct. If not, correct the IPSec configuration.
    3. Check whether manually deleted IPSec policies are redundant. If they are not redundant, reapply IPSec policies to the interface.
  • Cause: phase1 hard expiry

    Check whether the IKE SA lifetime is proper. If not, modify the IKE SA lifetime.

  • Cause: phase2 hard expiry

    Check whether the IPSec SA lifetime is proper. If not, modify the IPSec SA lifetime.

  • Cause: hard expiry triggered by port mismatch

    Check whether the two ends use the same NAT port number. If not, modify the NAT port numbers to be the same.

  • Cause: peer request

    Check log information of the remote device and determine the causes for the IPSec tunnel fault accordingly.

  • Cause: receive invalid spi notify

    If this fault occurs frequently, check whether the remote device status or configurations are abnormal.

  • Cause: dns resolution status change
    1. Ensure that the link between the device and DNS server is normal.
    2. Ensure that the DNS server is working properly.
    3. Ensure that the domain name configured using the remote-address host-name command is correct.
  • Cause: ikev1 phase1-phase2 sa dependent offline

    This symptom is normal and no operation is required if the devices at two ends can renegotiate the IKE SA and IPSec SA. Otherwise, you are advised to run the undo ikev1 phase1-phase2 sa dependent command on the local device to cancel dependency between IPSec SA and IKE SA during IKEv1 negotiation.

  • Cause: exchange timeout

    Ensure that the link is normal and the IPSec configuration is correct.

  • Cause: kick old sa with same flow

    Run the ipsec remote traffic-identical accept command to allow branch or other users to quickly access the headquarters network.

  • Cause: aaa cut user, re-auth timeout, phase1 sa replace, phase2 sa replace, spi conflict

    This symptom is normal and no operation is required.

Related Information

ALM-303046742 An IPSec tunnel is established

Parent topic: WAC&AP Alarms