ALM-303046743 An IPSec tunnel is deleted
Description
IPSEC/4/IPSECTUNNELSTOP: OID [OID] The IPSec tunnel is deleted. (Ifindex=[Ifindex], SeqNum=[SeqNum],TunnelIndex=[TunnelIndex], RuleNum=[RuleNum], DstIP=[DstIP], InsideIP=[InsideIP], RemotePort=[RemotePort], CpuID=[CpuID], SrcIP=[SrcIP], FlowInfo=[FlowInfo], OfflineReason=[offlinereason], VsysName=[vsys-name], InterfaceName=[InterfaceName], SlotID=[SlotID])
An IPSec tunnel is deleted.
Attribute
Alarm ID |
Alarm Severity |
Alarm Type |
---|---|---|
303046743 |
Warning |
Communication alarm |
Parameters
Name |
Meaning |
---|---|
OID |
Indicates the MIB object ID of the alarm. |
Ifindex |
Indicates the interface index. |
SeqNum |
Indicates the policy number. |
TunnelIndex |
Indicates the tunnel index. |
RuleNum |
Indicates the rule number. |
DstIP |
Indicates the IP address of the peer end of the IPSec tunnel. |
InsideIP |
Indicates the intranet IP address of the peer end of the tunnel. |
RemotePort |
Indicates the port number of the peer end of the IPSec tunnel. |
CpuID |
Indicates the CPU number. |
SrcIP |
Indicates the IP address of the local end of the IPSec tunnel. |
FlowInfo |
Indicates the data flow information of the IPSec tunnel, including the source address, destination address, ACL port number, ACL protocol number, and DSCP. |
offlinereason |
Indicates the reason why the IPSec tunnel was deleted. |
vsys-name |
Indicates the name of the virtual system to which the IPSec policy belongs.
NOTE:
The device does not support this parameter. |
InterfaceName |
Indicates the interface name. |
SlotID |
Indicates the Slot number.
NOTE:
The device does not support this parameter. |
Impact on the System
An IPSec tunnel has been deleted.
Possible Causes
An IPSec tunnel has been deleted due to the following causes:
- dpd timeout: Dead peer detection (DPD) times out.
- peer request: The remote end has sent a message, asking the local end to tear down the tunnel.
- config modify or manual offline: An SA is deleted due to configuration modification or an SA is manually deleted.
- phase1 hard expiry: Hard lifetime expires in phase 1 (no new SA negotiation success message is received).
- phase2 hard expiry: Hard lifetime expires in phase 2.
- heartbeat timeout: heartbeat detection times out.
- re-auth timeout: An SA is deleted due to reauthentication timeout.
- aaa cut user: The AAA module disconnects users.
- hard expiry triggered by port mismatch: A hard timeout occurs due to mismatch NAT port number.
- kick old sa with same flow: The old SA is deleted for the same incoming flow.
- spi conflict: An SPI conflict occurs.
- phase1 sa replace: The new IKE SA replaces the old IKE SA.
- phase2 sa replace: The new IPSec SA replaces the old IPsec SA.
- receive invalid spi notify: The device receives an invalid SPI notification.
- dns resolution status change: DNS resolution status changes.
- ikev1 phase1-phase2 sa dependent offline: The device deletes the associated IPSec SA when deleting an IKEv1 SA.
- exchange timeout: Packet interaction timeout.
Procedure
- Cause: dpd timeout
Perform the ping operation to check link reachability. If the link is unreachable, check the link and network configuration.
- Cause: heartbeat timeout
- Perform the ping operation to check link reachability. If the link is unreachable, check the link configuration.
- Check the heartbeat configuration on the two ends. If the configuration is incorrect, correct it.
- Cause: config modify or manual offline
- Check whether the tunnel is deleted manually or whether the SA is reset. If so, no operation is required.
- Check whether the IPSec configuration modified on the local end is correct. If not, correct the IPSec configuration.
- Check whether manually deleted IPSec policies are redundant. If they are not redundant, reapply IPSec policies to the interface.
- Cause: phase1 hard expiry
Check whether the IKE SA lifetime is proper. If not, modify the IKE SA lifetime.
- Cause: phase2 hard expiry
Check whether the IPSec SA lifetime is proper. If not, modify the IPSec SA lifetime.
- Cause: hard expiry triggered by port mismatch
Check whether the two ends use the same NAT port number. If not, modify the NAT port numbers to be the same.
- Cause: peer request
Check log information of the remote device and determine the causes for the IPSec tunnel fault accordingly.
- Cause: receive invalid spi notify
If this fault occurs frequently, check whether the remote device status or configurations are abnormal.
- Cause: dns resolution status change
- Ensure that the link between the device and DNS server is normal.
- Ensure that the DNS server is working properly.
- Ensure that the domain name configured using the remote-address host-name command is correct.
- Cause: ikev1 phase1-phase2 sa dependent offline
This symptom is normal and no operation is required if the devices at two ends can renegotiate the IKE SA and IPSec SA. Otherwise, you are advised to run the undo ikev1 phase1-phase2 sa dependent command on the local device to cancel dependency between IPSec SA and IKE SA during IKEv1 negotiation.
- Cause: exchange timeout
Ensure that the link is normal and the IPSec configuration is correct.
- Cause: kick old sa with same flow
Run the ipsec remote traffic-identical accept command to allow branch or other users to quickly access the headquarters network.
- Cause: aaa cut user, re-auth timeout, phase1 sa replace, phase2 sa replace, spi conflict
Related Information
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot