Updated on 2024-01-25 GMT+08:00

ALM-4285734913 IPSec Tunnel Is Deleted

Description

IPSEC/4/IPSECTUNNELSTOP: OID [OID] The IPSec tunnel is deleted. (Ifindex=[Ifindex], SeqNum=[SeqNum],TunnelIndex=[TunnelIndex], RuleNum=[RuleNum], DstIP=[DstIP], InsideIP=[InsideIP], RemotePort=[RemotePort], CpuID=[CpuID], SrcIP=[SrcIP], FlowInfo=[FlowInfo], OfflineReason=[offlinereason], VsysName=[vsys-name], InterfaceName=[InterfaceName], SlotID=[SlotID])

An IPSec tunnel is deleted.

Attribute

Alarm ID: 4285734913
Alarm Severity: Major
Alarm Type: Communication alarm

Parameters

OID: Indicates the MIB object ID of the alarm.
Ifindex: Indicates the interface index.
SeqNum: Indicates the policy number.
TunnelIndex: Indicates the tunnel index.
RuleNum: Indicates the rule number.
DstIP: Indicates the IP address of the peer end of the IPSec tunnel.
InsideIP: Indicates the intranet IP address of the peer end of the tunnel.
RemotePort: Indicates the port number of the peer end of the IPSec tunnel.
CpuID: Indicates the CPU number.
SrcIP: Indicates the IP address of the local end of the IPSec tunnel.
FlowInfo: Indicates the data flow information of the IPSec tunnel, including the source address, destination address, ACL port number, ACL protocol number, and DSCP.
offlinereason: Indicates the reason why the IPSec tunnel was deleted.
vsys-name: Indicates the name of the virtual system to which the IPSec policy belongs.
  NOTE: The device does not support this parameter.
InterfaceName: Indicates the interface name.
SlotID: Indicates the slot number.
  NOTE: The device does not support this parameter.

Impact on the System

An IPSec tunnel has been deleted. Traffic that matches the tunnel's data flow (FlowInfo) is no longer carried by that tunnel until a new IPSec SA is negotiated. Whether this affects service depends on the OfflineReason: the SA replacement and reauthentication cases listed under Possible Causes are normal SA turnover, whereas DPD, exchange, and DNS related reasons indicate a peer or path problem.

Possible Causes

An IPSec tunnel has been deleted due to one of the following causes (reported in the OfflineReason field):

  • dpd timeout: Dead peer detection (DPD) times out because the peer stops answering DPD probes.
  • config modify or manual offline: An SA is deleted because the configuration was modified or because the SA was manually reset.
  • modecfg address soft expiry: The lease of the IP address that the remote end obtained from the server through mode configuration expires.
  • re-auth timeout: An SA is deleted due to reauthentication timeout.
  • aaa cut user: The AAA module disconnects the user.
  • kick old sa with same flow: The old SA is deleted because a new SA is negotiated for the same data flow.
  • spi conflict: An SPI conflict occurs.
  • phase1 sa replace: A new IKE SA replaces the old IKE SA.
  • phase2 sa replace: A new IPSec SA replaces the old IPSec SA.
  • disconnect track nqa/bfd/vrrp: The IPSec tunnel is torn down based on the NQA test instance, NQA group, VRRP, BFD session, or BFD group status it tracks.
  • receive invalid spi notify: The device receives an invalid SPI notification from the peer.
  • dns resolution status change: The DNS resolution status of the remote address changes.
  • ikev1 phase1-phase2 sa dependent offline: The device deletes the associated IPSec SA when deleting an IKEv1 SA.
  • exchange timeout: An IKE exchange times out because no response to a negotiation packet is received.

Procedure

  • Cause: dpd timeout

    Log in to the iMaster NCE-Campus as a tenant administrator. Choose Maintenance > Diagnosis > Ping from the main menu. In the Results area, check the link status of the corresponding device.

    • If the link status is normal, no operation is required.
    • If not, check whether the link and network configurations are correct.
  • Cause: config modify or manual offline
    1. Check whether the tunnel is deleted manually or whether the SA is reset. If so, no operation is required.
    2. Log in to the iMaster NCE-Campus as a tenant administrator. Choose Maintenance > Provisioning Result > Site Configuration Status from the main menu.
    3. On the Configuration Result tab page, click next to a device, click IPSec on the Feature List tab page, and click For Details to view the IPSec status of the corresponding device.
      • If the link status is normal, no operation is required.
      • If not, modify the IPSec configuration.
  • Cause: receive invalid spi notify

    If this fault occurs frequently, check whether the remote device status or configurations are abnormal.

    1. Check the device status.

      Log in to the iMaster NCE-Campus as a tenant administrator. Choose Design > Site Design > Device Management from the main menu, check the status of the corresponding device.

      • If the status is normal, no operation is required.
      • If not, click the device name to go to the details page and locate the fault.
    2. Check the status of IPSec and NHRP on the peer device.
      1. Run the display nhrp peer command to check the NHRP peer table to locate the fault.
      2. Run the display ike sa command to check the SA status. If no IKE SA is established, the IPSec tunnel fails to be set up.
  • Cause: dns resolution status change
    1. Ensure that the link between the device and DNS server is normal.
    2. Ensure that the DNS server is working properly.
    3. Ensure that the domain name configured using the remote-address host-name command is correct.
  • Cause: ikev1 phase1-phase2 sa dependent offline

    This symptom is normal and no operation is required if the devices at both ends can renegotiate the IKE SA and IPSec SA. Otherwise, log in to the iMaster NCE-Campus as a tenant administrator. Choose Maintenance > Provisioning Result > Site Configuration Status from the main menu.

    On the Configuration Result tab page, click next to a device, click IPSec on the Feature List tab page, and click For Details to view the IPSec status of the corresponding device.

    • If the link status is normal, no operation is required.
    • If not, modify the IPSec configuration.
  • Cause: exchange timeout

    Log in to the iMaster NCE-Campus as a tenant administrator. Choose Maintenance > Diagnosis > Ping from the main menu. In the Results area, check the link status of the corresponding device.

    • If the link status is normal, no operation is required.
    • If not, check whether the link and network configurations are correct.
  • Cause: kick old sa with same flow

    This reason is expected when a branch or other user renegotiates an SA for a data flow that already has one. Run the ipsec remote traffic-identical accept command so that the device accepts the new SA for the identical flow and the branch or other users can quickly regain access to the headquarters network.

  • Cause: aaa cut user, disconnect track nqa/bfd/vrrp, modecfg address soft expiry, re-auth timeout, phase1 sa replace, phase2 sa replace, spi conflict

    This symptom is normal and no operation is required.
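The alarm format and the Possible Causes / Procedure mapping above can be turned into a small triage script. The following is an added example and is not part of the iMaster NCE-Campus documentation. It parses constructed IPSEC/4/IPSECTUNNELSTOP lines in the format shown under Description (real logs print the values without the manual's [] placeholders; the parser accepts both), classifies the OfflineReason into the page's "normal" and "investigate" groups, and counts receive invalid spi notify deletions per peer so that the "occurs frequently" condition in the Procedure can be flagged. The OID value, addresses, interface name, and sample lines are made up, and the threshold of three with no time window is a simplification of this example.

```python
"""Triage IPSEC/4/IPSECTUNNELSTOP alarms by OfflineReason.

Added example; not part of the iMaster NCE-Campus documentation. The sample
log lines, addresses, interface name and OID value are constructed.
"""
import re
from collections import Counter

# "OID <value> The IPSec tunnel is deleted. (Key=Value, Key=Value, ...)".
# Real logs print values without the [] placeholders used in the manual;
# the field regex accepts both forms.
_HEADER_RE = re.compile(
    r"IPSEC/4/IPSECTUNNELSTOP:\s*OID\s+(?P<oid>[\d.]+)\s+The IPSec tunnel is deleted\."
    r"\s*\((?P<fields>.*)\)\s*$"
)
_FIELD_RE = re.compile(r"(\w+)=\[?(.*?)\]?(?=,\s*\w+=|$)")

# OfflineReason values the page marks as normal (no operation required).
BENIGN = {
    "aaa cut user", "disconnect track nqa/bfd/vrrp", "modecfg address soft expiry",
    "re-auth timeout", "phase1 sa replace", "phase2 sa replace", "spi conflict",
}
# Reasons with a follow-up check in the Procedure section.
ACTIONS = {
    "dpd timeout": "ping the peer; check link and network configuration",
    "exchange timeout": "ping the peer; check link and network configuration",
    "config modify or manual offline": "confirm the change was intentional; else review IPSec config",
    "receive invalid spi notify": "if frequent, check remote device status, NHRP peers and IKE SA",
    "dns resolution status change": "check DNS server reachability and remote-address host-name",
    "ikev1 phase1-phase2 sa dependent offline": "normal if SAs renegotiate; else review IPSec config",
    "kick old sa with same flow": "consider 'ipsec remote traffic-identical accept'",
}


def parse_tunnel_stop(line):
    """Return the alarm fields as a dict, or None if the line is another log."""
    m = _HEADER_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip() for k, v in _FIELD_RE.findall(m.group("fields"))}
    fields["OID"] = m.group("oid")
    return fields


def triage(fields):
    """Map OfflineReason to (verdict, action) using the page's Procedure table."""
    reason = fields.get("OfflineReason", "").lower()
    if reason in BENIGN:
        return "normal", "no operation required"
    if reason in ACTIONS:
        return "investigate", ACTIONS[reason]
    return "unknown", "reason not documented; inspect the device"


def frequent_invalid_spi(events, threshold=3):
    """Peers (SrcIP, DstIP) with >= threshold 'receive invalid spi notify' deletions.

    The page only says 'frequently'; the fixed threshold and the absence of a
    time window are simplifications for this example.
    """
    counts = Counter(
        (f.get("SrcIP"), f.get("DstIP"))
        for f in events
        if f.get("OfflineReason", "").lower() == "receive invalid spi notify"
    )
    return {peer: n for peer, n in counts.items() if n >= threshold}


def run(lines):
    """Parse all lines, triage each alarm, and flag noisy invalid-SPI peers."""
    events = [f for f in map(parse_tunnel_stop, lines) if f]
    return {
        "triage": [(f["OfflineReason"], *triage(f)) for f in events],
        "frequent_invalid_spi": frequent_invalid_spi(events),
    }


def _alarm(reason, src="198.51.100.5", dst="203.0.113.10"):
    # Constructed sample line in the page's format (the OID value is a placeholder).
    return (
        "IPSEC/4/IPSECTUNNELSTOP: OID 1.2.3.4.5 The IPSec tunnel is deleted. "
        f"(Ifindex=12, SeqNum=10,TunnelIndex=3, RuleNum=1, DstIP={dst}, "
        f"InsideIP=10.2.2.1, RemotePort=500, CpuID=0, SrcIP={src}, "
        "FlowInfo=10.1.1.0/24->10.2.2.0/24 0 0 0, "
        f"OfflineReason={reason}, VsysName=public, "
        "InterfaceName=GigabitEthernet0/0/1, SlotID=0)"
    )


SAMPLE_LOGS = [  # constructed input
    _alarm("dpd timeout"),
    _alarm("phase2 sa replace"),
    "some other log line that is not this alarm",
    _alarm("receive invalid spi notify", dst="203.0.113.20"),
    _alarm("receive invalid spi notify", dst="203.0.113.20"),
    _alarm("receive invalid spi notify", dst="203.0.113.20"),
]

if __name__ == "__main__":
    result = run(SAMPLE_LOGS)
    for row in result["triage"]:
        print(*row, sep=" | ")
    print("noisy invalid-SPI peers:", result["frequent_invalid_spi"])
```

In a real deployment the line would arrive from the device's syslog feed rather than from SAMPLE_LOGS, and the invalid-SPI count should be taken over a sliding time window so that a single noisy peer is reported once rather than on every subsequent alarm.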

Clearing

The alarm needs to be cleared manually.