ALM-4285734913 IPSec Tunnel Is Deleted

Description

IPSEC/4/IPSECTUNNELSTOP: OID [OID] The IPSec tunnel is deleted. (Ifindex=[Ifindex], SeqNum=[SeqNum],TunnelIndex=[TunnelIndex], RuleNum=[RuleNum], DstIP=[DstIP], InsideIP=[InsideIP], RemotePort=[RemotePort], CpuID=[CpuID], SrcIP=[SrcIP], FlowInfo=[FlowInfo], OfflineReason=[offlinereason], VsysName=[vsys-name], InterfaceName=[InterfaceName], SlotID=[SlotID])

An IPSec tunnel is deleted.

Attribute

Alarm ID	Alarm Severity	Alarm Type
4285734913	Major	Communication alarm

Parameters

Name	Meaning
OID	Indicates the MIB object ID of the alarm.
Ifindex	Indicates the interface index.
SeqNum	Indicates the policy number.
TunnelIndex	Indicates the tunnel index.
RuleNum	Indicates the rule number.
DstIP	Indicates the IP address of the peer end of the IPSec tunnel.
InsideIP	Indicates the intranet IP address of the peer end of the tunnel.
RemotePort	Indicates the port number of the peer end of the IPSec tunnel.
CpuID	Indicates the CPU number.
SrcIP	Indicates the IP address of the local end of the IPSec tunnel.
FlowInfo	Indicates the data flow information of the IPSec tunnel, including the source address, destination address, ACL port number, ACL protocol number, and DSCP.
offlinereason	Indicates the reason why the IPSec tunnel was deleted.
vsys-name	Indicates the name of the virtual system to which the IPSec policy belongs. NOTE: The device does not support this parameter.
InterfaceName	Indicates the interface name.
SlotID	Indicates the slot number. NOTE: The device does not support this parameter.

Impact on the System

An IPSec tunnel has been deleted.

Possible Causes

An IPSec tunnel has been deleted due to the following causes:

dpd timeout: Dead peer detection (DPD) times out.
config modify or manual offline: An SA is deleted due to configuration modification or an SA is manually deleted.
modecfg address soft expiry: The IP address lease applied by the remote end from the server expires.
re-auth timeout: An SA is deleted due to reauthentication timeout.
aaa cut user: The AAA module disconnects users.
kick old sa with same flow: The old SA is deleted for the same incoming flow.
spi conflict: An SPI conflict occurs.
phase1 sa replace: The new IKE SA replaces the old IKE SA.
phase2 sa replace: The new IPSec SA replaces the old IPSec SA.
disconnect track nqa/bfd/vrrp: The IPSec tunnel is torn down based on the NQA test instance, NQA group, VRRP, BFD session, or BFD group status.
receive invalid spi notify: The device receives an invalid SPI notification.
dns resolution status change: DNS resolution status changes.
ikev1 phase1-phase2 sa dependent offline: The device deletes the associated IPSec SA when deleting an IKEv1 SA.
exchange timeout: Packet interaction timeout.

Procedure

Cause: dpd timeout
Log in to the iMaster NCE-Campus as a tenant administrator. Choose Maintenance > Diagnosis > Ping from the main menu. In the Results area, check the link status of the corresponding device.
- If the link status is normal, no operation is required.
- If not, check whether the link and network configurations are correct.
Cause: config modify or manual offline
1. Check whether the tunnel is deleted manually or whether the SA is reset. If so, no operation is required.
2. Log in to the iMaster NCE-Campus as a tenant administrator. Choose Maintenance > Provisioning Result > Site Configuration Status from the main menu.
3. On the Configuration Result tab page, click next to a device, click IPSec on the Feature List tab page, and click For Details to view the IPSec status of the corresponding device.
  - If the link status is normal, no operation is required.
  - If not, modify the IPSec configuration.
Cause: receive invalid spi notify
If this fault occurs frequently, check whether the remote device status or configurations are abnormal.
1. Check the device status.
  Log in to the iMaster NCE-Campus as a tenant administrator. Choose Design > Site Design > Device Management from the main menu, check the status of the corresponding device.
  - If the status is normal, no operation is required.
  - If not, click the device name to go to the details page and locate the fault.
2. Check the status of IPSec and NHRP on the peer device.
  1. Run the display nhrp peer command to check the NHRP peer table to locate the fault.
  2. Run the display ike sa command to check the SA status. If no IKE SA is established, the IPSec tunnel fails to be set up.
Cause: dns resolution status change
1. Ensure that the link between the device and DNS server is normal.
2. Ensure that the DNS server is working properly.
3. Ensure that the domain name configured using the remote-address host-name command is correct.
Cause: ikev1 phase1-phase2 sa dependent offline
This symptom is normal and no operation is required if the devices at two ends can renegotiate the IKE SA and IPSec SA. Otherwise, Log in to the iMaster NCE-Campus as a tenant administrator. Choose Maintenance > Provisioning Result > Site Configuration Status from the main menu.

On the Configuration Result tab page, click next to a device, click IPSec on the Feature List tab page, and click For Details to view the IPSec status of the corresponding device.
- If the link status is normal, no operation is required.
- If not, modify the IPSec configuration.
Cause: exchange timeout
Log in to the iMaster NCE-Campus as a tenant administrator. Choose Maintenance > Diagnosis > Ping from the main menu. In the Results area, check the link status of the corresponding device.
- If the link status is normal, no operation is required.
- If not, check whether the link and network configurations are correct.
Cause: kick old sa with same flow
Run the ipsec remote traffic-identical accept command to allow branch or other users to quickly access the headquarters network.
Cause: aaa cut user, disconnect track nqa/bfd/vrrp, modecfg address soft expiry, re-auth timeout, phase1 sa replace, phase2 sa replace, spi conflict
This symptom is normal and no operation is required.