Tunnels initiated with DAIP gateways cannot be re-established if the tunnel is reset

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk109853
Technical Level
Product	IPSec VPN, SmartProvisioning / LSM
Version	R76SP.50, R77.30
Date Created	28-Jan-2016
Last Modified	18-Aug-2019

Symptoms

The central gateway with tunnels to DAIP satellite gateways will not send a delete message when it receives an ESP packet from one of the DAIP gateways with an unknown SPI, despite having the option "Perform an organized shutdown of tunnels upon gateway restart" enabled.
This will cause the tunnel between the central firewall and the DAIP satellites to remain down until the DAIP satellites delete their SAs and renegotiate the tunnel from their end.
A VPN debug will show the following:
"InitiatorStart: Can't send delete SA to SR/DAIP with crash recovery disabled."

Cause

If the central firewall receives an uknown SPI and is unable to resolve the peer to an object (in the event the peer has a dynamically assigned IP address) then it will try to pull the SPI from the crash recovery database to send the delete. The issue here is that the firewall is not properly storing the information in the crash recovery database and thus cannot send a delete message to inform the peer to delete the SA and renegotiate the tunnel.

Solution

Note: To view this solution you need to Sign In .