VPN tunnel goes down after policy push, must be reset to bring it up
Symptoms
  • VPN tunnel goes down after policy push, and the user needs to reset the tunnel to bring it up.

  • In vpnd.elg, this log entry appears:

    [vpnd 4874 4102518672]@Gateway[Time Stamp] SAdeleteAll: keep_IKE_SAs is not set

    This log entry later appears in vpnd.elg:

    [vpnd 4874 4102518672]@Gateway[Time Stamp] findSAByPeer: Valid ISAKMP SA was not found. me=0, peer=aabbccdd

  • The VPN peer is a 3rd party vendor.

  • This error appears in vpnd.elg:
    TalkToEngine: Engine RC is << FWIKE_ERROR >>
    At the time the error occurs, the ike.elg file shows three missed DPD packets.

Cause
The keep_IKE_SAs option is not enabled. 

When this parameter is disabled, policy installation removes all Phase 1 and Phase 2 keys.
 
Enabling this parameter changes the behavior so that the Security Gateway keeps all Phase 1 and Phase 2 keys after a policy installation to work around interoperability issues with 3rd party VPN peers.
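
A triage sketch for the symptom and cause above, added here as an example (not Check Point code): it scans vpnd.elg lines for the SAdeleteAll entry and collects the peers whose ISAKMP SA lookup fails afterwards. The sample lines, gateway name and timestamp format are constructed, and decoding peer= as a hex IPv4 address is an assumption.

```python
import ipaddress
import re

# Header layout taken from the vpnd.elg entries quoted above; the timestamp
# text inside the second bracket pair is treated as opaque.
LINE = re.compile(r"\[vpnd (\d+) \d+\]@([^\[\s]+)\[([^\]]*)\]\s+(.*)")
PEER = re.compile(r"findSAByPeer: Valid ISAKMP SA was not found\..*\bpeer=([0-9a-fA-F]{8})\b")
WIPE = "SAdeleteAll: keep_IKE_SAs is not set"

def peer_to_ip(hex_peer):
    # Assumption: peer= is an IPv4 address printed as 8 hex digits, high byte first.
    return str(ipaddress.IPv4Address(int(hex_peer, 16)))

def find_sa_wipes(lines):
    """Return one finding per SAdeleteAll wipe, with the peers that then failed lookup."""
    findings = []
    open_wipe = {}  # (gateway, pid) -> most recent finding, still collecting errors
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue
        pid, gateway, stamp, msg = m.groups()
        key = (gateway, pid)
        if WIPE in msg:
            finding = {"gateway": gateway, "pid": pid, "wiped_at": stamp, "peers": []}
            findings.append(finding)
            open_wipe[key] = finding
            continue
        hit = PEER.search(msg)
        if hit and key in open_wipe:  # lookup failures before any wipe are ignored
            ip = peer_to_ip(hit.group(1))
            if ip not in open_wipe[key]["peers"]:
                open_wipe[key]["peers"].append(ip)
    return findings

# Constructed sample: gateway name, timestamps and peer c0a80a01 are made up.
SAMPLE = """\
[vpnd 4874 4102518672]@gw1[12 Mar 10:00:01] findSAByPeer: Valid ISAKMP SA was not found. me=0, peer=c0a80a01
[vpnd 4874 4102518672]@gw1[12 Mar 10:05:00] SAdeleteAll: keep_IKE_SAs is not set
[vpnd 4874 4102518672]@gw1[12 Mar 10:05:07] findSAByPeer: Valid ISAKMP SA was not found. me=0, peer=aabbccdd
[vpnd 4874 4102518672]@gw1[12 Mar 10:05:09] findSAByPeer: Valid ISAKMP SA was not found. me=0, peer=aabbccdd
""".splitlines()

if __name__ == "__main__":
    for f in find_sa_wipes(SAMPLE):
        print(f"{f['gateway']} pid {f['pid']}: SAs wiped at {f['wiped_at']}, "
              f"no ISAKMP SA afterwards for {', '.join(f['peers']) or 'none'}")
```

Matching the wiped_at values against policy installation times shows whether each tunnel drop follows a policy push.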

