VPN tunnel goes down after policy push, must be reset to bring it up

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk142355
Technical Level
Product	IPSec VPN
Version	R80.10 (EOL), R80.20 (EOL), R80.30 (EOL), R80.40, R81, R81.10, R81.20
OS	Gaia
Platform / Model	All
Date Created	11-Dec-2018
Last Modified	24-Nov-2022

Symptoms

VPN tunnel goes down after policy push, and the user needs to reset the tunnel to bring it up.

In vpnd.elg, this log entry appears:

[vpnd 4874 4102518672]@Gateway[Time Stamp] SAdeleteAll: keep_IKE_SAs is not set

This log entry later appears in vpnd.elg:

[vpnd 4874 4102518672]@Gateway[Time Stamp] findSAByPeer: Valid ISAKMP SA was not found. me=0, peer=aabbccdd

The VPN peer is a 3rd party vendor.
This error appears in vpnd.elg:
TalkToEngine: Engine RC is << FWIKE_ERROR >>
At the same time the error occurs, the 3x DPD packets are missed in the ike.elg file.

Cause

The keep_IKE_SAs option is not enabled.

When this parameter is disabled, policy installation removes all Phase1 and Phase 2 keys.

Enabling this parameter changes the behavior so that the Security Gateway keeps all Phase 1 and Phase 2 keys after a policy installation to work around interoperability issues with 3rd party VPN peers.

Solution

Note: To view this solution you need to Sign In .