Narrowing is an IKEv2 feature where one side narrows the Traffic Selectors (TS - the Encryption Domains proposed for the tunnel) requested by the other side.
Technically, the FW kernel instance that owns the tunnel traps the VPN daemon (VPND) to generate a specific IPsec SA. If Narrowing occurs during the IKE negotiation, the created SA may be stored in a different FW instance, because the Traffic Selectors are part of the input used to calculate the designated tunnel instance. This FW instance flip can therefore be the root cause of an outage that follows Narrowing.
In another case, SecureXL fails to find the encryption keys because of the unnecessary narrowing and drops the packet.
The FW then traps VPND to renegotiate the tunnel because of a "missing outbound SA" message sent by PPAK.
Possible reasons for Narrowing:
- Narrowing of Traffic Selectors usually happens when part of a subnet's address range is also assigned to another Security Gateway managed by the same Security Management Server (overlapping Encryption Domains).
- A plain mismatch between the local VPN configuration and the peer's.
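Worked example, added here and not taken from the original article or any Check Point code: responder-side narrowing of the peer's proposed Traffic Selectors against the local Encryption Domain, plus a check that sorts each narrowed-away range into the two causes listed above. The gateway names, subnets and the ownership lookup are constructed for the illustration; the real instance-selection and domain data structures are not modelled.

```python
import ipaddress

def _overlap(a, b):
    """CIDR blocks covering the address range shared by networks a and b."""
    lo, hi = max(int(a[0]), int(b[0])), min(int(a[-1]), int(b[-1]))
    if lo > hi:
        return []
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi)))

def narrow(proposed, local_domain):
    """Responder-side IKEv2 narrowing (RFC 7296, section 2.9): for every
    selector the peer proposes keep only the part that overlaps the local
    Encryption Domain. Inputs and outputs are CIDR strings."""
    agreed = []
    for p in map(ipaddress.ip_network, proposed):
        for l in map(ipaddress.ip_network, local_domain):
            agreed.extend(_overlap(p, l))
    return [str(n) for n in sorted(agreed)]

def dropped(proposed, agreed):
    """Ranges of the proposal that narrowing removed. CIDR blocks are either
    nested or disjoint, so each agreed block is cut out with address_exclude."""
    left = []
    for p in map(ipaddress.ip_network, proposed):
        pieces = [p]
        for a in map(ipaddress.ip_network, agreed):
            pieces = [n for x in pieces for n in
                      ([] if x.subnet_of(a) else
                       x.address_exclude(a) if a.subnet_of(x) else [x])]
        left.extend(pieces)
    return [str(n) for n in sorted(left)]

def explain_narrowing(proposed, local_domain, other_gateways):
    """Match each dropped range against the Encryption Domains of the other
    gateways on the same Management Server: a hit is the overlap case, a miss
    is a plain configuration mismatch with the peer."""
    agreed = narrow(proposed, local_domain)
    reasons = {}
    for d in map(ipaddress.ip_network, dropped(proposed, agreed)):
        owners = [gw for gw, nets in other_gateways.items()
                  if any(_overlap(d, ipaddress.ip_network(n)) for n in nets)]
        reasons[str(d)] = ("overlap with " + ", ".join(owners)) if owners \
            else "configuration mismatch with peer"
    return agreed, reasons

# Constructed scenario (not from the article): the peer proposes two ranges;
# this gateway owns only the lower half of the first, the upper half belongs
# to another gateway (GW-B) on the same Management Server, and the second
# range is in no local Encryption Domain at all.
PEER_PROPOSAL = ["10.10.0.0/16", "192.168.50.0/24"]
LOCAL_DOMAIN = ["10.10.0.0/17"]
OTHER_GATEWAYS = {"GW-B": ["10.10.128.0/17"]}

if __name__ == "__main__":
    agreed, why = explain_narrowing(PEER_PROPOSAL, LOCAL_DOMAIN, OTHER_GATEWAYS)
    print("agreed TS:", agreed)
    for rng, reason in why.items():
        print(f"narrowed away {rng}: {reason}")
```

Running it reports the agreed selector 10.10.0.0/17, attributes 10.10.128.0/17 to the overlap with GW-B and 192.168.50.0/24 to a configuration mismatch.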