IKEv2 Load Sharing VPN rekey failures causing outages

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk166897
Technical Level
Product	IPSec VPN
Version	R80.10, R80.20, R80.30, R80.40
Date Created	22-May-2020
Last Modified	31-Oct-2020

Symptoms

VPN Tunnel will form and traffic will pass. IPsec SA rekey causes brief outage for up to a minute.
VPN TU will show that there are multiple IKE SA's for the peer, each with its own peer ID. There should be only one ID for the peer. This is true for Load Sharing VPN, as well, even though there are multiple tunnels for load sharing.
During an IPsec rekey, ikev2.xmll will show successful negotiation. However, vpnd.elg will show that the negotiation times out, and then a new IKE SA is negotiated along with IPsec SA's. Traffic will then function again until the next IPsec rekey attempt.

Cause

This issue reproduces when the resolved peer IP address is different than the main IP address (the IP address in the 'General Properties' tab). This can be a result of different Link Selection methods. The resolved peer IP address, used as key, is pulled from the IPsec SA tables instead of using the main IP address.

There are no unique indicators in vpnd or kernel debugs, but it is possible to check whether the resolved peer IP address in the resolved_link kernel table is different than the main IPaddress . If this is the case and the configuration is IKEv2, the problem will reproduce.

Solution

Note: To view this solution you need to Sign In .