VPN Tunnel with remote DAIP fails when there is a link failover
Symptoms
  • VPN Tunnel with remote DAIP fails when there is a link failover. (Site-2-Site Tunnel fails when the Remote Peer has ISP Redundancy with a primary interface assigned with a routable IP address, and a secondary interface with a private IP address (behind NAT).)
  • The issue occurs when:
    1. There is a failover from the primary link to the secondary link.
    2. The user performs a reset of IKE SAs on the 1430 Quantum Spark Appliance side (renegotiates Main Mode and Quick Mode).
    3. There is a failback to the primary interface.
    4. The user performs a reset of IPSec SAs on the 1430 Quantum Spark Appliance side.
    5. The Center Gateway drops the QM Packet 1 negotiation packet with "INVALID-ID-INFORMATION".
Cause
The 1430 Quantum Spark Appliance does not reset the tunnel automatically after a failover between links when the tunnel uses NAT-T. Traffic still passes successfully after a failover from one link to the other. However, when a Quick Mode (QM) renegotiation occurs with no Main Mode (MM) preceding it, the HQ (Center Gateway) cannot resolve the DAIP peer's IP address and returns an IKE error.
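The following is an added toy model of the failure sequence, written for this article; it is not Check Point code and does not reflect the real IKE implementation on either appliance. Its one assumption is that the Center Gateway binds a DAIP peer's identity to the source address seen in the last Main Mode, and that a Quick Mode packet is matched to a DAIP peer only through that bound address. The gateway and peer names and the IP addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class DaipPeer:
    """What the Center Gateway remembers about a DAIP peer after a Main Mode exchange."""
    peer_id: str   # identity authenticated during Main Mode
    addr: str      # source address of the last Main Mode (the NAT address on the secondary link)


class CenterGateway:
    """Toy responder: resolves a DAIP peer from the source address of the incoming IKE packet.

    Assumption (not Check Point's implementation): one current address per DAIP peer,
    rebound on every Main Mode.
    """

    def __init__(self):
        self.peers = {}   # peer_id -> DaipPeer
        self.log = []

    def main_mode(self, peer_id, src_addr):
        # Main Mode authenticates the peer, so its identity can be (re)bound to src_addr.
        self.peers[peer_id] = DaipPeer(peer_id, src_addr)
        self.log.append(f"MM from {src_addr}: DAIP peer {peer_id} bound to {src_addr}")
        return "MM-OK"

    def quick_mode(self, src_addr):
        # Quick Mode carries no fresh identity; the responder must find a DAIP peer
        # whose bound address equals the packet's source address.
        for peer in self.peers.values():
            if peer.addr == src_addr:
                self.log.append(f"QM from {src_addr}: IPsec SA for {peer.peer_id}")
                return "QM-OK"
        self.log.append(f"QM from {src_addr}: no DAIP peer bound here -> INVALID-ID-INFORMATION")
        return "INVALID-ID-INFORMATION"


class SparkAppliance:
    """Toy model of the 1430 side: the active link decides the address the Center sees."""

    def __init__(self, peer_id, primary_addr, secondary_nat_addr):
        self.peer_id = peer_id
        self.links = {"primary": primary_addr, "secondary": secondary_nat_addr}
        self.active = "primary"

    def src_addr(self):
        return self.links[self.active]

    def failover(self):
        self.active = "secondary"

    def failback(self):
        self.active = "primary"

    def reset_ike_sas(self, center):
        # "Reset IKE SAs": renegotiate Main Mode, then Quick Mode.
        center.main_mode(self.peer_id, self.src_addr())
        return center.quick_mode(self.src_addr())

    def reset_ipsec_sas(self, center):
        # "Reset IPsec SAs": Quick Mode only, with no Main Mode preceding it.
        return center.quick_mode(self.src_addr())


def reproduce():
    """Walk the steps from the Symptoms list; return the outcome of step 2 and step 4."""
    center = CenterGateway()
    # Constructed addresses: routable primary, NAT address seen for the secondary link.
    spark = SparkAppliance("branch-1430", "198.51.100.10", "203.0.113.77")
    spark.reset_ike_sas(center)            # tunnel initially established on the primary link
    spark.failover()                       # step 1: primary -> secondary
    step2 = spark.reset_ike_sas(center)    # step 2: MM + QM from the NAT address, succeeds
    spark.failback()                       # step 3: secondary -> primary
    step4 = spark.reset_ipsec_sas(center)  # step 4: QM only from the primary address
    return step2, step4                    # step 5: step4 is INVALID-ID-INFORMATION


if __name__ == "__main__":
    s2, s4 = reproduce()
    print("step 2:", s2)
    print("step 4:", s4)
```

Running `reproduce()` returns `("QM-OK", "INVALID-ID-INFORMATION")`: the Main Mode in step 2 rebinds the DAIP peer to the secondary link's NAT address, so the Quick Mode-only reset in step 4, arriving from the primary address, matches no bound peer. The model is only meant to make the cause paragraph concrete; the vendor's actual handling is described in the Solution section.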
Solution