?
Solved

Site-Site VPN Phase-1 Messages

Posted on 2011-09-21
9
Medium Priority
?
1,531 Views
1 Endorsement
Last Modified: 2012-05-12
Hi,

We have Site-Site Tunnel between two peers , when i check the Phase-1 Tunnel status some time s it is showing as follows ;

1 ) SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE


                                               or

2 ) SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : AM_ACTIVE_REKEY
2   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_REKEY_DONE_H2

a) From the above tunnel status whaich tunnel status which one is standard is Status 1 or Status 2.

b) AM_ACTIVE_REKEY,waht does it means

c) AM_REKEY_DONE_H2 what does it means

d) what is responder and initiatior roles , which should be the  ideal/ standard one for tunnel up.

Regards
Ramu
1
Comment
Question by:RAMU CH
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 1000 total points
ID: 36574139
To answer all in one, normally this could mean that the lifetimes for the tunnel on both sides aren't the same.
After the lifetime expires a rekey is done (a new encryption key is generated). So normally when the lifetimes are the same (as it should be), both sides expire at the same moment, initiate the rekey and carry on. In this case one side is already expiered an initiates a rekey while the other side hasn't expired yet.
0
 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 1000 total points
ID: 36574156
Just to add:

Initiator is ASA which initiates VPN. VPN is initiated when there is interesting traffic going through local ASA to remote location, so if traffic is going from your ASA to remote location, your ASA is initiator, remote location is responder. If traffic comes from remote to you, remote ASA is initiator, your ASA is responder. When there is no traffic between peers, VPN is down
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 36574247
Hi,

You Mean that a Site-Site VPN Firewall Roles varies by time by time because while Negotiating the Parameters one firewall sends the  other Firewall  Receives and Viceversa.

But my Firewall always showing as responder Role. What does it mean.

Regards
Ramu
0
Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 1000 total points
ID: 36574313
Nothing serious, believe me :) Probably remote side sends traffic more frequently than you or, in other words, remote side initiates the use of services on your side, your side just responds to them  
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36585889
Can't add anything to that:)
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 36591418
Hi Erniebeek,

I didnt get you..
Pls clarify me

Regards
ramu
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36592615
:)

I just meant that I agreed with the additional explanation from my fellow expert fgasimzade.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1000 total points
ID: 36592616
Or were you pointing at my first post here?
0
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 36946802
Thanks
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question