[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Site-Site VPN Phase-1 Messages

Posted on 2011-09-21
9
Medium Priority
?
1,552 Views
1 Endorsement
Last Modified: 2012-05-12
Hi,

We have Site-Site Tunnel between two peers , when i check the Phase-1 Tunnel status some time s it is showing as follows ;

1 ) SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE


                                               or

2 ) SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : AM_ACTIVE_REKEY
2   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_REKEY_DONE_H2

a) From the above tunnel status whaich tunnel status which one is standard is Status 1 or Status 2.

b) AM_ACTIVE_REKEY,waht does it means

c) AM_REKEY_DONE_H2 what does it means

d) what is responder and initiatior roles , which should be the  ideal/ standard one for tunnel up.

Regards
Ramu
1
Comment
Question by:RAMU CH
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 1000 total points
ID: 36574139
To answer all in one, normally this could mean that the lifetimes for the tunnel on both sides aren't the same.
After the lifetime expires a rekey is done (a new encryption key is generated). So normally when the lifetimes are the same (as it should be), both sides expire at the same moment, initiate the rekey and carry on. In this case one side is already expiered an initiates a rekey while the other side hasn't expired yet.
0
 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 1000 total points
ID: 36574156
Just to add:

Initiator is ASA which initiates VPN. VPN is initiated when there is interesting traffic going through local ASA to remote location, so if traffic is going from your ASA to remote location, your ASA is initiator, remote location is responder. If traffic comes from remote to you, remote ASA is initiator, your ASA is responder. When there is no traffic between peers, VPN is down
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 36574247
Hi,

You Mean that a Site-Site VPN Firewall Roles varies by time by time because while Negotiating the Parameters one firewall sends the  other Firewall  Receives and Viceversa.

But my Firewall always showing as responder Role. What does it mean.

Regards
Ramu
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 1000 total points
ID: 36574313
Nothing serious, believe me :) Probably remote side sends traffic more frequently than you or, in other words, remote side initiates the use of services on your side, your side just responds to them  
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36585889
Can't add anything to that:)
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 36591418
Hi Erniebeek,

I didnt get you..
Pls clarify me

Regards
ramu
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36592615
:)

I just meant that I agreed with the additional explanation from my fellow expert fgasimzade.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1000 total points
ID: 36592616
Or were you pointing at my first post here?
0
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 36946802
Thanks
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question