Solved

Site-Site VPN Phase-1 Messages

Posted on 2011-09-21
9
1,458 Views
1 Endorsement
Last Modified: 2012-05-12
Hi,

We have Site-Site Tunnel between two peers , when i check the Phase-1 Tunnel status some time s it is showing as follows ;

1 ) SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE


                                               or

2 ) SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : AM_ACTIVE_REKEY
2   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_REKEY_DONE_H2

a) From the above tunnel status whaich tunnel status which one is standard is Status 1 or Status 2.

b) AM_ACTIVE_REKEY,waht does it means

c) AM_REKEY_DONE_H2 what does it means

d) what is responder and initiatior roles , which should be the  ideal/ standard one for tunnel up.

Regards
Ramu
1
Comment
Question by:RAMU CH
  • 4
  • 3
  • 2
9 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 250 total points
ID: 36574139
To answer all in one, normally this could mean that the lifetimes for the tunnel on both sides aren't the same.
After the lifetime expires a rekey is done (a new encryption key is generated). So normally when the lifetimes are the same (as it should be), both sides expire at the same moment, initiate the rekey and carry on. In this case one side is already expiered an initiates a rekey while the other side hasn't expired yet.
0
 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 250 total points
ID: 36574156
Just to add:

Initiator is ASA which initiates VPN. VPN is initiated when there is interesting traffic going through local ASA to remote location, so if traffic is going from your ASA to remote location, your ASA is initiator, remote location is responder. If traffic comes from remote to you, remote ASA is initiator, your ASA is responder. When there is no traffic between peers, VPN is down
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 36574247
Hi,

You Mean that a Site-Site VPN Firewall Roles varies by time by time because while Negotiating the Parameters one firewall sends the  other Firewall  Receives and Viceversa.

But my Firewall always showing as responder Role. What does it mean.

Regards
Ramu
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 250 total points
ID: 36574313
Nothing serious, believe me :) Probably remote side sends traffic more frequently than you or, in other words, remote side initiates the use of services on your side, your side just responds to them  
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36585889
Can't add anything to that:)
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 36591418
Hi Erniebeek,

I didnt get you..
Pls clarify me

Regards
ramu
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36592615
:)

I just meant that I agreed with the additional explanation from my fellow expert fgasimzade.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 36592616
Or were you pointing at my first post here?
0
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 36946802
Thanks
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5512 LAN Config 16 78
ASA RADIUS Authetication for Management Access 13 33
DNS Server 7 59
2960 port config for both PC & SIP phone using QoS 2 13
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question