Solved

Site-Site VPN Phase-1 Messages

Posted on 2011-09-21
9
1,507 Views
1 Endorsement
Last Modified: 2012-05-12
Hi,

We have Site-Site Tunnel between two peers , when i check the Phase-1 Tunnel status some time s it is showing as follows ;

1 ) SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE


                                               or

2 ) SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : AM_ACTIVE_REKEY
2   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_REKEY_DONE_H2

a) From the above tunnel status whaich tunnel status which one is standard is Status 1 or Status 2.

b) AM_ACTIVE_REKEY,waht does it means

c) AM_REKEY_DONE_H2 what does it means

d) what is responder and initiatior roles , which should be the  ideal/ standard one for tunnel up.

Regards
Ramu
1
Comment
Question by:RAMU CH
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 250 total points
ID: 36574139
To answer all in one, normally this could mean that the lifetimes for the tunnel on both sides aren't the same.
After the lifetime expires a rekey is done (a new encryption key is generated). So normally when the lifetimes are the same (as it should be), both sides expire at the same moment, initiate the rekey and carry on. In this case one side is already expiered an initiates a rekey while the other side hasn't expired yet.
0
 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 250 total points
ID: 36574156
Just to add:

Initiator is ASA which initiates VPN. VPN is initiated when there is interesting traffic going through local ASA to remote location, so if traffic is going from your ASA to remote location, your ASA is initiator, remote location is responder. If traffic comes from remote to you, remote ASA is initiator, your ASA is responder. When there is no traffic between peers, VPN is down
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 36574247
Hi,

You Mean that a Site-Site VPN Firewall Roles varies by time by time because while Negotiating the Parameters one firewall sends the  other Firewall  Receives and Viceversa.

But my Firewall always showing as responder Role. What does it mean.

Regards
Ramu
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 250 total points
ID: 36574313
Nothing serious, believe me :) Probably remote side sends traffic more frequently than you or, in other words, remote side initiates the use of services on your side, your side just responds to them  
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36585889
Can't add anything to that:)
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 36591418
Hi Erniebeek,

I didnt get you..
Pls clarify me

Regards
ramu
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36592615
:)

I just meant that I agreed with the additional explanation from my fellow expert fgasimzade.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 36592616
Or were you pointing at my first post here?
0
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 36946802
Thanks
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question