Solved

Site-Site VPN Phase-1 Messages

Posted on 2011-09-21
9
1,446 Views
1 Endorsement
Last Modified: 2012-05-12
Hi,

We have Site-Site Tunnel between two peers , when i check the Phase-1 Tunnel status some time s it is showing as follows ;

1 ) SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE


                                               or

2 ) SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : AM_ACTIVE_REKEY
2   IKE Peer: 209.252.176.194
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_REKEY_DONE_H2

a) From the above tunnel status whaich tunnel status which one is standard is Status 1 or Status 2.

b) AM_ACTIVE_REKEY,waht does it means

c) AM_REKEY_DONE_H2 what does it means

d) what is responder and initiatior roles , which should be the  ideal/ standard one for tunnel up.

Regards
Ramu
1
Comment
Question by:RAMU CH
  • 4
  • 3
  • 2
9 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 250 total points
ID: 36574139
To answer all in one, normally this could mean that the lifetimes for the tunnel on both sides aren't the same.
After the lifetime expires a rekey is done (a new encryption key is generated). So normally when the lifetimes are the same (as it should be), both sides expire at the same moment, initiate the rekey and carry on. In this case one side is already expiered an initiates a rekey while the other side hasn't expired yet.
0
 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 250 total points
ID: 36574156
Just to add:

Initiator is ASA which initiates VPN. VPN is initiated when there is interesting traffic going through local ASA to remote location, so if traffic is going from your ASA to remote location, your ASA is initiator, remote location is responder. If traffic comes from remote to you, remote ASA is initiator, your ASA is responder. When there is no traffic between peers, VPN is down
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 36574247
Hi,

You Mean that a Site-Site VPN Firewall Roles varies by time by time because while Negotiating the Parameters one firewall sends the  other Firewall  Receives and Viceversa.

But my Firewall always showing as responder Role. What does it mean.

Regards
Ramu
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 250 total points
ID: 36574313
Nothing serious, believe me :) Probably remote side sends traffic more frequently than you or, in other words, remote side initiates the use of services on your side, your side just responds to them  
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36585889
Can't add anything to that:)
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 36591418
Hi Erniebeek,

I didnt get you..
Pls clarify me

Regards
ramu
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36592615
:)

I just meant that I agreed with the additional explanation from my fellow expert fgasimzade.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 36592616
Or were you pointing at my first post here?
0
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 36946802
Thanks
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question