Solved

VPN tunnel failing, not sure why

Posted on 2014-01-05
Last Modified: 2014-01-06
We had a LAN to LAN tunnel set up on our Watchguard firewalls.
Both FWs are the same make and model. What are these logs telling me?

The VPN was working for about 18 hours, went down for about 8, then just came back up out of the blue. These are logs from during the downtime.


2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)ike_match_if_name: Match pcy [Staff_mu] dev:anyE, pkt if[3]:eth1, pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)ike_match_if_name: Match pcy [gateway.1] dev:eth1, pkt if[3]:eth1, pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Found IKE Policy [gateway.1, dev:eth1] for peer IP:xxx.xxx.35.99, numXform:1, pkt ifIndex:3, pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Process Notify Payload : NOTIFY-TYPE : 32769 , pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Process ISAKMP Notify : from peer 0x5ee42363 protocol 1 SPI e9a69400, pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)IkeNotifyPayloadHtoN : net order spi(0xe9 0xa6 0x94 0000) , pri=6, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Sending keepalive_request message to xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)******** RECV an IKE packet at xxx.xxx.94.146:500(socket:11 ifIndex:3) from Peer xxx.xxx.35.99:500 ********, pri=6, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)IkeNotifyPayloadNtoH : SPI Size 16 first4(0x0094a6e9), pri=6, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Received a keepalive_ack message from xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:14      FWStatus, ******** RECV message on fd_server(7) ********, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:14      FWStatus, recv CMD XPATH(/ping), need to process it, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)ike_match_if_name: Match pcy [Staff_mu] dev:anyE, pkt if[3]:eth1, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)ike_match_if_name: Match pcy [gateway.1] dev:eth1, pkt if[3]:eth1, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Found IKE Policy [gateway.1, dev:eth1] for peer IP:xxx.xxx.35.99, numXform:1, pkt ifIndex:3, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Process Notify Payload : NOTIFY-TYPE : 32768 , pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Process ISAKMP Notify : from peer 0x5ee42363 protocol 1 SPI e9a69400, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)******** RECV an IKE packet at xxx.xxx.94.146:500(socket:11 ifIndex:3) from Peer xxx.xxx.35.99:500 ********, pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)IkeNotifyPayloadNtoH : SPI Size 16 first4(0x0094a6e9), pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Received a keepalive_request message from xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)IkeNotifyPayloadHtoN : net order spi(0xe9 0xa6 0x94 0000) , pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Sending keepalive_ack message to xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:44      FWStatus, ******** RECV message on fd_server(7) ********, pri=7, proc_id=iked, msg_id=
Question by:wannabecraig
12 Comments
 
LVL 11

Accepted Solution

by: Miftaul (earned 400 total points)
ID: 39757390
Was port 500 blocked by something, maybe by the ISP?

What did the log look like when IPSec was down?
 
LVL 93

Assisted Solution

by: John Hurst (earned 100 total points)
ID: 39757419
In addition to Keep Alive, you should see timeout settings in the IPsec Phases. These time out after a period of inactivity. That may be what is causing the issue.

... Thinkpads_User
 
LVL 1

Author Comment

by:wannabecraig
ID: 39757422
This is from when the IPSec was down. Port 500 should not have been blocked.
 
LVL 1

Author Comment

by:wannabecraig
ID: 39757430
There is no timeout set; the tunnel is set to keep-alive every 30 seconds. There was also traffic trying to be sent out on that connection, so it didn't go down because of inactivity.
 
LVL 93

Expert Comment

by:John Hurst
ID: 39757441
I have a policy in the IPsec settings for Juniper Netscreen connections that is called Policy Lifetime. I have my connection set for 8 hours, but it can be set for days as well.

I am not saying this is your problem, but it may be worth investigating.

You are saying (I think) that ports are not blocked, so the Policy settings seem a reasonable thing to consider.

Servers have user settings that can allow for disconnection for 8 hours overnight (if you wish to set it). Are you sure just the tunnel is down, or did resources it connects to go down as well?

... Thinkpads_User
 
LVL 1

Author Comment

by:wannabecraig
ID: 39757450
Just the tunnel; we have a monitor on it and it should be up constantly. There is the option for time limits on it, but we have it set to always on.
 
LVL 11

Expert Comment

by:Miftaul
ID: 39757456
I notice IKE phase 1 (UDP 500) is working fine, but where is phase 2, ESP (IP 50)?
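A small triage script in the spirit of this diagnosis, added here as an example (it is not from the thread or from WatchGuard): it parses the iked lines quoted in the question, pairs each keepalive_request with a keepalive_ack travelling the other way, measures the interval between keepalive requests, and records which SA types the "Process ISAKMP Notify ... protocol N" lines concern, using the IPsec DOI protocol IDs from RFC 2407 (1 = ISAKMP, 2 = AH, 3 = ESP). The 30-second ack window and the "no ESP notifies means no visible phase 2 activity" heuristic are assumptions of this example; the sample log is a subset of the asker's own lines.

```python
import re
from datetime import datetime

# Constructed sample: WatchGuard iked lines copied from the question (addresses masked as the asker masked them).
SAMPLE_LOG = """\
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Process ISAKMP Notify : from peer 0x5ee42363 protocol 1 SPI e9a69400, pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Sending keepalive_request message to xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Received a keepalive_ack message from xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Process ISAKMP Notify : from peer 0x5ee42363 protocol 1 SPI e9a69400, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Received a keepalive_request message from xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Sending keepalive_ack message to xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+FWStatus, (?:\([^)]*\))?(.*)$")
KEEPALIVE_RE = re.compile(r"(Sending|Received a) keepalive_(request|ack) message")
# Protocol-ID field of the ISAKMP Notify lines; values follow the IPsec DOI (RFC 2407).
NOTIFY_PROTO_RE = re.compile(r"Process ISAKMP Notify : .* protocol (\d+) SPI")
DOI_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP"}

def summarize_ike_log(text, max_rtt_s=30):
    """Pair keepalive requests with acks and record which SA types the notifies concern."""
    events, protos = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        k = KEEPALIVE_RE.search(msg)
        if k:  # 'out' = this firewall sent it, 'in' = it received it
            events.append((ts, "out" if k.group(1) == "Sending" else "in", k.group(2)))
        p = NOTIFY_PROTO_RE.search(msg)
        if p:
            protos.add(DOI_PROTO.get(int(p.group(1)), "unknown-" + p.group(1)))
    acks = [(ts, d) for ts, d, kind in events if kind == "ack"]
    requests = sorted((ts, d) for ts, d, kind in events if kind == "request")
    # A request counts as answered if an ack travelling the opposite way follows within max_rtt_s (assumed window).
    unanswered = [ts.isoformat() for ts, d in requests
                  if not any(ad != d and 0 <= (ats - ts).total_seconds() <= max_rtt_s
                             for ats, ad in acks)]
    intervals = [int((b[0] - a[0]).total_seconds()) for a, b in zip(requests, requests[1:])]
    return {"requests": len(requests), "unanswered": unanswered,
            "intervals_s": intervals, "protocols": sorted(protos)}

def diagnose(summary):
    """Verdict in the thread's terms: is phase 1 alive, and is there any ESP (phase 2) activity?"""
    if summary["unanswered"]:
        return "phase1-keepalive-failing"
    if "ESP" not in summary["protocols"]:
        return "phase1-alive-no-esp-activity"
    return "phase1-and-esp-activity"
```

On the asker's lines this reports two answered keepalive requests 30 seconds apart and only ISAKMP (protocol 1) notifies, which is the picture Miftaul describes: phase 1 healthy, nothing visible for ESP.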
 
LVL 93

Expert Comment

by:John Hurst
ID: 39757459
Both phases have to be up to even connect (at least that is so for Juniper Netscreen).

I wonder if the 8 hour time frame might be a red herring. Reason:  At this point we are looking for things to be gone for 8 hours.

Is it always an 8 hour outage?  

.... Thinkpads_User
 
LVL 1

Author Comment

by:wannabecraig
ID: 39757528
There was never an 8 hour outage. Not at this side anyway.
 
LVL 93

Expert Comment

by:John Hurst
ID: 39757567
Your first post says "down for 8", which is why I asked.

So then, when it drops out, how long (normally) does it drop out for? And does it come back correctly on its own?

.... Thinkpads_User
 
LVL 1

Author Comment

by:wannabecraig
ID: 39758818
It was an ISP issue; they were blocking access.
 
LVL 11

Expert Comment

by:Miftaul
ID: 39758833
Good that it's identified.
Thanks.
