Solved

VPN tunnel failing, not sure why

Posted on 2014-01-05
12
669 Views
Last Modified: 2014-01-06
We had a LAN to LAN tunnel set up on our Watchguard firewalls.
Both FW are same make model. What are these logs telling me?

The VPN was workign for about 18 hours, went down for about 8, then just came back up out of the blue.  These are logs from during the downtime.


2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)ike_match_if_name: Match pcy [Staff_mu] dev:anyE, pkt if[3]:eth1, pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)ike_match_if_name: Match pcy [gateway.1] dev:eth1, pkt if[3]:eth1, pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Found IKE Policy [gateway.1, dev:eth1] for peer IP:xxx.xxx.35.99, numXform:1, pkt ifIndex:3, pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Process Notify Payload : NOTIFY-TYPE : 32769 , pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Process ISAKMP Notify : from peer 0x5ee42363 protocol 1 SPI e9a69400, pri=7, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)IkeNotifyPayloadHtoN : net order spi(0xe9 0xa6 0x94 0000) , pri=6, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Sending keepalive_request message to xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)******** RECV an IKE packet at xxx.xxx.94.146:500(socket:11 ifIndex:3) from Peer xxx.xxx.35.99:500 ********, pri=6, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)IkeNotifyPayloadNtoH : SPI Size 16 first4(0x0094a6e9), pri=6, proc_id=iked, msg_id=
2014-01-04 22:52:58      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Received a keepalive_ack message from xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:14      FWStatus, ******** RECV message on fd_server(7) ********, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:14      FWStatus, recv CMD XPATH(/ping), need to process it, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)ike_match_if_name: Match pcy [Staff_mu] dev:anyE, pkt if[3]:eth1, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)ike_match_if_name: Match pcy [gateway.1] dev:eth1, pkt if[3]:eth1, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Found IKE Policy [gateway.1, dev:eth1] for peer IP:xxx.xxx.35.99, numXform:1, pkt ifIndex:3, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Process Notify Payload : NOTIFY-TYPE : 32768 , pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Process ISAKMP Notify : from peer 0x5ee42363 protocol 1 SPI e9a69400, pri=7, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)******** RECV an IKE packet at xxx.xxx.94.146:500(socket:11 ifIndex:3) from Peer xxx.xxx.35.99:500 ********, pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)IkeNotifyPayloadNtoH : SPI Size 16 first4(0x0094a6e9), pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Received a keepalive_request message from xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)IkeNotifyPayloadHtoN : net order spi(0xe9 0xa6 0x94 0000) , pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:28      FWStatus, (xxx.xxx.94.146<->xxx.xxx.35.99)Sending keepalive_ack message to xxx.xxx.35.99:500, pri=6, proc_id=iked, msg_id=
2014-01-04 22:53:44      FWStatus, ******** RECV message on fd_server(7) ********, pri=7, proc_id=iked, msg_id=
0
Comment
Question by:wannabecraig
  • 5
  • 4
  • 3
12 Comments
 
LVL 11

Accepted Solution

by:
Miftaul earned 400 total points
ID: 39757390
Was the port 500 blocked by something, may be by the ISP.

How did the log look like when IPSec was down.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 100 total points
ID: 39757419
In addition to Keep Alive, you should see timeout settings in the IPsec Phases. These timeout after a period of inactivity. That may be what is causing the issue.

... Thinkpads_User
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 39757422
This is when the IPSec was down.  port 500 should not have been blocked.
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 39757430
There is no timeout set, the tunnel is set to keep alive every 30 seconds.  There was also traffic trying to be set out on that connection so it didnt go down because on inactivity.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39757441
I have a policy in the IPsec setting for Juniper Netscreen connections that is called Policy Lifetime. I have my connection set for 8 hours but it can be set for days as well.

I am not saying this is your problem, but it may be worth investigating.

You are saying (I think) that ports are not blocked, so the Policy settings see a reasonable thing to consider.

Servers have a user settings that can allow for disconnection for 8 hours overnight (if you wish to set it).  Are you sure just the tunnel is now, or did resources it connects to go down as well.

... Thinkpads_User
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 39757450
Just the tunnel, we have a monitor on it and it should be up constantly. There is the option for time limits on it but we have it set through always on.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 11

Expert Comment

by:Miftaul
ID: 39757456
I notice IKE phase1(udp 500) is working fine, but where is phase 2 ESP(IP 50)?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39757459
Both phases have to be up to even connect (at least that is so for Juniper Netscreen)

I wonder if the 8 hour time frame might be a red herring. Reason:  At this point we are looking for things to be gone for 8 hours.

Is it always an 8 hour outage?  

.... Thinkpads_User
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 39757528
There was never an 8 hour outage.  Not at this side anyway.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39757567
Your first post says "down for 8"  which is why I asked.

So then, When it drops out, how long (normally) does it drop out for? and does it come back correctly on its own?

.... Thinkpads_User
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 39758818
Was an ISP issue, they were blocking access.
0
 
LVL 11

Expert Comment

by:Miftaul
ID: 39758833
Good that its identified.
Thanks.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now