
IPSec VPN site-site tunnel shows as amber signs

Recently, we have noticed that IPSec VPN site-site tunnel shows as amber signs.

Tried to disable and re-enable the IPSec VPN tunnel.

ipsec statusall | grep Levi
Levi_Singapore-1:  41.193.31.57...155.57.160.2  IKEv2, dpddelay=30s
Levi_Singapore-1:   local:  [41.193.31.57] uses pre-shared key authentication
Levi_Singapore-1:   remote: [155.57.160.2] uses pre-shared key authentication
Levi_Singapore-1:   child:  41.193.31.58/32 === 172.22.97.0/24 TUNNEL, dpdaction=restart
Levi_Singapore-2:   child:  41.193.31.58/32 === 172.22.98.0/24 TUNNEL, dpdaction=restart
Levi_Singapore-3:   child:  41.193.31.58/32 === 172.22.99.0/24 TUNNEL, dpdaction=restart
Levi_Singapore-4:   child:  41.193.31.58/32 === 172.22.84.0/24 TUNNEL, dpdaction=restart
Levi_Singapore-1[2588517]: ESTABLISHED 60 seconds ago, 41.193.31.57[41.193.31.57]...155.57.160.2[155.57.160.2]
Levi_Singapore-1[2588517]: IKEv2 SPIs: bfe03747f40b30bc_i 0dead7ea5e21c3f5_r*, rekeying in 23 hours
Levi_Singapore-1[2588517]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Levi_Singapore-1{417334}:  INSTALLED, TUNNEL, reqid 4214, ESP SPIs: c8e6b4b3_i 34b2bf30_o
Levi_Singapore-1{417334}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
Levi_Singapore-1{417334}:   41.193.31.58/32 === 172.22.97.0/24




This thread was automatically locked due to age.
  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Would it be possible for you to share a screenshot of the amber signs? Is it on the Control Center of the firewall? 

    Did you check if all the SAs are coming up between the local and remote networks after starting the connection?

    Thanks,

  • Thanks Harsh,

    The issue gets resolved upon changing the tunnel mode from respond only to initiate mode; however, it was configured as initiate mode only.

    XG Firewall when in respond only Mode.

     

    XG210_WP03_SFOS 17.5.12 MR-12.HF062020.1# ipsec statusall | grep Levi
    Levi_Singapore-1:  41.193.31.57...155.57.160.2  IKEv2, dpddelay=30s
    Levi_Singapore-1:   local:  [41.193.31.57] uses pre-shared key authentication
    Levi_Singapore-1:   remote: [155.57.160.2] uses pre-shared key authentication
    Levi_Singapore-1:   child:  41.193.31.58/32 === 172.22.97.0/24 TUNNEL, dpdaction=restart
    Levi_Singapore-2:   child:  41.193.31.58/32 === 172.22.98.0/24 TUNNEL, dpdaction=restart
    Levi_Singapore-3:   child:  41.193.31.58/32 === 172.22.99.0/24 TUNNEL, dpdaction=restart
    Levi_Singapore-4:   child:  41.193.31.58/32 === 172.22.84.0/24 TUNNEL, dpdaction=restart
    Levi_Singapore-1[2588509]: ESTABLISHED 12 minutes ago, 41.193.31.57[41.193.31.57]...155.57.160.2[155.57.160.2]
    Levi_Singapore-1[2588509]: IKEv2 SPIs: 515c0be35347d704_i 65556f885c6fe150_r*, rekeying in 23 hours
    Levi_Singapore-1[2588509]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Levi_Singapore-1{417325}:  INSTALLED, TUNNEL, reqid 4211, ESP SPIs: cf215296_i 34b2bf25_o
    Levi_Singapore-1{417325}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
    Levi_Singapore-1{417325}:   41.193.31.58/32 === 172.22.97.0/24

     

    XG Firewall when in initiate Mode.

     

    XG210_WP03_SFOS 17.5.16 MR-16-Build830# ipsec statusall | grep Levi
    Levi_Singapore-1:  41.193.31.57...155.57.160.2  IKEv2, dpddelay=30s
    Levi_Singapore-1:   local:  [41.193.31.57] uses pre-shared key authentication
    Levi_Singapore-1:   remote: [155.57.160.2] uses pre-shared key authentication
    Levi_Singapore-1:   child:  41.193.31.58/32 === 172.22.97.0/24 TUNNEL, dpdaction=restart
    Levi_Singapore-2:   child:  41.193.31.58/32 === 172.22.98.0/24 TUNNEL, dpdaction=restart
    Levi_Singapore-3:   child:  41.193.31.58/32 === 172.22.99.0/24 TUNNEL, dpdaction=restart
    Levi_Singapore-4:   child:  41.193.31.58/32 === 172.22.84.0/24 TUNNEL, dpdaction=restart
    Levi_Singapore-5:   child:  41.193.31.58/32 === 172.22.99.216/32 TUNNEL, dpdaction=restart
    Levi_Singapore-1[141]: ESTABLISHED 5 minutes ago, 41.193.31.57[41.193.31.57]...155.57.160.2[155.57.160.2]
    Levi_Singapore-1[141]: IKEv2 SPIs: 744b4bfd148c5a51_i* f2979fbc53ecc1dd_r, rekeying in 23 hours
    Levi_Singapore-1[141]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Levi_Singapore-1{470}:  INSTALLED, TUNNEL, reqid 38, ESP SPIs: c0e256d8_i 34b2c31f_o
    Levi_Singapore-1{470}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
    Levi_Singapore-1{470}:   41.193.31.58/32 === 172.22.97.0/24
    Levi_Singapore-2{471}:  INSTALLED, TUNNEL, reqid 39, ESP SPIs: ca6d38cd_i 34b2c320_o
    Levi_Singapore-2{471}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
    Levi_Singapore-2{471}:   41.193.31.58/32 === 172.22.98.0/24
    Levi_Singapore-3{472}:  INSTALLED, TUNNEL, reqid 40, ESP SPIs: c0e59a79_i 34b2c321_o
    Levi_Singapore-3{472}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
    Levi_Singapore-3{472}:   41.193.31.58/32 === 172.22.99.0/24
    Levi_Singapore-4{473}:  INSTALLED, TUNNEL, reqid 41, ESP SPIs: c44e7786_i 34b2c322_o
    Levi_Singapore-4{473}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
    Levi_Singapore-4{473}:   41.193.31.58/32 === 172.22.84.0/24
    Levi_Singapore-5{474}:  INSTALLED, TUNNEL, reqid 42, ESP SPIs: c33009e8_i 34b2c323_o
    Levi_Singapore-5{474}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 46 minutes
    Levi_Singapore-5{474}:   41.193.31.58/32 === 172.22.99.216/32

    -----------------------

    Thanks & Regards,

    Nilesh Mojidra

    If a post solves your question, use the 'Verify Answer' link.
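
A check for the symptom visible in the respond-only output above (four children configured, one CHILD_SA INSTALLED), as an added example that is not part of the original thread or of the firewall's tooling. It parses `ipsec statusall` text in the format shown in the thread and reports children with no installed SA, installed SAs whose byte counters are both zero, and proposals using a MODP group below a floor. The name `audit_status` and the 2048-bit floor are assumptions of this example.

```python
import re

# Excerpt of the respond-only `ipsec statusall | grep Levi` output from this thread.
SAMPLE = """\
Levi_Singapore-1:   child:  41.193.31.58/32 === 172.22.97.0/24 TUNNEL, dpdaction=restart
Levi_Singapore-2:   child:  41.193.31.58/32 === 172.22.98.0/24 TUNNEL, dpdaction=restart
Levi_Singapore-3:   child:  41.193.31.58/32 === 172.22.99.0/24 TUNNEL, dpdaction=restart
Levi_Singapore-4:   child:  41.193.31.58/32 === 172.22.84.0/24 TUNNEL, dpdaction=restart
Levi_Singapore-1[2588509]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Levi_Singapore-1{417325}:  INSTALLED, TUNNEL, reqid 4211, ESP SPIs: cf215296_i 34b2bf25_o
Levi_Singapore-1{417325}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
"""

CHILD_CFG = re.compile(r"^\s*(\S+):\s+child:\s+(\S+) === (\S+)")
CHILD_SA = re.compile(r"^\s*(\S+)\{\d+\}:\s+INSTALLED\b")
COUNTERS = re.compile(r"^\s*(\S+)\{\d+\}:.*?(\d+) bytes_i.*?(\d+) bytes_o")
MODP = re.compile(r"^\s*(\S+?)[\[{]\d+[\]}]:.*\bMODP_(\d+)")
MIN_MODP_BITS = 2048  # assumption: local policy floor for finite-field DH groups


def audit_status(text):
    """Return children without an installed SA, idle SAs, and weak DH groups."""
    configured, installed, idle, weak_dh = {}, set(), set(), set()
    for line in text.splitlines():
        if m := CHILD_CFG.match(line):
            configured[m[1]] = (m[2], m[3])      # name -> (local TS, remote TS)
        elif m := CHILD_SA.match(line):
            installed.add(m[1])
        elif m := COUNTERS.match(line):
            if m[2] == "0" and m[3] == "0":
                idle.add(m[1])                   # SA is up but carried no traffic
        if (m := MODP.match(line)) and int(m[2]) < MIN_MODP_BITS:
            weak_dh.add((m[1], "MODP_" + m[2]))
    return {
        "missing": [(n, *configured[n]) for n in sorted(set(configured) - installed)],
        "idle": sorted(idle),
        "weak_dh": sorted(weak_dh),
    }


if __name__ == "__main__":
    for key, value in audit_status(SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding it the full, unfiltered `ipsec statusall` output works the same way, since lines that match none of the patterns are ignored.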