10.2.143.226 <-> 203.199.178.211 is the traffic flow we want to protect
10.2.143 is on my side .
sometimes the peer say they cannot access the server through vpn
show security ike security-associations
show security ipsec security-associations
is normal
sometimes like this ,but i still can ping
<131081 ESP:3des/md5 80b58d6 expir/expir - root 500 203.199.178.219
>131081 ESP:3des/md5 c0b8de99 expir/expir - root 500 203.199.178.219
here is the session information
Session ID: 20015439, Policy name: VPN-IMI-HYD-CCT-to-Remote/68, State: Active, Timeout: 10, Valid
In: 10.2.143.226/47 --> 203.199.178.211/19807;icmp, If: reth1.803, Pkts: 1, Bytes: 100
Out: 203.199.178.211/19807 --> 10.2.143.226/47;icmp, If: st0.9, Pkts: 0, Bytes: 0
Session ID: 20151015, Policy name: VPN-IMI-HYD-CCT-to-Remote/68, State: Active, Timeout: 18, Valid
In: 10.2.143.226/51 --> 203.199.178.211/19807;icmp, If: reth1.803, Pkts: 1, Bytes: 100
Out: 203.199.178.211/19807 --> 10.2.143.226/51;icmp, If: st0.9, Pkts: 0, Bytes: 0
Session ID: 20246623, Policy name: VPN-IMI-HYD-CCT-to-Remote/68, State: Active, Timeout: 10, Valid
In: 10.2.143.226/48 --> 203.199.178.211/19807;icmp, If: reth1.803, Pkts: 1, Bytes: 100
Out: 203.199.178.211/19807 --> 10.2.143.226/48;icmp, If: st0.9, Pkts: 0, Bytes: 0
when check log i can see many logs like this
Oct 28 05:31:42 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 05:31:47 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 05:31:49 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 05:31:52 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 05:31:52 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=AK煨^A"M- 燗N@, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 05:31:52 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Received delete notification [spi=^D`漆V>蚟HX㎎A^W隡-^KxAK煨uL, src_ip=41.77.220.137, dst_ip=203.199.178.219]
Oct 28 06:23:47 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 06:23:57 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 06:23:57 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=8090eaa, src_ip=41.77.220.137, dst_ip=203.199.178.219]
Oct 28 06:24:51 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 06:25:01 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 06:25:01 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=8ffb5ca, src_ip=41.77.220.137, dst_ip=203.199.178.219]
Oct 28 06:25:57 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 06:26:07 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 06:26:07 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=87bec22, src_ip=41.77.220.137, dst_ip=203.199.178.219]
Oct 28 07:22:57 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 07:23:07 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
Oct 28 07:23:17 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
when i excute
clear security ipsec security-associations index 131081 .i can ping again .so is there anyone who meet his before