SRX Services Gateway

VPN Logs.

‎10-22-2015 03:12 AM

I am continuously seeing the below log messages on my SRX node 3400 series. Can anyone help me understand what these logs are generated for?

Oct 22 09:57:16 FW01 (FPC Slot 3, PIC Slot 0) SPC3_PIC0 kmd[181]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: VPN1 Gateway: VPN1, Local: 1.5.4.9/500, Remote: 1.27.2.42/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 7

The above logs are occurring for multiple VPNs and occur very frequently. Can someone please help me with this?

Thanks!!


Re: VPN Logs.

‎10-22-2015 03:32 AM

Hello eguanih,

This message indicates that when the VPN re-negotiates, it could not establish the tunnel in the data plane since it already has an active tunnel in the data plane for the same SA.

Generally this message comes when there is an active tunnel at one end and the other end tries to re-negotiate when its hard life timer expires.

Please check if you do see tunnel flaps related to this tunnel. If not, you can ignore this. But if you do see an impact on this tunnel, it is advised to open a JTAC ticket to confirm if this is a software-related issue (PR).


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: VPN Logs.

‎10-22-2015 04:36 AM

Thanks for your response. Can you please advise: as you said, one tunnel is active and still the other one is inactive, maybe because its hard timer expires. So is it possible that it is because of some timer mismatch, or is it possible to modify some timers in order to fix this issue?

Tunnel interfaces flap sometimes and sometimes they don't.


Re: VPN Logs.

‎10-22-2015 04:53 AM

Hello,

It is also possible in case we have an IPsec lifetime mismatch, when the soft timer on one end expires and the other still holds the active SA.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: VPN Logs.

‎10-22-2015 11:37 PM

Hello,

Small correction here: there will not be any IPsec lifetime mismatch here, since the lowest value will always be preferred.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
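
An added example, not part of any post in this thread: a Python sketch that parses kmd lines in the format quoted in the original post and tallies "SA unusable" failures per VPN and remote peer, so their timestamps and spacing can be compared with tunnel flap times and configured lifetimes. The function names and sample lines are constructed for illustration (only the first line's values come from the question), and the year is an assumption because the syslog timestamp carries none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input modelled on the log line quoted in the question.
TEMPLATE = ("Oct 22 {t} FW01 (FPC Slot 3, PIC Slot 0) SPC3_PIC0 kmd[181]: "
            "IKE negotiation failed with error: SA unusable. IKE Version: 1, "
            "VPN: {vpn} Gateway: {vpn}, Local: 1.5.4.9/500, Remote: {remote}/500, "
            "Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 7")
SAMPLE_LOG = "\n".join([
    TEMPLATE.format(t="09:57:16", vpn="VPN1", remote="1.27.2.42"),
    "Oct 22 10:01:02 FW01 mgd[2201]: constructed unrelated line",
    TEMPLATE.format(t="10:57:16", vpn="VPN1", remote="1.27.2.42"),
    TEMPLATE.format(t="11:03:40", vpn="VPN2", remote="192.0.2.10"),  # constructed peer
    TEMPLATE.format(t="11:57:16", vpn="VPN1", remote="1.27.2.42"),
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?kmd\[\d+\]: "
    r"IKE negotiation failed with error: (?P<error>.+?)\. "
    r"IKE Version: (?P<ike_version>\d+), VPN: (?P<vpn>\S+) Gateway: (?P<gateway>[^,]+), "
    r"Local: (?P<local>[^,]+), Remote: (?P<remote>[^,]+),")

def parse_failures(text, year=2015):
    """Return one dict per kmd 'IKE negotiation failed' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            # Syslog timestamps have no year, so an assumed one is prepended.
            ev["time"] = datetime.strptime(f"{year} {ev.pop('ts')}", "%Y %b %d %H:%M:%S")
            events.append(ev)
    return events

def summarize(events, error="SA unusable"):
    """Group failures by (VPN, remote peer) and report count and gaps in seconds."""
    by_tunnel = defaultdict(list)
    for ev in events:
        if ev["error"] == error:
            by_tunnel[(ev["vpn"], ev["remote"])].append(ev["time"])
    summary = {}
    for key, times in by_tunnel.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        summary[key] = {"count": len(times), "first": times[0],
                        "last": times[-1], "gaps_s": gaps}
    return summary

if __name__ == "__main__":
    for (vpn, remote), info in summarize(parse_failures(SAMPLE_LOG)).items():
        print(vpn, remote, info["count"], info["gaps_s"])
```
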