< Home

IPSEC-VPN_1.3.6.1.4.1.2011.6.122.26.6.2 hwIPSecTunnelStop

Description

IPSEC-VPN/4/IPSECTUNNELSTOP: OID [oid] The IPSec tunnel is deleted. (Ifindex=[Ifindex], SeqNum=[SeqNum],TunnelIndex=[TunnelIndex], RuleNum=[RuleNum], DstIP=[DstIP], InsideIP=[InsideIP], RemotePort=[RemotePort], CpuID=[CpuID], SrcIP=[SrcIP], FlowInfo=[FlowInfo], OfflineReason=[offlinereason], VsysName=[vsys-name], InterfaceName=[InterfaceName], SlotID=[SlotID])

An IPSec tunnel is deleted.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.6.122.26.6.2 Warning Communications alarm

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
Ifindex Indicates the interface index.
SeqNum Indicates the policy number.
TunnelIndex Indicates the tunnel index.
RuleNum Indicates the rule number.
DstIP Indicates the IP address of the peer end of the IPSec tunnel.
InsideIP Indicates the intranet IP address of the peer end of the tunnel.
RemotePort Indicates the port number of the peer end of the IPSec tunnel.
CpuID Indicates the CPU number.
SrcIP Indicates the IP address of the local end of the IPSec tunnel.
FlowInfo Indicates the data flow information of the IPSec tunnel, including the source address, destination address, ACL port number, ACL protocol number, and DSCP.
offlinereason Indicates the reason why the IPSec tunnel was deleted.

vsys-name

Indicates the name of the virtual system to which the IPSec policy belongs.

NOTE:

The device does not support this parameter.
InterfaceName Indicates the interface name.
SlotID

Indicates the Slot number.

NOTE:

The device does not support this parameter.

Impact on the System

An IPSec tunnel has been deleted.

Possible Causes

An IPSec tunnel has been deleted due to the following causes:

  • dpd timeout: Dead peer detection (DPD) times out.
  • peer request: The remote end has sent a message, asking the local end to tear down the tunnel.
  • config modify or manual offline: An SA is deleted due to configuration modification or an SA is manually deleted.
  • phase1 hard expiry: Hard lifetime expires in phase 1 (no new SA negotiation success message is received).
  • phase2 hard expiry: Hard lifetime expires in phase 2.
  • heartbeat timeout: heartbeat detection times out.
  • modecfg address soft expiry: The IP address lease applied by the remote end from the server expires.
  • re-auth timeout: An SA is deleted due to reauthentication timeout.
  • aaa cut user: The AAA module disconnects users.
  • hard expiry triggered by port mismatch: A hard timeout occurs due to mismatch NAT port number.
  • spi conflict: An SPI conflict occurs.
  • phase1 sa replace: The new IKE SA replaces the old IKE SA.
  • phase2 sa replace: The new IPSec SA replaces the old IPsec SA.
  • receive invalid spi notify: The device receives an invalid SPI notification.
  • dns resolution status change: DNS resolution status changes.
  • ikev1 phase1-phase2 sa dependent offline: The device deletes the associated IPSec SA when deleting an IKEv1 SA.
  • exchange timeout: Packet interaction timeout.

Procedure

  • Cause: dpd timeout

    Perform the ping operation to check link reachability. If the link is unreachable, check the link and network configuration.

  • Cause: heartbeat timeout

    1. Perform the ping operation to check link reachability. If the link is unreachable, check the link configuration.

    2. Check the heartbeat configuration on the two ends. If the configuration is incorrect, correct it.

  • Cause: config modify or manual offline

    1. Check whether the tunnel is deleted manually or whether the SA is reset. If so, no operation is required.
    2. Check whether the IPSec configuration modified on the local end is correct. If not, correct the IPSec configuration.
    3. Check whether manually deleted IPSec policies are redundant. If they are not redundant, reapply IPSec policies to the interface.

  • Cause: phase1 hard expiry

    Check whether the IKE SA lifetime is proper. If not, modify the IKE SA lifetime.

  • Cause: phase2 hard expiry

    Check whether the IPSec SA lifetime is proper. If not, modify the IPSec SA lifetime.

  • Cause: hard expiry triggered by port mismatch

    Check whether the two ends use the same NAT port number. If not, modify the NAT port numbers to be the same.

  • Cause: peer request

    Check log information of the remote device and determine the causes for the IPSec tunnel fault accordingly.

  • Cause: receive invalid spi notify

    If this fault occurs frequently, check whether the remote device status or configurations are abnormal.

  • Cause: dns resolution status change

    1. Ensure that the link between the device and DNS server is normal.
    2. Ensure that the DNS server is working properly.
    3. Ensure that the domain name configured using the remote-address host-name command is correct.

  • Cause: ikev1 phase1-phase2 sa dependent offline

    This symptom is normal and no operation is required if the devices at two ends can renegotiate the IKE SA and IPSec SA. Otherwise, you are advised to run the undo ikev1 phase1-phase2 sa dependent command on the local device to cancel dependency between IPSec SA and IKE SA during IKEv1 negotiation.

  • Cause: exchange timeout

    Ensure that the link is normal and the IPSec configuration is correct.

  • Cause: kick old sa with same flow

    Run the ipsec remote traffic-identical accept command to allow branch or other users to quickly access the headquarters network.

  • Cause: aaa cut user, modecfg address soft expiry, re-auth timeout, phase1 sa replace, phase2 sa replace, spi conflict

    This symptom is normal and no operation is required.

Related Information

IPSec_1.3.6.1.4.1.2011.6.122.26.6.1 hwIPSecTunnelStart
Parent Topic: IPSec
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >