< Home

IPSEC-VPN/5/IPSEC_TUNNEL_TEARED_DOWN

Message

IPSEC-VPN/5/IPSEC_TUNNEL_TEARED_DOWN:An IPSec tunnel is teared down. (PolicyName=[policy-name], IfIndex=[if-index], SeqNum=[seq-num], RuleNum=[rule-num], SrcIP=[src-ip], DstIP=[det-ip], InboundSPI=[inboundspi], Slot=[slot-id], CpuID=[cpu-id], OfflineReason=[offline-reason], State=[state])

Description

An IPSec tunnel has been torn down.

Parameters

Parameter Name Parameter Meaning
PolicyName Indicates an IPSec policy name.
IfIndex Indicates an interface index.
SeqNum Indicates the sequence number of the IPSec policy.
RuleNum Indicates the number of an ACL rule.
SrcIP Indicates the source IP address of the IPSec tunnel.
DstIP Indicates the destination IP address of the IPSec tunnel.
InboundSPI Indicates the security parameter index value in the inbound direction.
Slot Indicates the slot ID of the Service Processing Unit (SPU).
CpuID Indicates a CPU ID.
OfflineReason Indicates the cause for tunnel down.
State Indicates the IPSec tunnel status.
  • Normal: The IPSec tunnel is established between the active device and the remote device.
  • Backup: The IPSec tunnel is established between the standby device and the remote device.

Possible Causes

An IPSec tunnel has been torn down due to the following causes:

  • dpd timeout: Dead peer detection (DPD) times out.
  • peer request: The remote end has sent a message, asking the local end to tear down the tunnel.
  • config modify or manual offline: An SA is deleted due to configuration modification or an SA is manually deleted.
  • phase1 hard expiry: Hard lifetime expires in phase 1 (no new SA negotiation success message is received).
  • phase2 hard expiry: Hard lifetime expires in phase 2.
  • heartbeat timeout: heartbeat detection times out.
  • modecfg address soft expiry: The IP address lease applied by the remote end from the server expires.
  • re-auth timeout: An SA is deleted due to reauthentication timeout.
  • aaa cut user: The AAA module disconnects users.
  • hard expiry triggered by port mismatch: A hard timeout occurs due to mismatch NAT port number.
  • spi conflict: An SPI conflict occurs.
  • phase1 sa replace: The new IKE SA replaces the old IKE SA.
  • phase2 sa replace: The new IPSec SA replaces the old IPsec SA.
  • receive invalid spi notify: The device receives an invalid SPI notification.
  • dns resolution status change: DNS resolution status changes.
  • ikev1 phase1-phase2 sa dependent offline: The device deletes the associated IPSec SA when deleting an IKEv1 SA.
  • exchange timeout: Packet interaction timeout.

Procedure

  • Cause: dpd timeout

    Perform the ping operation to check link reachability. If the link is unreachable, check the link and network configuration.

  • Cause: heartbeat timeout

    1. Perform the ping operation to check link reachability. If the link is unreachable, check the link configuration.

    2. Check the heartbeat configuration on the two ends. If the configuration is incorrect, correct it.

  • Cause: config modify or manual offline

    1. Check whether the tunnel is deleted manually or whether the SA is reset. If so, no operation is required.
    2. Check whether the IPSec configuration modified on the local end is correct. If not, correct the IPSec configuration.
    3. Check whether manually deleted IPSec policies are redundant. If they are not redundant, reapply IPSec policies to the interface.

  • Cause: phase1 hard expiry

    Check whether the IKE SA lifetime is proper. If not, modify the IKE SA lifetime.

  • Cause: phase2 hard expiry

    Check whether the IPSec SA lifetime is proper. If not, modify the IPSec SA lifetime.

  • Cause: hard expiry triggered by port mismatch

    Check whether the two ends use the same NAT port number. If not, modify the NAT port numbers to be the same.

  • Cause: peer request

    Check log information of the remote device and determine the causes for the IPSec tunnel fault accordingly.

  • Cause: receive invalid spi notify

    If this fault occurs frequently, check whether the remote device status or configurations are abnormal.

  • Cause: dns resolution status change

    1. Ensure that the link between the device and DNS server is normal.
    2. Ensure that the DNS server is working properly.
    3. Ensure that the domain name configured using the remote-address host-name command is correct.

  • Cause: ikev1 phase1-phase2 sa dependent offline

    This symptom is normal and no operation is required if the devices at two ends can renegotiate the IKE SA and IPSec SA. Otherwise, you are advised to run the undo ikev1 phase1-phase2 sa dependent command on the local device to cancel dependency between IPSec SA and IKE SA during IKEv1 negotiation.

  • Cause: exchange timeout

    Ensure that the link is normal and the IPSec configuration is correct.

  • Cause: kick old sa with same flow

    Run the ipsec remote traffic-identical accept command to allow branch or other users to quickly access the headquarters network.

  • Cause: aaa cut user, modecfg address soft expiry, re-auth timeout, phase1 sa replace, phase2 sa replace, spi conflict

    This symptom is normal and no operation is required.

Parent Topic: IPSec
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic