VPN issue

Status
Not open for further replies.

rn4it

MIS
Nov 7, 2002
671
CA
I'm just trying to figure out what happened with our VPN tunnels last night. Here's the configuration.
Head office Nokia IP530 (VRRP) CP NG AI R54
Branch office Netscreens.

Last night all VPNs were up until approx 1 hour after the primary FW rebooted and came online as master. The primary FW needed a reboot to correct an issue with its logging traffic. It had been up for approx 2yrs+ without a reboot.

While looking into why our Node monitor was showing that the VPNs dropped, Phase 1 and Phase 2 were up, and from the logfiles on the CP FW we saw traffic being encrypted and decrypted. We only saw some invalid SA error in regard to our Node monitor. We get this from time to time, and usually get this corrected by modifying the object on the Netscreen side and back. This time it didn't work. After receiving a call from the business stating that the branch couldn't connect, we looked further into it. We saw the following.
CP/IP530
tcpdump on the CP internal interface saw traffic moving bi-directionally. Phase 1 and 2 established and no errors in the FW logfile.

Netscreen
Phase 1 and 2 established; a debug flow basic showed traffic leaving, but not returning. Uni-directional communication, i.e. using ping, ICMP requests would leave, but ICMP replies would not return, even though ping is allowed and was working before.

We then, after scheduling with the business, forced a VRRP failover. The VPN sites then came back up. So any ideas? Keep in mind the primary FW was working, then was rebooted and came back as primary. An hour later the communication dropped, but Phase 1 and Phase 2 were up. So configurations are fine.

thanks
John
 