I'm just trying to figure out what happened with our VPN tunnels last night. Here's the configuration.
Head office Nokia IP530 (VRRP) CP NG AI R54
Branch office Netscreens.
Last night all VPNs were up until approx 1 hour after the primary FW rebooted and came online as master. The primary FW needed a reboot to correct an issue with its logging traffic. It had been up for approx 2+ years without a reboot.
While looking into why our node monitor was showing that the VPNs had dropped: Phase 1 and Phase 2 were up, and from the logfiles on the CP FW we saw traffic being encrypted and decrypted. We only saw some invalid SA errors in regard to our node monitor. We get this from time to time, and usually get it corrected by modifying the object on the Netscreen side and back. This time it didn't work. After receiving a call from the business stating that the branch couldn't connect, we looked further into it. We saw the following.
CP/IP530
tcpdump on the CP internal interface saw traffic moving bi-directionally. Phase 1 and 2 established and no errors in the FW logfile.
Netscreen
Phase 1 and 2 established; a debug flow basic showed traffic leaving, but not returning. Uni-directional communication, i.e. using ping, ICMP requests would leave, but ICMP replies would not return, even though ping is allowed and was working before.
We then, after scheduling with the business, forced a VRRP failover. The VPN sites then came back up. So, any ideas? Keep in mind the primary FW was working, then was rebooted and came back as primary. An hour later the communication dropped, but Phase 1 and Phase 2 were up. So configurations are fine.
thanks
John
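The symptom John describes, ICMP requests leaving the branch but no replies coming back while both IKE phases stay up, is easiest to confirm from a packet capture rather than from tunnel status. The script below is an added example, not part of the post and not code from Check Point or Juniper; it parses constructed tcpdump-style ICMP lines (the sample text is made up for this example) and reports every source/destination pair that has echo requests but no matching echo replies, which is the "one-way" condition a node monitor would flag while Phase 1/2 still report established.

```python
import re
from collections import defaultdict

# Constructed sample capture (not from the original post): two hosts pinging
# across the tunnel. The 10.1.1.10 <-> 10.2.2.20 pair is healthy; the
# 10.1.1.11 -> 10.3.3.30 pair sends requests that never get a reply.
SAMPLE_LINES = """\
10:01:01.000 IP 10.1.1.10 > 10.2.2.20: ICMP echo request, id 100, seq 1, length 64
10:01:01.010 IP 10.2.2.20 > 10.1.1.10: ICMP echo reply, id 100, seq 1, length 64
10:01:02.000 IP 10.1.1.10 > 10.2.2.20: ICMP echo request, id 100, seq 2, length 64
10:01:02.010 IP 10.2.2.20 > 10.1.1.10: ICMP echo reply, id 100, seq 2, length 64
10:01:03.000 IP 10.1.1.11 > 10.3.3.30: ICMP echo request, id 200, seq 1, length 64
10:01:04.000 IP 10.1.1.11 > 10.3.3.30: ICMP echo request, id 200, seq 2, length 64
10:01:05.000 IP 10.1.1.11 > 10.3.3.30: ICMP echo request, id 200, seq 3, length 64
"""

# Matches the tcpdump default ICMP echo line format: "IP src > dst: ICMP echo request|reply, id N, seq N"
LINE_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")


def parse_icmp(lines):
    """Yield (src, dst, kind, id, seq) tuples for each ICMP echo line; skip anything else."""
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, kind, ident, seq = m.groups()
            yield src, dst, kind, int(ident), int(seq)


def summarize_pairs(lines):
    """Count echo requests and the replies that answer them, keyed by (requester, target).

    A reply from B to A is credited to the (A, B) request pair only when its
    (id, seq) was actually seen in a request, so stray replies are not counted.
    """
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    outstanding = set()  # (requester, target, id, seq) awaiting a reply
    for src, dst, kind, ident, seq in parse_icmp(lines):
        if kind == "request":
            stats[(src, dst)]["requests"] += 1
            outstanding.add((src, dst, ident, seq))
        else:
            key = (dst, src, ident, seq)  # reply flows target -> requester
            if key in outstanding:
                outstanding.discard(key)
                stats[(dst, src)]["replies"] += 1
    return dict(stats)


def one_way_pairs(lines):
    """Return sorted (requester, target) pairs that sent requests but never saw a reply."""
    stats = summarize_pairs(lines)
    return sorted(pair for pair, s in stats.items() if s["requests"] > 0 and s["replies"] == 0)


if __name__ == "__main__":
    for pair, s in sorted(summarize_pairs(SAMPLE_LINES).items()):
        print(f"{pair[0]} -> {pair[1]}: {s['requests']} requests, {s['replies']} replies")
    print("one-way pairs:", one_way_pairs(SAMPLE_LINES))
```

Run it against a real capture by replacing SAMPLE_LINES with the output of `tcpdump -n icmp` taken on the inside interface of each gateway; a pair that shows replies on the head-office side but as one-way on the branch side localizes the loss to the return path across the tunnel, which matches what the post's debug flow showed.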