site to site issue

prashantrecon
Level 1

Hi All,

We have a site-to-site tunnel. Suddenly the tunnel got disconnected and we received errors such as

IKE Peer: 196.25.48.3
     Type    : L2L             Role    : responder
    Rekey   :  yes             State   :  MM_ACTIVE_REKEY
  

IKE Peer:  196.25.48.3
     Type    : L2L             Role    : responder
    Rekey   :  no              State   :  MM_REKEY_DONE_H2

And after some time the tunnel was up automatically. When we confirmed with the far-end network admin, no changes were made from their side. From our side no changes were made.

My question is: are there any other factors for the tunnel-down reason?

9 Replies

ajay chauhan
Level 7

Should be related to the SA life cycle. Check both ends for a mismatch or a very short duration being configured.

Hi Ajay

Now the tunnel is displaying as

IKE Peer: 196.25.48.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

But the problem is we are not able to connect to some remote machines. As checked, Phase 1 is up, we have allowed the IP range on the firewall, and there is no log when the show connection command is executed.

Can you please suggest some commands to check where the problem is?

I would suggest the following:

1) Check all parameters; both ends should be the same for phase 1 and phase 2.

2) Check the PFS setting; if configured, it should be on both sides. It can also be tested by removing it on both ends.

3) Check the crypto ACL.

4) Run show ipsec sa to check if some traffic is going; it might be one way.

5) Finally, run the packet-tracer command:

packet-tracer input inside tcp <source-ip> 1024 <destination-ip> 80

(The source and destination IPs were not given in the original post; the placeholders in angle brackets stand for the inside host and the remote host you are testing.) It will show you what is happening in the packet flow.

Thanks

Ajay
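As an added example (not code from the thread), a small Python check for step 4 above: it parses two snapshots of `show crypto ipsec sa` taken a few minutes apart and flags any peer whose encaps counter grows while decaps stays flat, which is the one-way pattern the thread goes on to describe. The ASA output below is constructed sample text, with one IPsec SA per peer assumed.

```python
import re
from typing import Dict, Tuple

# Constructed sample: two snapshots of `show crypto ipsec sa` a few minutes
# apart. Only encaps moves between them, mirroring the thread's symptom.
SNAPSHOT_T0 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 196.25.48.3

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace(
    "encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200",
    "encaps: 1375, #pkts encrypt: 1375, #pkts digest: 1375")

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

def parse_sa_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Map each peer to its (encaps, decaps) packet counters (one SA per peer assumed)."""
    counters, peer, enc = {}, None, None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            peer, enc = m.group(1), None      # new SA block starts here
        elif m := ENCAPS_RE.search(line):
            enc = int(m.group(1))
        elif (m := DECAPS_RE.search(line)) and peer is not None and enc is not None:
            counters[peer] = (enc, int(m.group(1)))
    return counters

def classify_traffic(before: str, after: str) -> Dict[str, str]:
    """Compare two snapshots and label each peer's traffic pattern."""
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    verdict = {}
    for peer, (enc_now, dec_now) in a.items():
        enc_delta = enc_now - b.get(peer, (0, 0))[0]
        dec_delta = dec_now - b.get(peer, (0, 0))[1]
        if enc_delta > 0 and dec_delta == 0:
            verdict[peer] = "one-way: we encrypt, nothing decrypted (check far end / crypto ACL)"
        elif enc_delta == 0 and dec_delta > 0:
            verdict[peer] = "one-way: we decrypt, nothing sent (check local routing / ACL)"
        else:
            verdict[peer] = "idle" if enc_delta == dec_delta == 0 else "two-way"
    return verdict

if __name__ == "__main__":
    for peer, label in classify_traffic(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(peer, label)
```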

Hi Ajay,

The problem: we are able to take remote of one machine, but not able to take remote of any other machine in the same range.

When I executed the command show crypto ipsec sa, the encrypted packets are increasing but the decrypted packets remain the same.

Is the problem from the far end?

Yes, it might be that PFS is on at the other side. I would suggest taking a look on the remote side.

Hi, please suggest on the above output.

Looks like it is dropped by the crypto ACL. Please paste the config; only then can I suggest something.

Hi Ajay,

The issue is solved; there was some problem at the far end.

Thanks

Great
