VPN IPSec down IKE remains up

VyOS version: 1.4-rolling-202204270217

Hello,

For some reason, my IPSec connection fails and goes down several times a day. The IKE remains UP. Do you know why this could happen? How can I troubleshoot this behaviour please?

Thank you for your help,

What are phase1 and phase2 lifetimes?

Hello,
Thanks for your answer.
Phase 1 lifetime is 86400
(set vpn ipsec ike-group ike-local-remote lifetime '86400')
Phase 2 = 3600
(set vpn ipsec esp-group esp-local-remote lifetime '3600')

Then phase1 stays up for 24h, and phase2 only for a single hour.
AFAIK, a new phase2 session should start before the old one expires. So timers are OK.
Phase1 shows as up, but is it? DPD can detect if it really is. Try enabling it.

Hi,
DPD is enabled as follows:

set vpn ipsec ike-group ike-local-remote dead-peer-detection action 'clear'
set vpn ipsec ike-group ike-local-remote dead-peer-detection interval '30'
set vpn ipsec ike-group ike-local-remote dead-peer-detection timeout '90'

In the meantime, I updated IPSec lifetime to 8 hours and it seems stable.

Setting it to 8 hours makes the issue less prominent, as phase2 is now up way longer, resulting in fewer complaints.
Maybe for some reason setup of the tunnel only works one-way.
As a workaround, forcing one side to be responder and the other initiator can help.

I changed the IPsec lifetime back to 1h on both sides and removed the passive mode on the Palo side, and it seems to work like that.

OK, so as it is stable now, I can conclude that the issue was due to the Passive mode setting enabled on the Palo side. Once disabled, it is stable.

Thank you for your help on that issue,
