BOVPN goes down/disconnects randomly using IKEv2 with a Cisco peer.

Hi,
Firebox M370
WSM 12.3

I have a BOVPN to a Cisco peer, but suddenly and randomly the connection goes down and I need to disable/enable the gateway in order for the VPN to connect again.
This is part of the log:
201.local.ip is my public IP.
13.remote.ip is the remote peer IP.

Let me know if you need more information.
Thanks a lot.

2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)IkeFindIsakmpSAByP1saId: find P1 SA with src 201.local.ip dst 13.remote.ip p1saId:0x89ae34e6, pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ike2_IkeSAGet_ByAddr: find IkeSA with src 201.local.ip dst 13.remote.ip p1saId 0x89ae34e6, pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ikeConnMatched: srcAddr:201.local.ip/201.local.ip, dstAddr:13.remote.ip/13.remote.ip, srcPort:0/500, dstPort:0/500, pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ike2_BuildMsg_Payloads: Built IKEv2 IKE header payload. Total message length:28, pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ike2_EncapMsg: encrypt message as responder, pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)create a request message retry object(0xc12258 name:DPD request, msgId:47, intval:4) successfully - obj_cnt:1/tot_cnt:1, pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ike2_free_pkt_payloads: free Unknown packet object, pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)'DPD request' message created successfully. length:60, pri=6, proc_id=iked, msg_id=
2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)Sent out DPD request message (msgId:47) from 201.local.ip:500 to 13.remote.ip:500 for 'Gateway to Azure' gateway endpoint successfully., pri=6, proc_id=iked, msg_id=
2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ikeSA(0xc1f8d8)'s msgIdSend is updated: 47 -> 48, pri=6, proc_id=iked, msg_id=
2019-10-22 07:20:21
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ike2DpdRetransCb: sending out DPD R_U_THERE message to peer(13.remote.ip:500), pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:21
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)Remote gateway 'Gateway to Azure' with IP 13.remote.ip:500 did not send DPD R_U_THERE_ACK message back. 5 retries left, pri=4, proc_id=iked, msg_id=
2019-10-22 07:20:21
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)Resending DPD request message (id:47) from '201.local.ip:500' to '13.remote.ip:500'. Gateway-Endpoint:'Gateway to Azure', pri=6, proc_id=iked, msg_id=
2019-10-22 07:20:24
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ike2DpdRetransCb: sending out DPD R_U_THERE message to peer(13.remote.ip:500), pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:24
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)Remote gateway 'Gateway to Azure' with IP 13.remote.ip:500 did not send DPD R_U_THERE_ACK message back. 4 retries left, pri=4, proc_id=iked, msg_id=
2019-10-22 07:20:24
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)Resending DPD request message (id:47) from '201.local.ip:500' to '13.remote.ip:500'. Gateway-Endpoint:'Gateway to Azure', pri=6, proc_id=iked, msg_id=
2019-10-22 07:20:28
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ike2DpdRetransCb: sending out DPD R_U_THERE message to peer(13.remote.ip:500), pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:28
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)Remote gateway 'Gateway to Azure' with IP 13.remote.ip:500 did not send DPD R_U_THERE_ACK message back. 3 retries left, pri=4, proc_id=iked, msg_id=
2019-10-22 07:20:28
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)Resending DPD request message (id:47) from '201.local.ip:500' to '13.remote.ip:500'. Gateway-Endpoint:'Gateway to Azure', pri=6, proc_id=iked, msg_id=
2019-10-22 07:20:32
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ike2DpdRetransCb: sending out DPD R_U_THERE message to peer(13.remote.ip:500), pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:32
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)Remote gateway 'Gateway to Azure' with IP 13.remote.ip:500 did not send DPD R_U_THERE_ACK message back. 2 retries left, pri=4, proc_id=iked, msg_id=
2019-10-22 07:20:32
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)Resending DPD request message (id:47) from '201.local.ip:500' to '13.remote.ip:500'. Gateway-Endpoint:'Gateway to Azure', pri=6, proc_id=iked, msg_id=
2019-10-22 07:20:33
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ike2_IkeSAGet_BySPI: find IkeSA by SPI (Init: 0xe9faba2a Resp: 0x0), pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:33
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)ike2_IkeSAGet_ByDetails: the ikeSA list is empty, pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:33
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)parse and validate the received SA payload (0x8fa970), pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:33
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)validating proposal[$1]'s 4 transform(s), pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:33
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)validating proposal[$2]'s 4 transform(s), pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:33
FWStatus, (201.local.ip<->13.remote.ip) nextPayload:43, pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:33
FWStatus, (201.local.ip<->13.remote.ip) reserved:0x0, pri=7, proc_id=iked, msg_id=
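To make the pattern in the log above easier to spot in a longer export, here is an added parser (not from the thread or from WatchGuard) that re-joins the Firebox's split timestamp/FWStatus lines and summarises a DPD outage: when the first DPD probe went out, how many R_U_THERE_ACK misses followed, and when the peer came back with a fresh IKE_SA_INIT. The sample log is a constructed excerpt in the thread's format with its placeholder addresses; the "delete" keyword used to look for a teardown is an assumption, since the thread never shows that message.

```python
import re
from datetime import datetime

# Constructed excerpt in the export format seen in this thread (timestamp line,
# optional "Diagnostic" line, FWStatus line); addresses are the thread's placeholders.
SAMPLE_LOG = """\
2019-10-22 07:20:17
Diagnostic
FWStatus, (201.local.ip<->13.remote.ip)Sent out DPD request message (msgId:47) from 201.local.ip:500 to 13.remote.ip:500 for 'Gateway to Azure' gateway endpoint successfully., pri=6, proc_id=iked, msg_id=
2019-10-22 07:20:21
FWStatus, (201.local.ip<->13.remote.ip)Remote gateway 'Gateway to Azure' with IP 13.remote.ip:500 did not send DPD R_U_THERE_ACK message back. 5 retries left, pri=4, proc_id=iked, msg_id=
2019-10-22 07:20:24
FWStatus, (201.local.ip<->13.remote.ip)Remote gateway 'Gateway to Azure' with IP 13.remote.ip:500 did not send DPD R_U_THERE_ACK message back. 4 retries left, pri=4, proc_id=iked, msg_id=
2019-10-22 07:20:33
FWStatus, (201.local.ip<->13.remote.ip)ike2_IkeSAGet_ByDetails: the ikeSA list is empty, pri=7, proc_id=iked, msg_id=
2019-10-22 07:20:33
FWStatus, (201.local.ip<->13.remote.ip)ike2_print_pkt: dumping the ike2 pkt - IKE_SA_INIT request, pri=7, proc_id=iked, msg_id=
"""

TS_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d$")
MSG_RE = re.compile(r"^FWStatus, \((\S+?)<->(\S+?)\)(.*), pri=(\d+), proc_id=iked")
MISS_RE = re.compile(r"Remote gateway '([^']+)' .* did not send DPD R_U_THERE_ACK .* (\d+) retries left")

def parse_events(text):
    """Re-join the export's split lines into {ts, src, dst, msg, pri} events."""
    events, ts = [], None
    for line in text.splitlines():
        if TS_RE.match(line):
            ts = datetime.strptime(line, "%Y-%m-%d %H:%M:%S")
        elif (m := MSG_RE.match(line)) and ts:
            src, dst, msg, pri = m.groups()
            events.append({"ts": ts, "src": src, "dst": dst, "msg": msg, "pri": int(pri)})
    return events

def analyze_dpd(events):
    """Summarise one DPD outage: first probe, missed ACK countdown, SA loss, peer re-init."""
    r = {"gateway": None, "dpd_sent": None, "misses": [], "sa_list_empty": None,
         "peer_reinit": None, "teardown_seen": False}
    for e in events:
        msg = e["msg"]
        if "Sent out DPD request" in msg and r["dpd_sent"] is None:
            r["dpd_sent"] = e["ts"]
        elif (m := MISS_RE.search(msg)):
            r["gateway"] = m.group(1)
            r["misses"].append(int(m.group(2)))          # retries-left countdown
        elif "the ikeSA list is empty" in msg:
            r["sa_list_empty"] = e["ts"]                 # our side has no IKE SA left
        elif "IKE_SA_INIT request" in msg and r["peer_reinit"] is None:
            r["peer_reinit"] = e["ts"]                   # peer starts over from scratch
        elif "delete" in msg.lower():                    # assumption: teardown wording
            r["teardown_seen"] = True
    if r["dpd_sent"] and r["peer_reinit"]:
        r["silent_seconds"] = int((r["peer_reinit"] - r["dpd_sent"]).total_seconds())
    return r
```

A run over a full export that shows misses counting down with no teardown and then a peer-initiated IKE_SA_INIT points at the remote side having dropped its SA silently, which is the detail worth attaching to the support case.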

Comments

  • Later in the same log:

    FWStatus, (201.local.ip<->13.remote.ip)Adding IKEv2 V payload to packet object. data:0xbf37d8 length:24, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)'Gateway to TPL' IKE policy peer IP NOT matched. Continuing to find policy with matching peer IP., pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)'Gateway to RS*1' IKE policy peer IP NOT matched. Continuing to find policy with matching peer IP., pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)'Gateway to RS' IKE policy peer IP NOT matched. Continuing to find policy with matching peer IP., pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)'Gateway to Mty' IKE policy peer IP NOT matched. Continuing to find policy with matching peer IP., pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)'GateWay to Laser' IKE policy peer IP NOT matched. Continuing to find policy with matching peer IP., pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike_match_if_name: Match pcy [Gateway to Azure] dev:eth1, pkt if[3]:eth1, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)'Gateway to Azure' IKE policy matched with correct peer IP and In-If. matchFlags:0x00000005, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)create a new IkeV2SA(0xc208e8) successfully, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)start the lifetime timer for ikeV2SA (0xc208e8), pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike2_print_pkt: dumping the ike2 pkt - IKE_SA_INIT request, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)payload order: [ SA KE NONCE N N V V V V], pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)paylods:, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[SA]: adress:0xba1308, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[KE]: adress:0xba1848, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[NONCE]: adress:0xba7ba8, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[N(NAT_DETECTION_SOURCE_IP)]: adress:0xbdd158, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[N(NAT_DETECTION_DESTINATION_IP)]: adress:0xbeb8f8, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[V]: adress:0xba2918, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[V]: adress:0xbb3ed8, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[V]: adress:0xbef3c8, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[V]: adress:0xbf37d8, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)processing received IKE_SA_INIT request message, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike2_Process_SAInit_Request: --> , pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ikeConnMatched: srcAddr:201.local.ip/201.local.ip, dstAddr:13.remote.ip/13.remote.ip, srcPort:500/500, dstPort:500/500, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike2_findIkeProposal: try to find the matched transforms from the received proposal[1], pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike2_findIkeProposal: try to find the matched transforms from the received proposal[2], pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike2_findIkeProposal: try to find the matched transforms from the received proposal[3], pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike2_findIkeProposal: try to find the matched transforms from the received proposal[4], pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike2_findIkeProposal: try to find the matched transforms from the received proposal[5], pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike2_findIkeProposal: found the matched transforms from the received proposal[5]:[prop-num:5 proto-id:1 auth-method:2 auth-alg:2 encr-alg:3 encr-key-len:0 DH-group:2 life-time:28800 life-KB:0], pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)need to process the received notify payloads (2), pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)Received N(NAT_DETECTION_SOURCE_IP)(16388) for 'Gateway to Azure' gateway endpoint. Length:20, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)Received N(NAT_DETECTION_DESTINATION_IP)(16389) for 'Gateway to Azure' gateway endpoint. Length:20, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)need to process the received vendor id payloads (4), pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)Building IKE_SA_INIT response message..., pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)Adding IKEv2 SA payload to packet object. data:0xc131a8 length:44, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ikeComputePKCryptoPublicKey: DH-Group:2 keDataBufLen:1024 pDh->uiPrimeLen:128 usTempLen:128 (pDh->uiPrimeLen - usTempLen):0 *pOutKEDataLen:128, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)Computed KE data. Length:128 DH-Group:2, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)Adding IKEv2 KE payload to packet object. data:0xba7058 length:136, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike2_print_pkt: dumping the ike2 pkt - IKE_AUTH request, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)payload order: [ IDi AUTH SA TSi TSr], pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)paylods:, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[SA]: adress:0xbef3c8, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[IDi]: adress:0xbeae88, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[AUTH]: adress:0xbcba88, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[TSi]: adress:0xba6138, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)[TSr]: adress:0xb86298, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)processing received IKE_AUTH request message, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33
    FWStatus, (201.local.ip<->13.remote.ip)ike2_Process_AuthRequest:-->, pri=7, proc_id=iked, msg_id=
    2019-10-22 07:20:33

  • You really should open a support incident on this

  • James_Carson Moderator, WatchGuard Representative

    Hi @eqcrbs03

    I'd suggest opening a case for this, like Bruce said. If you have access to the logs on the Cisco side, that could be useful for the case as well.

    My best guess based on what we're seeing is that one side could be timing out -- but we'd generally see a teardown request if that happened.

    -James Carson
    WatchGuard Customer Support

  • I'll do that, thank you gentlemen.