IKEv2 users on macOS Sequoia disconnect randomly

Hi,
I am experiencing random disconnections of macOS Sequoia users using the IKEv2 protocol. The symptoms include dropping the connection to the internet while the macOS client shows a "connected" state. This is what the Firebox shows around the time of disconnection (xxx.90 is the Firebox IP, xxx.58 is mine):
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Send last IKE_AUTH exchange to client:xxx.xxx.xxx.58:4500. IKE-Policy:'WG IKEv2 MVPN'
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)It is a zero route tunnel
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)MOBIKE: support MOBIKE, include N(MOBIKE_SUPPORTED)
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)'IKE_AUTH response' message created successfully. length:240
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Sent out IKE_AUTH response message (msgId=5) from xxx.xxx.xxx.90:4500 to xxx.xxx.xxx.58:4500 for 'WG IKEv2 MVPN' gateway endpoint successfully.
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)ikeSA(0x21c803c8)'s msgIdRecv is updated: 5 -> 6
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)download SPs now, since the client ip is learned as xxx.xxx.xxx.58, ikePcy(WG IKEv2 MVPN)
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)******action=ACTION_ADD_SP, ipsecPcyName=WG IKEv2 MVPN keyMode:2 vpnType:2 installedSP:3
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)IPSec SP downloaded for Gateway-Endpoint['WG IKEv2 MVPN' local:xxx.xxx.xxx.90 remote:xxx.xxx.xxx.58:4500] Tunnel['WG IKEv2 MVPN' saddr:0 daddr:10.0.1.1/24-10.0.1.1/24] installedSP:6
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)'WG IKEv2 MVPN' MUVPN IPSec tunnel is established. local:0 remote:0 in-SA:0x64efb618 out-SA:0x0e7985b3 role:responder msg_id="0207-0001"
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)childState(0x21c7e1d8) state change: CREATED ==> MATURE, reason: "Installed Child SAs Successfully"
2025-07-28 00:19:58 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)childState(0x21c7e1d8) state change: MATURE ==> DEL, reason: "Free the Child State"
2025-07-28 00:20:08 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)stop the given response retry object(0x21ce7288, name="IKE_AUTH response", msgId=5)
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)ikeDoDdpAction: received INIT_DPD message for SA dir:OUT spi:0x0e7985b3
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)ikeDoDdpAction: received INIT_DPD message for SA. dir:OUT IKE-said:29572b68 ike-policy:'WG IKEv2 MVPN'
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)'DPD request' message created successfully. length:80
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Sent out DPD request message (msgId=0) from xxx.xxx.xxx.90:4500 to xxx.xxx.xxx.58:4500 for 'WG IKEv2 MVPN' gateway endpoint successfully.
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)ikeSA(0x21c803c8)'s msgIdSend is updated: 0 -> 1
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)******** RECV an IKE packet at xxx.xxx.xxx.90:4500(socket=15 ifIndex=4) from Peer xxx.xxx.xxx.58:4500 ********
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Received IKEv2 "INFO response" message with message-ID:0 length:80 SPI[i=2185479e6747d915 r=be97990b306582ec]
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)"INFO response" message has 1 payloads [ ENCR(sz=52)]
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Got IKE policy 'WG IKEv2 MVPN' from ikeSA(0x21c803c8)
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)"INFO response" message has 0 payloads []
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)IKEv2 "INFO response"'s decrypted message contains 0 payloads []
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)dispatch the received INFO response message - IkeSA(0x21c803c8)'s state=MATURE
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Received the DPD response from xxx.xxx.xxx.58:4500 for gateway(WG IKEv2 MVPN), msgId=0
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)ike2_P1StatusChange: no need to do the multiwan check for the non-BOVPN policy(WG IKEv2 MVPN)
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)stop the retry object(0x21ce7288) for the previous request message(name=DPD request, msgId=0)
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)ikeDoDdpAction: received INIT_DPD message for SA dir:OUT spi:0x0e7985b3
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)ikeDoDdpAction: received INIT_DPD message for SA. dir:OUT IKE-said:29572b68 ike-policy:'WG IKEv2 MVPN'
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)'DPD request' message created successfully. length:80
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Sent out DPD request message (msgId=1) from xxx.xxx.xxx.90:4500 to xxx.xxx.xxx.58:4500 for 'WG IKEv2 MVPN' gateway endpoint successfully.
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)ikeSA(0x21c803c8)'s msgIdSend is updated: 1 -> 2
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)******** RECV an IKE packet at xxx.xxx.xxx.90:4500(socket=15 ifIndex=4) from Peer xxx.xxx.xxx.58:4500 ********
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Received IKEv2 "INFO response" message with message-ID:1 length:80 SPI[i=2185479e6747d915 r=be97990b306582ec]
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)"INFO response" message has 1 payloads [ ENCR(sz=52)]
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Got IKE policy 'WG IKEv2 MVPN' from ikeSA(0x21c803c8)
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)"INFO response" message has 0 payloads []
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)IKEv2 "INFO response"'s decrypted message contains 0 payloads []
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)dispatch the received INFO response message - IkeSA(0x21c803c8)'s state=MATURE
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Received the DPD response from xxx.xxx.xxx.58:4500 for gateway(WG IKEv2 MVPN), msgId=1
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)ike2_P1StatusChange: no need to do the multiwan check for the non-BOVPN policy(WG IKEv2 MVPN)
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)stop the retry object(0x21ce7288) for the previous request message(name=DPD request, msgId=1)

Any thoughts?
Thanks

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Leonid
    I'd suggest creating a support case so that we can take a closer look. The logs are just suggesting there might be a problem with DPD (dead peer detection) but don't really outline what the problem is.

    -James Carson
    WatchGuard Customer Support
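
One way to check the DPD exchanges in an iked log like the one posted is to pair each DPD request with its response by msgId and list any probe that went unanswered. This is an added example, not code from the thread or from WatchGuard; the function name `audit_dpd` is hypothetical and the sample lines are constructed in the format of the posted log.

```python
import re
from datetime import datetime

# Constructed sample in the format of the iked lines posted above (shortened);
# the request with msgId=2 is deliberately left unanswered.
SAMPLE_LOG = """\
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Sent out DPD request message (msgId=0) from xxx.xxx.xxx.90:4500 to xxx.xxx.xxx.58:4500
2025-07-28 00:22:24 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Received the DPD response from xxx.xxx.xxx.58:4500 for gateway(WG IKEv2 MVPN), msgId=0
2025-07-28 00:24:02 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Sent out DPD request message (msgId=1) from xxx.xxx.xxx.90:4500 to xxx.xxx.xxx.58:4500
2025-07-28 00:24:03 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Received the DPD response from xxx.xxx.xxx.58:4500 for gateway(WG IKEv2 MVPN), msgId=1
2025-07-28 00:25:40 iked (xxx.xxx.xxx.90<->xxx.xxx.xxx.58)Sent out DPD request message (msgId=2) from xxx.xxx.xxx.90:4500 to xxx.xxx.xxx.58:4500
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) iked \(([^)]*)\)(.*)$")
REQ = re.compile(r"Sent out DPD request message \(msgId=(\d+)\)")
RSP = re.compile(r"Received the DPD response from .*msgId=(\d+)")

def audit_dpd(log_text):
    """Return (answered, unanswered) DPD probes, keyed by peer pair and msgId."""
    pending = {}     # (peers, msgId) -> datetime the request was sent
    answered = []    # (peers, msgId, seconds until the response was logged)
    unanswered = []  # (peers, msgId, time sent) with no response in the log
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not iked entries
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        peers, msg = m.group(2), m.group(3)
        req, rsp = REQ.search(msg), RSP.search(msg)
        if req:
            key = (peers, int(req.group(1)))
            # msgId restarts at 0 on a new IKE SA: a reused key means the
            # earlier probe never got its response.
            if key in pending:
                unanswered.append((*key, str(pending[key])))
            pending[key] = ts
        elif rsp:
            key = (peers, int(rsp.group(1)))
            sent = pending.pop(key, None)
            if sent is not None:
                answered.append((*key, (ts - sent).total_seconds()))
    unanswered += [(p, i, str(t)) for (p, i), t in pending.items()]
    return answered, unanswered

if __name__ == "__main__":
    ok, missing = audit_dpd(SAMPLE_LOG)
    print("answered:", ok)
    print("unanswered:", missing)
```

Run over the excerpt posted above, the same pairing matches both DPD requests (msgId 0 and 1) to responses logged in the same second.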
