BOVPN Virtual Interface - diag

cloudcloud
in Firebox - VPN Branch Office

2020-07-22 09:48:43 iked (xxx.xxx.xxx.A<->xxx.xxx.xxx.B)IKE phase-2 negotiation from xxx.xxx.xxx.A:500 to xxx.xxx.xxx.B failed. Tunnel='BovpnVif.1' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.

2020-07-22 09:48:43 iked (xxx.xxx.xxx.A<->xxx.xxx.xxx.B)Did not receive response for QM msgId:0x9114bbd0

2020-07-22 09:49:04 iked (xxx.xxx.xxx.A<->xxx.xxx.xxx.B)Critical Error! - could not locate the IN and OUT SPSAItems

Could someone explain me what each of thoes lines means, like technicaly and what should be done to resolve problem ?

Comments

  • Bruce_BriggsBruce_Briggs

    retry timeout - timeout is a non-response after a selected time. retry happens after the initial access does not get a response.

    Did not receive response - what it says.

    Contact the other end to see what is going on here. The other end is not responding to the BOVPN IKE packets from XTM.

  • PumaPuma
    Hi, could you please explain reason of last line Critical Error! - could not locate the IN and OUT SPSAItems, same error for me. What does it means?
    how I can debug it on WG or in other end? Thanks
  • Bruce_BriggsBruce_Briggs

    Most likely:
    SP = Security Policies
    SA = Security Associations

    Verify that the Phase 2 setting match at each end.

    If you have not done so already, you can turn on diagnostic logging for IKE which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

    Besides Diagnostic Logging, you have 2 other options when the session is trying to connect, and you should see something to help understand this.

    1) Web UI -> System Status -> VPN Statistics, click the Debug button
    2) in FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab

Sign In to comment.