
IPSec Site-2-Site VPN routes not deleted or added on reconnect - error 2

Hi,

we're having an issue with an XG106 HA connecting to a UTM HA over IPsec. Case 03444132.

Whenever the tunnel gets interrupted, the XG will reconnect, but *some* of the routes to the remote side of the tunnel will not work until we disable and enable the tunnel on the XG side. A second interruption will also fix it.

In the strongSwan logs we found these errors on the XG side, and I would like to know if NC-61092 "[IPsec] Strongswan not creating default route in table 220" may be exactly about this issue.


Tunnel interrupted:

2020-12-07 07:44:48 24[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route del 100.100.123.0/24 dev ipsec0 src 200.200.48.129 table 220': success 0
2020-12-07 07:44:50 24[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route del 100.100.123.0/24 dev ipsec0 src 200.200.48.1 table 220': error returned 2
2020-12-07 07:44:51 24[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route del 100.100.123.0/24 dev ipsec0 src 100.100.100.1 table 220': error returned 2
 

Tunnel first interrupted

2020-12-07 07:46:12 32[APP] <Tunnel_Name-1|1600> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (200.200.48.128/26#100.100.123.0/24)
2020-12-07 07:46:13 24[APP] <Tunnel_Name-1|1600> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (200.200.48.0/26#100.100.123.0/24)
2020-12-07 07:46:13 31[APP] <Tunnel_Name-1|1600> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (100.100.100.2/32#100.100.123.0/24)
2020-12-07 07:46:19 29[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 200.200.48.129 table 220': success 0
2020-12-07 07:46:22 29[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 200.200.48.1 table 220': error returned 2
2020-12-07 07:46:22 29[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 100.100.100.1 table 220': error returned 2

Tunnel second interrupted

2020-12-11 12:54:34 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 200.200.48.1 table 220': success 0
2020-12-11 12:54:35 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 200.200.48.129 table 220': error returned 2
2020-12-11 12:54:40 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 100.100.100.1 table 220': error returned 2
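As an added illustration (not code from the original post, from Sophos or from strongSwan), the following Python script parses the COP-UPDOWN shell lines quoted above, groups each burst of `ip route add`/`ip route del` commands into one tunnel up or down episode, and reports which `src` routes were actually installed and which returned error 2. The sample log is the set of route lines from the post, embedded as constructed input; the 60-second gap used to separate bursts is an assumption. The result is what one would compare against `ip route show table 220` after each reconnect.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: the 'ip route add/del' lines from the updown-script log
# quoted in the post (tunnel down on 2020-12-07, two reconnects afterwards).
SAMPLE_LOG = """\
2020-12-07 07:44:48 24[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route del 100.100.123.0/24 dev ipsec0 src 200.200.48.129 table 220': success 0
2020-12-07 07:44:50 24[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route del 100.100.123.0/24 dev ipsec0 src 200.200.48.1 table 220': error returned 2
2020-12-07 07:44:51 24[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route del 100.100.123.0/24 dev ipsec0 src 100.100.100.1 table 220': error returned 2
2020-12-07 07:46:12 32[APP] <Tunnel_Name-1|1600> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (200.200.48.128/26#100.100.123.0/24)
2020-12-07 07:46:19 29[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 200.200.48.129 table 220': success 0
2020-12-07 07:46:22 29[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 200.200.48.1 table 220': error returned 2
2020-12-07 07:46:22 29[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 100.100.100.1 table 220': error returned 2
2020-12-11 12:54:34 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 200.200.48.1 table 220': success 0
2020-12-11 12:54:35 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 200.200.48.129 table 220': error returned 2
2020-12-11 12:54:40 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route add 100.100.123.0/24 dev ipsec0 src 100.100.100.1 table 220': error returned 2
"""

# Only the run_shell lines that carry an 'ip route add/del ... table N' result;
# ref_counting and other lines are skipped by the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\[APP\] "
    r"\[COP-UPDOWN\]\[SHELL\] \(run_shell\) "
    r"'ip route (?P<action>add|del) (?P<prefix>\S+) dev (?P<dev>\S+) "
    r"src (?P<src>\S+) table (?P<table>\d+)': "
    r"(?:success (?P<ok>0)|error returned (?P<err>\d+))$"
)


@dataclass(frozen=True)
class RouteEvent:
    ts: str
    action: str   # "add" or "del"
    prefix: str
    dev: str
    src: str
    table: str
    rc: int       # exit status of the ip command, 0 on success


def parse_route_events(text):
    """Extract one RouteEvent per matching log line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rc = 0 if m.group("ok") is not None else int(m.group("err"))
        events.append(RouteEvent(m.group("ts"), m.group("action"), m.group("prefix"),
                                 m.group("dev"), m.group("src"), m.group("table"), rc))
    return events


def episodes(events, gap=timedelta(seconds=60)):
    """Group consecutive events for the same action/prefix/dev/table into one
    episode; a new episode starts when the action changes or when more than
    `gap` passes between commands (assumed burst length, not a strongSwan value)."""
    out = []
    for e in events:
        t = datetime.strptime(e.ts, "%Y-%m-%d %H:%M:%S")
        cur = out[-1] if out else None
        if (cur is None or (cur["action"], cur["prefix"], cur["dev"], cur["table"])
                != (e.action, e.prefix, e.dev, e.table) or t - cur["_last"] > gap):
            cur = {"action": e.action, "prefix": e.prefix, "dev": e.dev, "table": e.table,
                   "started": e.ts, "succeeded": [], "failed": {}, "_last": t}
            out.append(cur)
        cur["_last"] = t
        if e.rc == 0:
            cur["succeeded"].append(e.src)
        else:
            cur["failed"][e.src] = e.rc   # src -> ip exit status
    for ep in out:
        del ep["_last"]
    return out


def srcs_without_route(episode):
    """For an 'add' burst: src addresses whose route was never installed."""
    if episode["action"] != "add":
        return []
    return sorted(episode["failed"])


if __name__ == "__main__":
    for ep in episodes(parse_route_events(SAMPLE_LOG)):
        print(f"{ep['started']} {ep['action']} {ep['prefix']} table {ep['table']}: "
              f"ok={ep['succeeded']} failed={ep['failed']}")
```

On the sample, each reconnect installs exactly one of the three `src` routes for 100.100.123.0/24 and a different one each time (200.200.48.129 on the first reconnect, 200.200.48.1 on the second), while the remaining two return error 2; this matches the "some of the routes" symptom and tells you which source addresses to look for in `ip route show table 220`.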



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    What is the current firmware version on your firewall? 

    Could you please check the IPsec policy on both firewalls? Check if there is a mismatching authentication algorithm selected in Phase 2 on UTM. 

    You can check the IPsec routes by running the following command from the advanced shell: ip route show table 220

    Thanks,

  • Hi,

    it's 18 MR1 and the VPN settings match.

    I think I can only reproduce it by unplugging the ISP router. Disabling the tunnel on one side and waiting for dead link detection does not reproduce the error.
