Hot!Progress IPsec Phase 2 Failure

Author
MotorOil
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/12/04 10:05:09
  • Status: offline
2014/12/05 08:20:16 (permalink)
0

Progress IPsec Phase 2 Failure

We are running a 800C and are getting a IPsec Phase 2 error every hour (Key Lifetime set to 3600 on both ends).  Build v5.2.1,build618
 
Our connection is in-house to Amazon's data center (VPC connection for those familiar).  We have been able to duplicate the error on a test connection and have tried several settings to make it go away.  Turning off DPD, extending key lifetime (not adjustable on Amazon's end). 
#1

9 Replies Related Threads

    emnoc
    Expert Member
    • Total Posts : 5457
    • Scores: 357
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Progress IPsec Phase 2 Failure 2014/12/05 08:26:22 (permalink)
    0
    That's probably okay, is the VPN staying up? or during the rekey are you having to do anything manual?

    PCNSE 
    NSE 
    StrongSwan  
    #2
    MotorOil
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/12/04 10:05:09
    • Status: offline
    Re: Progress IPsec Phase 2 Failure 2014/12/05 08:32:16 (permalink)
    0
    drops for 15 to 30 seconds and reconnects on its own.
    #3
    emnoc
    Expert Member
    • Total Posts : 5457
    • Scores: 357
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Progress IPsec Phase 2 Failure 2014/12/05 09:05:40 (permalink)
    0
    That's not good. So is this a phase2 re-key or a phase1 re-key? ( monitor you phase1  SA SPI at the 1 hr mark )
     

    PCNSE 
    NSE 
    StrongSwan  
    #4
    MotorOil
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/12/04 10:05:09
    • Status: offline
    Re: Progress IPsec Phase 2 Failure 2014/12/05 09:31:59 (permalink)
    0
    Phase 1 is fine, only the phase 2 is failing every hour.  Causes a disconnect of our key systems and staff needing to reconnect every hour....

    Attached Image(s)

    #5
    emnoc
    Expert Member
    • Total Posts : 5457
    • Scores: 357
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Progress IPsec Phase 2 Failure 2014/12/07 01:41:58 (permalink)
    0
    So how do you have the phase2 set in the cfg and mainly for the below items?
     

     
    set auto-negotiate disable
    set keepalive enable
    set keylife-type seconds
    set keylifeseconds 3600
     

     
     
    This sounds like a phase2-keylife not matched or being honored.
     
     

    PCNSE 
    NSE 
    StrongSwan  
    #6
    Alex K
    New Member
    • Total Posts : 12
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/04/24 19:51:16
    • Location: FL
    • Status: offline
    Re: Progress IPsec Phase 2 Failure 2016/05/02 08:12:49 (permalink)
    0
    Hi!
     
    Sorry for resurrecting this old thread but it looks like I'm having similar symptoms between Fortigate 100D and Amazon VPC.
     
    In Log & Report->VPN Events every now and then I see negotiate failure messages "progress IPsec phase 2", Direction=inbound, Role=responder, RemotePort=500. It looks like the tunnel is always up and I have no problems pinging hosts from both ends, but since this new setup is not rolled out to users yet, I can't really say if it will be stable.
    What I also noticed was that I could RDP into servers in Amazon without any issues. However, when I try to RDP from Amazon back to premises, it works, but every 2-3-4th time, meaning that in first several attempts I get a standard RDP connection error. During RDP failures, I can ping hosts fine.
     
     
    #7
    linfante
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/09/19 12:49:20
    • Status: offline
    Re: Progress IPsec Phase 2 Failure 2017/09/20 07:01:34 (permalink)
    0
    Bump.
     
    Was there ever a solution to this? We are having the exact same issue. Pretty sure it's key lifetime as the VPN error messages happen every hour at the same time. FG800 and FG100 IPSec VPN to AWS as well.
    #8
    Okabe
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/02/22 20:19:42
    • Status: offline
    Re: Progress IPsec Phase 2 Failure 2018/03/14 00:18:09 (permalink)
    0
    double BUMP!
     
    This thread is 4 years old and does anyone already come out with a solution? 
    #9
    mahmoud nasef
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/01/14 04:10:42
    • Status: offline
    Re: Progress IPsec Phase 2 Failure 2020/01/14 04:11:53 (permalink)
    0
    Triple BUMP!
    #10
    Jump to:
    © 2020 APG vNext Commercial Version 5.5