BR-100 cannot create new vpn tunnel to CVG

  • 1
  • Question
  • Updated 2 years ago
  • Answered
I have almost 40 BR-100/200s placed in branch sites with vpn tunnels. But sometimes when adding a new BR-100 router the tunnel cannot be established, even though the config is identical to the others except for the local subnet of course. I can never get the profile to work by changing anything in it, but sometimes I can get it to work just by creating a new profile with a new local subnet. Any ideas?
the log does not say much
2014-11-18 10:05:53:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:05:53:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:05:53:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:05:53:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:07:53:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:07:53:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:07:54:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:07:54:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:08:54:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:08:54:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:08:55:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:08:55:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:09:56:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:09:56:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:09:56:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:09:56:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:11:56:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:12:04:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:12:05:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:12:05:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:13:05:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:13:05:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:13:06:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:13:06:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:15:06:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:15:07:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:15:08:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:15:08:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:17:09:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:17:17:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:17:17:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:17:17:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
Petur Piddi Olsen

  • 3 Posts
  • 0 Reply Likes
  • frustrated

Posted 4 years ago

  • 1
Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Petur,
Xauth is the mutual authentication that occurs between IPSec phase 1 tunnel establishment and phase 2. So the authentication of your new branch office router is the problem area. The fact that you can make this succeed by changing the local subnet at that branch makes me think this is an identity collision.

I don't know the specific debug commands you would use to confirm this and narrow down the investigations, but I am certain that our excellent tech support staff will be able to assist you (or your reseller, if you don't have a support contract with us) in getting to the bottom of this.
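The log in the question shows the same four-event cycle over and over: phase 1 is established, an XAuth exchange starts, and a minute or two later phase 1 is deleted without any phase 2 event in between. The reply above is right that this places the failure in the authentication step. The following Python script is an added example, not code from the original post or from Aerohive: it parses log lines in the exact format quoted above, pairs each "Xauth exchange start" with the next event for the same peer, and reports how many exchanges were torn down before anything else happened. The event names for a successful outcome are not shown in the post, so the script makes one assumption: any event other than "Phase 1 deleted" that follows an XAuth start for the same peer is treated as progress.

```python
import re
from datetime import datetime

# The first four retry cycles quoted in the question, copied verbatim.
SAMPLE_LOG = """\
2014-11-18 10:05:53:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:05:53:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:05:53:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:05:53:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:07:53:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:07:53:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:07:54:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:07:54:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:08:54:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:08:54:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:08:55:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:08:55:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:09:56:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:09:56:Phase 1 started(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:09:56:Phase 1 established(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:09:56:Xauth exchange start(192.168.12.167[4500]->212.55.61.150[4500])
2014-11-18 10:11:56:Phase 1 deleted(192.168.12.167[4500]->212.55.61.150[4500])
"""

# "YYYY-MM-DD HH:MM:SS:<event>(<src>[port]-><dst>[port])", as in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):"
    r"(?P<event>[^(]+)\((?P<src>[^-]+)->(?P<dst>[^)]+)\)$"
)


def parse(log_text):
    """Yield (timestamp, event, peer) for every line that matches; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["event"].strip(), (m["src"], m["dst"])


def analyze_xauth(log_text):
    """Per peer pair, count XAuth exchanges that ended in a phase 1 teardown.

    Assumption (not stated in the post): after "Xauth exchange start", the
    next event for the same peer decides the outcome. "Phase 1 deleted"
    means the exchange failed; anything else is counted as progress.
    """
    pending = {}  # peer -> timestamp of its most recent "Xauth exchange start"
    report = {}   # peer -> counters
    for ts, event, peer in parse(log_text):
        r = report.setdefault(peer, {"xauth_starts": 0, "xauth_failed": 0,
                                     "progressed": 0, "wait_s": []})
        if event == "Xauth exchange start":
            r["xauth_starts"] += 1
            pending[peer] = ts
        elif peer in pending:
            started = pending.pop(peer)
            if event == "Phase 1 deleted":
                r["xauth_failed"] += 1
                # Seconds between the XAuth start and the teardown.
                r["wait_s"].append(int((ts - started).total_seconds()))
            else:
                r["progressed"] += 1
    for peer, r in report.items():
        r["xauth_pending"] = 1 if peer in pending else 0
        if r["xauth_starts"] and r["xauth_failed"] == r["xauth_starts"]:
            r["verdict"] = ("every XAuth exchange was torn down before phase 2: "
                            "phase 1 succeeds, so the credentials/identity used "
                            "in XAuth are the first thing to compare with a working branch")
        else:
            r["verdict"] = "no XAuth failure pattern detected"
    return report


if __name__ == "__main__":
    for peer, r in analyze_xauth(SAMPLE_LOG).items():
        print(f"{peer[0]} -> {peer[1]}: {r['xauth_failed']}/{r['xauth_starts']} "
              f"XAuth exchanges failed, waits {r['wait_s']}s; {r['verdict']}")
```

Run against the quoted cycles this reports 4 of 4 XAuth exchanges torn down, with teardowns 60 to 120 seconds after each start rather than immediately. That timing is worth noting when working the case with support, since it distinguishes an exchange that stalls from one that is rejected outright, and the same script can be pointed at the log of a branch that does work to confirm what a successful sequence looks like on this platform.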
Petur Piddi Olsen

  • 3 Posts
  • 0 Reply Likes
First, I am a reseller and the support in Scandinavia is not something to brag about, I miss the old support system.
All BR routers have different names and have different subnets and vlans. The management network is the same for all routers. Some work, some don't. The profiles are set up identical, using the same NTP and DNS settings etc. Only the SSID is cloned, the rest is done manually.
Mike Z

  • 8 Posts
  • 2 Reply Likes
I had a similar issue, when moving a BR from one CVG to another, though one had the problem while another did not, so it was inconsistent. The only fix was to apply a complete config to the new CVG, which triggers a reboot and brief disconnection of all my BRs, which is not acceptable.

Does anyone have any information on how xauth works in the Aerohive environment?

Aerohive support says there is not documentation and has not been very helpful overall.