VPN setup - CVG - BR100

I am experiencing strange behaviour when establishing a VPN between the CVG and the BR100. I can see an established phase 1, but some moments later the connection just vanishes. Any ideas why?
If I connect the BR100 to the local network, I can see an established tunnel to the CVG.

Many thanks for suggestions. 
Below are command outputs from CVG.

CVG-AH-b7361d#show vpn ike sa

ISAKMP SA Table:
ST=status(value meaning):
--------------------------
1: phase 1 start;
2: msg 1 received;
3: msg 1 sent;
4: msg 2 recived;
5: msg 2 sent;
6: msg 3 received;
7: msg 3 sent;
8: msg 4 received;
9: phase 1 established;
10: phase 1 expired;
S=Side(I=Initiator;R=Responder):V=Version:E=Etype
Created=ISAKMP SA created time;Phase2=Counter of phase 2 rekey
--------------------------------------------------------
Destination CookiesST S V E Created Phase2 Tunnel-ID
90.157.141.117[49444] 336abd7b10996f83:c869c23973926d70 9 R 10 M 2014-05-22 13:07:35 0 78
Total ISAKMP SA Entries: 1
CVG-AH-b7361d#show vpn ike sa
ISAKMP SA Table:
ST=status(value meaning):
--------------------------
1: phase 1 start;
2: msg 1 received;
3: msg 1 sent;
4: msg 2 recived;
5: msg 2 sent;
6: msg 3 received;
7: msg 3 sent;
8: msg 4 received;
9: phase 1 established;
10: phase 1 expired;
S=Side(I=Initiator;R=Responder):V=Version:E=Etype
Created=ISAKMP SA created time;Phase2=Counter of phase 2 rekey
--------------------------------------------------------
Destination CookiesST S V E Created Phase2 Tunnel-ID
90.157.141.117[49444] 336abd7b10996f83:c869c23973926d70 9 R 10 M 2014-05-22 13:07:35 0 78
Total ISAKMP SA Entries: 1
CVG-AH-b7361d#show vpn ike sa
ISAKMP SA Table:
ST=status(value meaning):
--------------------------
1: phase 1 start;
2: msg 1 received;
3: msg 1 sent;
4: msg 2 recived;
5: msg 2 sent;
6: msg 3 received;
7: msg 3 sent;
8: msg 4 received;
9: phase 1 established;
10: phase 1 expired;
S=Side(I=Initiator;R=Responder):V=Version:E=Etype
Created=ISAKMP SA created time;Phase2=Counter of phase 2 rekey
--------------------------------------------------------
Destination CookiesST S V E Created Phase2 Tunnel-ID
Total ISAKMP SA Entries: 0

Andrej Zimsek


Posted 4 years ago
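
An added example, not part of the original post and not Aerohive tooling: a small Python parser for the `show vpn ike sa` table rows in the post above that compares successive snapshots and reports any SA that reached status 9 (phase 1 established) and then disappeared. The function and field names are assumptions of this example; the row layout and sample rows are taken from the output in the post.

```python
import re
from typing import NamedTuple

ESTABLISHED = 9  # "9: phase 1 established" in the legend the command prints

class IkeSa(NamedTuple):
    peer: str
    port: int
    cookies: str
    status: int
    side: str
    created: str
    phase2_rekeys: int
    tunnel_id: int

# Row layout: Destination[port] Cookies ST S V E Created Phase2 Tunnel-ID
ROW = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\[(\d+)\]\s+([0-9a-f]{16}:[0-9a-f]{16})\s+(\d+)\s+"
    r"([IR])\s+\S+\s+\S+\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\d+)$")

def parse_snapshot(text):
    """Return {cookie pair: IkeSa} for each SA row in one command output."""
    sas = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            peer, port, cookies, st, side, created, p2, tid = m.groups()
            sas[cookies] = IkeSa(peer, int(port), cookies, int(st), side,
                                 created, int(p2), int(tid))
    return sas

def vanished_sas(snapshots):
    """SAs seen as phase-1 established that are absent from the next snapshot."""
    parsed = [parse_snapshot(s) for s in snapshots]
    return [sa for before, after in zip(parsed, parsed[1:])
            for key, sa in before.items()
            if sa.status == ESTABLISHED and key not in after]

# Table rows copied from the three outputs in the post above (legend omitted).
HEADER = "Destination CookiesST S V E Created Phase2 Tunnel-ID\n"
UP = (HEADER + "90.157.141.117[49444] 336abd7b10996f83:c869c23973926d70 "
      "9 R 10 M 2014-05-22 13:07:35 0 78\nTotal ISAKMP SA Entries: 1\n")
DOWN = HEADER + "Total ISAKMP SA Entries: 0\n"

if __name__ == "__main__":
    for sa in vanished_sas([UP, UP, DOWN]):
        print(f"tunnel {sa.tunnel_id} to {sa.peer}:{sa.port} created {sa.created} "
              f"dropped after phase 1, phase 2 rekeys={sa.phase2_rekeys}")
```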


Gregor Vucajnk, Official Rep

Troubleshooting VPNs with Aerohive is quite simple. As we are pushing the same configuration to both the VPN client and the VPN server, if anything goes wrong it is really only on the IKE Phase 1. 

So I would suggest looking at:
* networking problem (see if the devices can communicate to begin with), make sure that FW ports allow for IKE (UDP 500) and NAT traversal (UDP 4500).
* timing issue (show time and show clock will expose that).
* outdated certificates.




Andrej Zimsek

I found the problem. It was indeed a time issue with the BR100 device. The NTP server was set to an internal NTP server. I set it to a public NTP server and the tunnel came up.