IPSec cannot connect for a long time after the USG3000 restarts

Publication Date: 2012-11-01
Issue Description
After the USG3000 restarts (cannot be reset or broken line), the tunnel that the USG50 had established with it before the restart does not disappear for a long time. As a result, clients behind the USG50 cannot connect to clients behind the USG3000 once the USG3000 has finished starting. The connection works again only after running “reset ike sa x” (x is the serial number) on the USG50.
Alarm Information
None.
Handling Process
Check the configuration of the USG3000 and the USG50.
The USG3000 has been configured with:
    ike sa keepalive-timer interval 30
    ike sa keepalive-timer timeout 90
The USG50 has no such configuration, so its “ike sa keepalive-timer timeout” takes the default of 24 hours, and IKE needs 24 hours to reconnect.
Therefore, add the following configuration on the USG50:
    ike sa keepalive-timer interval 30
    ike sa keepalive-timer timeout 90
This solves the problem.
Root Cause
After the USG3000 restarts, the tunnels on the USG3000 are cleared, but the tunnel session on the peer USG50 is kept and not released. The tunnel session therefore has to be reset manually to release it before the connection can finally be established.
Suggestions
Suggest that the following be enabled automatically once IKE is enabled:
    ike sa keepalive-timer interval 30
    ike sa keepalive-timer timeout 90    (unit: seconds)
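
The check from the Handling Process can be run against saved configurations of both peers. The following is an added example, not part of the original case or Huawei tooling: the sample configurations are constructed, and `max_stale_s` is a hypothetical threshold for how long a stale IKE SA is acceptable.

```python
import re

# Default the case gives for "ike sa keepalive-timer timeout" when unset: 24 hours.
DEFAULT_TIMEOUT_S = 24 * 3600

_LINE = re.compile(
    r"^[ \t]*ike sa keepalive-timer (interval|timeout) (\d+)[ \t]*$", re.M)

def keepalive_settings(config_text):
    """Return the effective keepalive settings found in one device's config."""
    found = {kind: int(val) for kind, val in _LINE.findall(config_text)}
    return {
        "interval": found.get("interval"),            # None = not configured
        "timeout": found.get("timeout", DEFAULT_TIMEOUT_S),
        "timeout_explicit": "timeout" in found,
    }

def audit_peers(configs, max_stale_s=300):
    """configs: {device_name: config_text}. Returns a list of findings."""
    findings = []
    settings = {n: keepalive_settings(t) for n, t in configs.items()}
    for name, s in settings.items():
        if s["interval"] is None:
            findings.append(f"{name}: no keepalive interval configured")
        if not s["timeout_explicit"]:
            findings.append(f"{name}: timeout unset, default {s['timeout']} s applies")
        if s["timeout"] > max_stale_s:
            findings.append(f"{name}: dead peer's IKE SA can linger {s['timeout']} s")
    # Both ends of the tunnel should carry the same keepalive values.
    if len({(s["interval"], s["timeout"]) for s in settings.values()}) > 1:
        findings.append("peers disagree on keepalive settings: "
                        + ", ".join(sorted(settings)))
    return findings

# Constructed sample configurations (only the lines relevant to this case).
USG3000_CFG = ("sysname USG3000\n"
               "ike sa keepalive-timer interval 30  \n"
               "ike sa keepalive-timer timeout 90\n")
USG50_BEFORE = "sysname USG50\n"
USG50_AFTER = USG50_BEFORE + ("ike sa keepalive-timer interval 30\n"
                              "ike sa keepalive-timer timeout 90\n")

if __name__ == "__main__":
    for label, usg50 in (("before fix", USG50_BEFORE), ("after fix", USG50_AFTER)):
        print(label)
        for f in audit_peers({"USG3000": USG3000_CFG, "USG50": usg50}) or ["ok"]:
            print("  " + f)
```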

END