USG3000: unexpected restart of the peer device causes the IPsec VPN service to fail

Publication Date:  2012-12-06 Views:  291 Downloads:  0
Issue Description
The user has built a point-to-point IPsec VPN between a USG3000 and a USG50. The networking is as follows:
PC----USG3000-----internet------USG50----PC
After the USG50 suffers an unexpected power outage, IPsec VPN traffic initiated from the USG3000 side fails for a long time; the IPsec VPN service can only be brought up from the USG50 side.
Alarm Information
None.
Handling Process
1. This situation can be handled by setting the IKE SA keepalive timers, so that the state of the IKE SA is detected and an SA that is no longer alive is cleared.
2. For the user's application environment, set “ike sa keepalive-timer interval 20” and “ike sa keepalive-timer timeout 60”. After the USG50 restarts unexpectedly, the IPsec SA on the USG3000 is automatically removed after waiting about 1 minute, and a new IPsec SA can be established normally.
Root Cause
1. The default IPsec SA lifetime is 1 hour and the default IKE SA lifetime is 24 hours. When the USG50 restarts unexpectedly, it cannot notify the USG3000 to purge the IPsec SA and IKE SA, so the IPsec SA and IKE SA remain on the USG3000 until their lifetimes expire.
2. IPsec VPN traffic initiated from the USG3000 side matches the original (stale) IPsec SA, so a new IPsec SA cannot be established.
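To make the timing in the Handling Process and Root Cause sections concrete, here is an added Python model (constructed for this article, not Huawei code) of a USG3000 whose USG50 peer reboots without sending any notification. It assumes a single SA standing in for the IKE SA, a keepalive probe every `interval` seconds that only a peer still holding the SA answers, and an SA that is cleared once `timeout` seconds pass without an answer.

```python
IKE_SA_LIFETIME = 24 * 3600  # default IKE SA lifetime quoted in the article, in seconds

class Gateway:
    def __init__(self, keepalive_interval=None, keepalive_timeout=None):
        self.keepalive_interval = keepalive_interval  # ike sa keepalive-timer interval (seconds)
        self.keepalive_timeout = keepalive_timeout    # ike sa keepalive-timer timeout (seconds)
        self.sa_since = None    # second the current SA was set up; None means no SA
        self.last_reply = None  # last second the peer answered a keepalive probe

    def establish_sa(self, now):
        self.sa_since = self.last_reply = now

    def reboot(self):
        self.sa_since = None  # SA state is lost and no delete notification reaches the peer

    def has_sa(self):
        return self.sa_since is not None

    def tick(self, peer, now):
        """One second of SA bookkeeping: lifetime expiry, keepalive probe, dead-SA cleanup."""
        if not self.has_sa():
            return
        if now - self.sa_since >= IKE_SA_LIFETIME:
            self.sa_since = None  # lifetime reached: the only cleanup available without keepalive
        elif self.keepalive_interval and now % self.keepalive_interval == 0 and peer.has_sa():
            self.last_reply = now  # only a peer that still holds the SA answers the probe
        elif self.keepalive_timeout and now - self.last_reply >= self.keepalive_timeout:
            self.sa_since = None  # no answer within the timeout: the SA is cleared as dead

def traffic_passes(src, dst, now):
    """A flow matching an SA the far side no longer holds is dropped there; with no SA, src negotiates a fresh one."""
    if src.has_sa():
        return dst.has_sa()
    src.establish_sa(now)
    dst.establish_sa(now)
    return True

def run(keepalive, reboot_at, until):
    """Tunnel up at second 0, USG50 reboots silently at reboot_at, USG3000 runs its timers to
    `until`. Returns (usg3000, usg50, first second at which USG3000 dropped the stale SA, or None)."""
    usg3000, usg50, cleared_at = Gateway(*keepalive), Gateway(), None
    usg3000.establish_sa(0)
    usg50.establish_sa(0)
    for now in range(1, until + 1):
        if now == reboot_at:
            usg50.reboot()
        usg3000.tick(usg50, now)
        if cleared_at is None and not usg3000.has_sa():
            cleared_at = now
    return usg3000, usg50, cleared_at
```

With the article's timers (20, 60) the stale SA is cleared within about a minute of a reboot at second 100 and traffic from the USG3000 side passes again; without keepalive it survives until the 24-hour lifetime and only the USG50 side can bring the tunnel up.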
Suggestions
When configuring the IPsec VPN service, it is recommended to configure the IKE SA keepalive timers so that the IPsec VPN service does not stop passing traffic. When configuring IKE SA keepalive, note that the peer device must be our company's device; otherwise the peer cannot support the keepalive packets that our devices send.