IPsec fault occurred in E1000E

Publication Date:  2013-07-29 Views:  331 Downloads:  0
Issue Description
E1000E:V2R6C00SPC100
The remote device is a Juniper firewall.

The IPsec tunnel restarts around every 30 minutes.
Alarm Information
No alarm.
Handling Process
1. I found warnings like the following in the log, so please check the security ACLs of the two sites and make sure they strictly match each other.
%2013-07-21 04:49:02 EX-FW-01 %%01IKE/4/WARNING(l): phase2: security acl mismatch.
%2013-07-21 04:48:20 EX-FW-01 %%01IKE/4/WARNING(l): phase2: security acl mismatch.
%2013-07-21 04:48:10 EX-FW-01 %%01IKE/4/WARNING(l): phase2: security acl mismatch.

After the ACL configuration was corrected, the problem was still not solved.

When we checked the trapbuffer carefully, we found that the tunnels restart around every 30 minutes, not every 30 seconds. So please describe the exact phenomenon.

The time at which the tunnels restart is determined by the negotiation between the two devices: each device has its own time-out (SA lifetime), and the final time-out is the smaller of the two values. The E1000E has a default time-out of 60 minutes, so if the tunnels restart every 30 minutes, please check the configuration of the remote device.
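As an added example that is not part of the original case, the Python below parses warning lines in the log format shown above, estimates the tunnel restart period from the timestamps of the IKE phase 2 "security acl mismatch" warnings, and applies the rule that the peers settle on the smaller configured lifetime. The sample log lines are constructed from that format, and the 3600 s default and 604800 s maximum are the values stated in this case.

```python
import re
from datetime import datetime

# Constructed sample in the trapbuffer/log format shown in the case (not a real capture).
SAMPLE_LOG = """\
%2013-07-21 04:49:02 EX-FW-01 %%01IKE/4/WARNING(l): phase2: security acl mismatch.
%2013-07-21 04:48:20 EX-FW-01 %%01IKE/4/WARNING(l): phase2: security acl mismatch.
%2013-07-21 04:48:10 EX-FW-01 %%01IKE/4/WARNING(l): phase2: security acl mismatch.
%2013-07-21 04:18:10 EX-FW-01 %%01IKE/4/WARNING(l): phase2: security acl mismatch.
"""
# "%<timestamp> <hostname> %%01<module>/<severity>/<mnemonic>(l): <message>"
LOG_RE = re.compile(
    r"^%(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%01(?P<module>\w+)/(?P<severity>\d)/(?P<mnemonic>\w+)\(l\): (?P<msg>.*)$")
E1000E_DEFAULT_LIFETIME = 3600    # default time-based SA duration from the case (60 min)
MAX_TIME_BASED_LIFETIME = 604800  # largest value 'sa duration time-based' accepts

def parse_log(text):
    """Parse the log lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def acl_mismatch_events(events):
    """Keep only the IKE phase 2 'security acl mismatch' warnings."""
    return [e for e in events
            if e["module"] == "IKE" and "security acl mismatch" in e["msg"]]

def renegotiation_period(events, burst_gap=300):
    """Restart period in seconds: retries within burst_gap belong to one renegotiation."""
    times = sorted(e["ts"] for e in events)
    starts = []
    for t in times:
        if not starts or (t - starts[-1]).total_seconds() > burst_gap:
            starts.append(t)
    if len(starts) < 2:
        return None
    return round(sum((b - a).total_seconds() for a, b in zip(starts, starts[1:])) / (len(starts) - 1))

def effective_sa_lifetime(local, remote):
    """Peers settle on the smaller lifetime: 30-min restarts against a 60-min local value point at the remote."""
    for v in (local, remote):
        if not 0 < v <= MAX_TIME_BASED_LIFETIME:
            raise ValueError("lifetime %ds outside 1..%d" % (v, MAX_TIME_BASED_LIFETIME))
    return min(local, remote)
```

Running it on the constructed sample gives a period of 1800 s, which is below the local 3600 s default and therefore indicates the remote peer's lifetime setting.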

If you want the connections always up, you can modify the SA duration on our firewalls as follows (NOTICE: the duration must be modified on the remote device too):
<sysname> system-view
[sysname] ipsec policy policy1 1 isakmp
[sysname-ipsec-policy-isakmp-policy1-1] sa duration time-based XXXX (the largest is 604800s)
<sysname> system-view
[sysname] ipsec policy policy2 1 isakmp
[sysname-ipsec-policy-isakmp-policy2-1] sa duration traffic-based xxxx (the largest is 4194303Kb)

After the tunnel time-out was modified on both sites, the problem was solved.
Root Cause
Probable reasons:
1. DPD fault.
2. ACL mismatch.
3. Time-out time is 30 minutes.
Suggestions
When troubleshooting IPsec problems, we should check the configuration on both sites and keep them consistent.

END