Peer Device (60.247.x.y)-----------(IPSec)---------------Firewall
The firewall established an IPSec VPN tunnel with the peer (60.247.x.y). A client (10.217.18.97) served by the peer needed to back up a large amount (about 20 GB) of data to a client served by the local firewall every weekend. After a period (several hours) of transmission, the connection was interrupted and then recovered after a period. Other services were normal.
1. The IPSec tunnel information was displayed and the negotiations were normal.
HRP_M<USG-1> display ike sa
288342 60.247.x.y RD v1:2 public
288339 60.247.x.y RD v1:2 public
288338 60.247.x.y RD v1:2 public
288337 60.247.x.y RD v1:2 public
288336 60.247.x.y RD v1:2 public
288335 60.247.x.y RD v1:2 public
288334 60.247.x.y RD v1:2 public
288332 60.247.x.y RD v1:2 public
288331 60.247.x.y RD v1:2 public
288288 60.247.x.y RD|D v1:1 public
The obtained information indicated that IKEv1 negotiation was used on the live network.
2. Service interruption is usually caused by tunnel disconnection, and automatic service recovery indicates that the tunnel can be renegotiated.
3. Based on the previous fault locating
1) A ping test was performed to check whether the tunnel disconnection was caused by congestion, and the result ruled out the cause of congestion.
2) The fault always occurred during large-volume data backup. Therefore, the fault must be related to traffic volume. The IPSec SA lifetime can be by time or traffic volume. If the traffic-based SA lifetime expires, the tunnel is disconnected.
4. The firewall was the responder and the peer is the initiator in IKEv1 negotiation, and only the initiator can initiate negotiation. Moreover, the incoming traffic volume is used as the SA lifetime. During data backup, a large volume of traffic entered the firewall, causing the expiration of the SA lifetime and the subsequent tunnel disconnection. Moreover, the firewall cannot initiate a renegotiation, causing the service interruption.
As the responder in IKEv1 negotiation, the firewall cannot initiate renegotiation after the tunnel is disconnected due to the expiration of a traffic-based SA lifetime.
Disable the traffic-based SA lifetime in IPSec policy view as follows:
ipsec policy 1 1 isakmp
undo sa duration traffic-based enable