Why Does the Creation of a Security Tunnel or Communication over a Security Tunnel Fail on Unstable Networks When ACLs Are Correctly Configured at Both Ends and Matched IPSec Proposals Exist?
After a security tunnel is set up, the firewall at one end may be restarted, so the SAs may no longer exist at that end while the other end still holds them. Run the display ike sa command to check whether the phase 1 SAs are already set up at both ends. Run the display ipsec sa policy command to check whether the IPSec SAs are already applied to the interface. If the results show that the SA does not exist at one end, run the reset ipsec sa and reset ike sa commands to clear the incorrect SAs and restart the negotiation.