Hello,
I configured a site-to-site VPN with my customer, who has a Fortinet firewall.
We are running Juniper NetScreen with ScreenOS 6.3.
This tunnel runs well for some days (say 4-5 days) and then we face problems with reconnecting or rekeying, and we have to clear the tunnel manually to get it running again; otherwise it does not forward packets any longer.
We receive the following messages on the FW during this time.
2012-02-23 15:59:37 system info 00536 IKE x.x.x.x Phase 2 msg ID c3b0d257: Completed negotiations with SPI 99fa83c0, tunnel ID 393283, and lifetime 86400 seconds/0 KB.
2012-02-23 15:59:37 system info 00536 IKE x.x.x.x phase 2:The symmetric crypto key has been generated successfully.
2012-02-23 15:59:37 system info 00536 IKE x.x.x.x Phase 2 msg ID c3b0d257: Responded to the peer's first message.
2012-02-23 15:59:02 system info 00536 IKE x.x.x.x Phase 2 msg ID ee09f563: Completed negotiations with SPI 99fa83be, tunnel ID 393282, and lifetime 86400 seconds/0 KB.
2012-02-23 15:59:02 system info 00536 IKE x.x.x.x phase 2:The symmetric crypto key has been generated successfully.
2012-02-23 15:59:02 system info 00536 IKE x.x.x.x Phase 2 msg ID ee09f563: Responded to the peer's first message.
2012-02-23 15:59:02 system notif 00017 VPN mt-ag-pironet-vpn with gateway mt-ag-pironet-x.x.x.x and P2 proposal 3DES-MD5-ESP-86400 has been modified by coltadmin via web from host 172.27.3.3 to 172.27.1.193:443.
2012-02-23 14:10:47 system info 00536 IKE x.x.x.x Phase 2 msg ID 0e8e570d: Completed negotiations with SPI 99fa826a, tunnel ID 393283, and lifetime 86400 seconds/0 KB.
2012-02-23 14:10:47 system info 00536 IKE x.x.x.x phase 2:The symmetric crypto key has been generated successfully.
2012-02-23 14:10:47 system info 00536 IKE x.x.x.x Phase 2 msg ID 0e8e570d: Responded to the peer's first message.
2012-02-23 14:08:57 system info 00536 IKE x.x.x.x Phase 2 msg ID f457d2fb: Completed negotiations with SPI 99fa8264, tunnel ID 393282, and lifetime 86400 seconds/0 KB.
2012-02-23 14:08:57 system info 00536 IKE x.x.x.x phase 2:The symmetric crypto key has been generated successfully.
2012-02-23 14:08:57 system info 00536 IKE x.x.x.x Phase 2 msg ID f457d2fb: Responded to the peer's first message.
2012-02-23 14:00:31 system info 00536 IKE x.x.x.x Phase 1: Completed Main mode negotiations with a 86400-second lifetime.
2012-02-23 14:00:31 system info 00536 IKE x.x.x.x phase 1:The symmetric crypto key has been generated successfully.
2012-02-23 14:00:31 system info 00536 IKE x.x.x.x Phase 1: Responder starts MAIN mode negotiations.
2012-02-22 19:34:03 system info 00536 IKE x.x.x.x Phase 2 msg ID 818b301a: Completed negotiations with SPI 99fa749e, tunnel ID 393281, and lifetime 86400 seconds/0 KB.
2012-02-22 19:34:03 system info 00536 IKE x.x.x.x phase 2:The symmetric crypto key has been generated successfully.
2012-02-22 19:34:03 system info 00536 IKE x.x.x.x Phase 2 msg ID 818b301a: Responded to the peer's first message.
Total entries matched = 19
I have attached the log files from the Fortinet as well.
X.X.X.X = our public IP address
Y.Y.Y.Y = customer IP address
The following is what the technician at our customer's side observed:
2012-02-21 | 10:43 h: VPN tunnel has disconnected on the Fortinet side
reason: lifetime (8 h interval) has been exceeded
recommended action: tunnel has to rekey with a new identifier
2012-02-21 | 10:43 h - 2012-02-21 | 13:48 h: no entry in the log file
2012-02-21 | 13:48 h - 2012-02-21 | 14:10 h: Juniper tries to reconnect the tunnel with the "old" identifier
2012-02-21 | 14:10 h: Juniper forbids communication with the peer
Tunnel (both phases) down
2012-02-21 | 14:10 h: after a manual reset the VPN tunnel comes up again and works fine
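As an added diagnostic example, not part of the original post or of either vendor's tooling, the script below parses the NetScreen "Completed negotiations" entries quoted above and flags Phase 2 SAs whose negotiated lifetime differs from the peer's configured value; the 8 h (28800 s) Fortinet lifetime is an assumption taken from the technician's note, so adjust it to the real peer configuration.

```python
import re

# Log lines quoted in the post above (NetScreen 6.3 event log, one entry per line).
NETSCREEN_LOG = """\
2012-02-23 15:59:37 system info 00536 IKE x.x.x.x Phase 2 msg ID c3b0d257: Completed negotiations with SPI 99fa83c0, tunnel ID 393283, and lifetime 86400 seconds/0 KB.
2012-02-23 15:59:37 system info 00536 IKE x.x.x.x phase 2:The symmetric crypto key has been generated successfully.
2012-02-23 15:59:02 system info 00536 IKE x.x.x.x Phase 2 msg ID ee09f563: Completed negotiations with SPI 99fa83be, tunnel ID 393282, and lifetime 86400 seconds/0 KB.
2012-02-23 14:00:31 system info 00536 IKE x.x.x.x Phase 1: Completed Main mode negotiations with a 86400-second lifetime.
"""

# Assumed peer setting: the technician's note reports an 8 h Phase 2 lifetime on the Fortinet.
FORTINET_P2_LIFETIME_S = 8 * 3600

P2_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*IKE (?P<peer>\S+) Phase 2 msg ID (?P<msgid>[0-9a-f]+): "
    r"Completed negotiations with SPI (?P<spi>[0-9a-f]+), tunnel ID (?P<tunnel>\d+), "
    r"and lifetime (?P<secs>\d+) seconds/(?P<kb>\d+) KB\.$"
)
P1_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*IKE (?P<peer>\S+) Phase 1: Completed Main mode negotiations "
    r"with a (?P<secs>\d+)-second lifetime\.$"
)

def parse_completions(text):
    """Return one dict per completed IKE Phase 1 / Phase 2 negotiation in the log text."""
    records = []
    for line in text.splitlines():
        if m := P2_RE.match(line):
            records.append({"ts": m["ts"], "phase": 2, "peer": m["peer"], "spi": m["spi"],
                            "tunnel_id": int(m["tunnel"]), "lifetime_s": int(m["secs"]),
                            "lifetime_kb": int(m["kb"])})
        elif m := P1_RE.match(line):
            records.append({"ts": m["ts"], "phase": 1, "peer": m["peer"],
                            "lifetime_s": int(m["secs"])})
    return records

def check_lifetimes(records, peer_p2_lifetime_s):
    """Flag Phase 2 SAs whose negotiated lifetime differs from the peer's configured one.
    With unequal lifetimes the side holding the shorter value expires the SA while the
    other side still treats the old SPI as valid, which is consistent with the
    'reconnect with old identifier' behaviour described in the post."""
    findings = []
    for r in records:
        if r["phase"] == 2 and r["lifetime_s"] != peer_p2_lifetime_s:
            findings.append({"tunnel_id": r["tunnel_id"], "spi": r["spi"],
                             "local_s": r["lifetime_s"], "peer_s": peer_p2_lifetime_s,
                             "gap_s": r["lifetime_s"] - peer_p2_lifetime_s})
    return findings

if __name__ == "__main__":
    for f in check_lifetimes(parse_completions(NETSCREEN_LOG), FORTINET_P2_LIFETIME_S):
        print(f"tunnel {f['tunnel_id']} SPI {f['spi']}: local {f['local_s']} s vs peer {f['peer_s']} s")
```

Run it against a full `get event` export to see every Phase 2 SA that was negotiated with a lifetime the peer will not honour; an empty result means the lifetimes agree and the rekey problem lies elsewhere.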