Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec Tunnel Down vs Lifetime Rekey

    Scheduled Pinned Locked Moved IPsec
    1 Posts 1 Posters 272 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jnpetty
      last edited by

      All system logs are sent to our logging server. Using system logs I am looking for a way to identify that an IPSec tunnel is down vs the lifetime just rekeying. The events look very similar:

      April 8th 2019, 03:58:45.000	13[CHD] <con1000|51> CHILD_SA con1000{409} state change: DELETING => DELETED
April 8th 2019, 03:58:45.000	13[CHD] <con1000|51> CHILD_SA con1000{409} state change: DELETED => DESTROYING
April 8th 2019, 03:58:45.000	13[CHD] <con1000|51> CHILD_SA con1000{409} state change: REKEYED => DELETING
April 8th 2019, 03:57:42.000	14[CHD] <con1000|51> CHILD_SA con1000{409} state change: REKEYING => REKEYED
April 8th 2019, 03:57:42.000	14[CHD] <con1000|51> CHILD_SA con1000{410} state change: INSTALLING => INSTALLED
April 8th 2019, 03:57:42.000	14[CHD] <con1000|51> CHILD_SA con1000{410} state change: CREATED => INSTALLING
April 8th 2019, 03:57:41.000	14[CHD] <con1000|51> CHILD_SA con1000{409} state change: INSTALLED => REKEYING

April 8th 2019, 03:00:12.000	09[CHD] <con1000|51> CHILD_SA con1000{409} state change: INSTALLING => INSTALLED
April 8th 2019, 03:00:12.000	09[CHD] <con1000|51> CHILD_SA con1000{409} state change: CREATED => INSTALLING

April 8th 2019, 02:57:26.000	09[IKE] <con1000|51> IKE_SA con1000[51] state change: CONNECTING => ESTABLISHED
April 8th 2019, 02:57:25.000	05[IKE] <con1000|50> IKE_SA con1000[50] state change: DELETING => DELETING
April 8th 2019, 02:57:25.000	05[IKE] <con1000|50> IKE_SA con1000[50] state change: DELETING => DESTROYING
April 8th 2019, 02:57:25.000	09[IKE] <51> IKE_SA (unnamed)[51] state change: CREATED => CONNECTING
April 8th 2019, 02:57:25.000	05[IKE] <con1000|50> IKE_SA con1000[50] state change: ESTABLISHED => DELETING
April 8th 2019, 02:57:25.000	05[CHD] <con1000|50> CHILD_SA con1000{408} state change: INSTALLED => DESTROYING

      Has anyone identified a way to decipher between the two events using just the logs? Thanks!

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.