IPSec Tunnel Down vs Lifetime Rekey
-
All system logs are sent to our logging server. Using system logs I am looking for a way to identify that an IPSec tunnel is down vs the lifetime just rekeying. The events look very similar:
April 8th 2019, 03:58:45.000 13[CHD] <con1000|51> CHILD_SA con1000{409} state change: DELETING => DELETED
April 8th 2019, 03:58:45.000 13[CHD] <con1000|51> CHILD_SA con1000{409} state change: DELETED => DESTROYING
April 8th 2019, 03:58:45.000 13[CHD] <con1000|51> CHILD_SA con1000{409} state change: REKEYED => DELETING
April 8th 2019, 03:57:42.000 14[CHD] <con1000|51> CHILD_SA con1000{409} state change: REKEYING => REKEYED
April 8th 2019, 03:57:42.000 14[CHD] <con1000|51> CHILD_SA con1000{410} state change: INSTALLING => INSTALLED
April 8th 2019, 03:57:42.000 14[CHD] <con1000|51> CHILD_SA con1000{410} state change: CREATED => INSTALLING
April 8th 2019, 03:57:41.000 14[CHD] <con1000|51> CHILD_SA con1000{409} state change: INSTALLED => REKEYING
April 8th 2019, 03:00:12.000 09[CHD] <con1000|51> CHILD_SA con1000{409} state change: INSTALLING => INSTALLED
April 8th 2019, 03:00:12.000 09[CHD] <con1000|51> CHILD_SA con1000{409} state change: CREATED => INSTALLING
April 8th 2019, 02:57:26.000 09[IKE] <con1000|51> IKE_SA con1000[51] state change: CONNECTING => ESTABLISHED
April 8th 2019, 02:57:25.000 05[IKE] <con1000|50> IKE_SA con1000[50] state change: DELETING => DELETING
April 8th 2019, 02:57:25.000 05[IKE] <con1000|50> IKE_SA con1000[50] state change: DELETING => DESTROYING
April 8th 2019, 02:57:25.000 09[IKE] <51> IKE_SA (unnamed)[51] state change: CREATED => CONNECTING
April 8th 2019, 02:57:25.000 05[IKE] <con1000|50> IKE_SA con1000[50] state change: ESTABLISHED => DELETING
April 8th 2019, 02:57:25.000 05[CHD] <con1000|50> CHILD_SA con1000{408} state change: INSTALLED => DESTROYING
Has anyone identified a way to decipher between the two events using just the logs? Thanks!
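One way to separate the two cases from the state-change lines above, as an added example that is not part of the original post: a CHILD_SA that passes through REKEYED before deletion was replaced by a rekey, while one that leaves INSTALLED straight for DELETING or DESTROYING was torn down. The heuristic is an assumption drawn from the transitions visible in the posted log, the function names are hypothetical, and the sample is a subset of the posted lines.

```python
import re
from collections import defaultdict

# Constructed sample: CHILD_SA lines from the post plus one IKE_SA line,
# newest first, as the logging server displays them.
SAMPLE = """\
April 8th 2019, 03:58:45.000 13[CHD] <con1000|51> CHILD_SA con1000{409} state change: DELETING => DELETED
April 8th 2019, 03:58:45.000 13[CHD] <con1000|51> CHILD_SA con1000{409} state change: DELETED => DESTROYING
April 8th 2019, 03:58:45.000 13[CHD] <con1000|51> CHILD_SA con1000{409} state change: REKEYED => DELETING
April 8th 2019, 03:57:42.000 14[CHD] <con1000|51> CHILD_SA con1000{409} state change: REKEYING => REKEYED
April 8th 2019, 03:57:42.000 14[CHD] <con1000|51> CHILD_SA con1000{410} state change: INSTALLING => INSTALLED
April 8th 2019, 03:57:42.000 14[CHD] <con1000|51> CHILD_SA con1000{410} state change: CREATED => INSTALLING
April 8th 2019, 03:57:41.000 14[CHD] <con1000|51> CHILD_SA con1000{409} state change: INSTALLED => REKEYING
April 8th 2019, 03:00:12.000 09[CHD] <con1000|51> CHILD_SA con1000{409} state change: INSTALLING => INSTALLED
April 8th 2019, 03:00:12.000 09[CHD] <con1000|51> CHILD_SA con1000{409} state change: CREATED => INSTALLING
April 8th 2019, 02:57:25.000 05[IKE] <con1000|50> IKE_SA con1000[50] state change: ESTABLISHED => DELETING
April 8th 2019, 02:57:25.000 05[CHD] <con1000|50> CHILD_SA con1000{408} state change: INSTALLED => DESTROYING
"""

# Matches only CHILD_SA state changes; IKE_SA lines are skipped.
LINE = re.compile(
    r"<(?P<conn>[^|>]+)\|\d+> CHILD_SA \S+?\{(?P<sa>\d+)\} "
    r"state change: (?P<old>\w+) => (?P<new>\w+)"
)

def classify_child_sas(text):
    """Return {(connection, child_sa_id): 'rekey' | 'down' | 'up' | 'incomplete'}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            seen[(m["conn"], int(m["sa"]))].add((m["old"], m["new"]))
    verdicts = {}
    for key, transitions in seen.items():
        # Sets, not sequences: same-second events arrive in arbitrary order.
        reached = {new for _, new in transitions}
        if "REKEYED" in reached:
            verdicts[key] = "rekey"       # replaced by a successor SA
        elif transitions & {("INSTALLED", "DELETING"), ("INSTALLED", "DESTROYING")}:
            verdicts[key] = "down"        # removed without being rekeyed
        else:
            verdicts[key] = "up" if "INSTALLED" in reached else "incomplete"
    return verdicts

def connection_state(verdicts):
    """A connection is 'down' only when none of its CHILD_SAs is still up."""
    live = {conn for (conn, _), v in verdicts.items() if v == "up"}
    return {conn: "up" if conn in live else "down" for conn, _ in verdicts}
```

On the sample, {408} is classified as torn down, {409} as rekeyed and {410} as up, so an alert keyed on `connection_state` stays quiet for the rekey and fires only when a teardown leaves the connection without an installed CHILD_SA.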