IPSec Tunnel Down vs Lifetime Rekey



  • All system logs are sent to our logging server. Using system logs I am looking for a way to identify that an IPSec tunnel is down vs the lifetime just rekeying. The events look very similar:

    April 8th 2019, 03:58:45.000	13[CHD] <con1000|51> CHILD_SA con1000{409} state change: DELETING => DELETED
    April 8th 2019, 03:58:45.000	13[CHD] <con1000|51> CHILD_SA con1000{409} state change: DELETED => DESTROYING
    April 8th 2019, 03:58:45.000	13[CHD] <con1000|51> CHILD_SA con1000{409} state change: REKEYED => DELETING
    April 8th 2019, 03:57:42.000	14[CHD] <con1000|51> CHILD_SA con1000{409} state change: REKEYING => REKEYED
    April 8th 2019, 03:57:42.000	14[CHD] <con1000|51> CHILD_SA con1000{410} state change: INSTALLING => INSTALLED
    April 8th 2019, 03:57:42.000	14[CHD] <con1000|51> CHILD_SA con1000{410} state change: CREATED => INSTALLING
    April 8th 2019, 03:57:41.000	14[CHD] <con1000|51> CHILD_SA con1000{409} state change: INSTALLED => REKEYING
    
    April 8th 2019, 03:00:12.000	09[CHD] <con1000|51> CHILD_SA con1000{409} state change: INSTALLING => INSTALLED
    April 8th 2019, 03:00:12.000	09[CHD] <con1000|51> CHILD_SA con1000{409} state change: CREATED => INSTALLING
    
    April 8th 2019, 02:57:26.000	09[IKE] <con1000|51> IKE_SA con1000[51] state change: CONNECTING => ESTABLISHED
    April 8th 2019, 02:57:25.000	05[IKE] <con1000|50> IKE_SA con1000[50] state change: DELETING => DELETING
    April 8th 2019, 02:57:25.000	05[IKE] <con1000|50> IKE_SA con1000[50] state change: DELETING => DESTROYING
    April 8th 2019, 02:57:25.000	09[IKE] <51> IKE_SA (unnamed)[51] state change: CREATED => CONNECTING
    April 8th 2019, 02:57:25.000	05[IKE] <con1000|50> IKE_SA con1000[50] state change: ESTABLISHED => DELETING
    April 8th 2019, 02:57:25.000	05[CHD] <con1000|50> CHILD_SA con1000{408} state change: INSTALLED => DESTROYING
    

    Has anyone identified a way to decipher between the two events using just the logs? Thanks!


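One way to separate the two cases from these log lines, as an added example that is not part of the original post. It assumes, as in the excerpt, that a CHILD_SA replaced by a rekey logs `=> REKEYED` before it is deleted, and that one destroyed without that transition is a teardown; `SAMPLE`, `EVENT` and `classify` are hypothetical names, and the timestamp format is the one in the post's export.

```python
import re
from collections import defaultdict
from datetime import datetime

# CHILD_SA lines copied from the post's excerpt (newest first, as exported).
SAMPLE = """\
April 8th 2019, 03:58:45.000\t13[CHD] <con1000|51> CHILD_SA con1000{409} state change: DELETING => DELETED
April 8th 2019, 03:58:45.000\t13[CHD] <con1000|51> CHILD_SA con1000{409} state change: DELETED => DESTROYING
April 8th 2019, 03:58:45.000\t13[CHD] <con1000|51> CHILD_SA con1000{409} state change: REKEYED => DELETING
April 8th 2019, 03:57:42.000\t14[CHD] <con1000|51> CHILD_SA con1000{409} state change: REKEYING => REKEYED
April 8th 2019, 03:57:42.000\t14[CHD] <con1000|51> CHILD_SA con1000{410} state change: INSTALLING => INSTALLED
April 8th 2019, 03:57:41.000\t14[CHD] <con1000|51> CHILD_SA con1000{409} state change: INSTALLED => REKEYING
April 8th 2019, 03:00:12.000\t09[CHD] <con1000|51> CHILD_SA con1000{409} state change: INSTALLING => INSTALLED
April 8th 2019, 02:57:25.000\t05[CHD] <con1000|50> CHILD_SA con1000{408} state change: INSTALLED => DESTROYING
"""

EVENT = re.compile(
    r"^(\w+) (\d+)\w* (\d{4}), ([\d:]+)\.\d+\s+.*?CHILD_SA (\S+)\{(\d+)\} "
    r"state change: (\w+) => (\w+)$", re.M)

def classify(log_text):
    """Return (fate of each CHILD_SA, teardown windows per connection)."""
    entered = defaultdict(set)   # (conn, sa_id) -> every state that SA entered
    events = []
    for mon, day, year, clock, conn, sa, _old, new in EVENT.findall(log_text):
        ts = datetime.strptime(f"{mon} {day} {year} {clock}", "%B %d %Y %H:%M:%S")
        entered[(conn, int(sa))].add(new)
        events.append((ts, conn, int(sa), new))
    # Timestamps have one-second resolution and same-second lines arrive in
    # arbitrary order, so decide on the set of states, not on line order.
    fate = {}
    for key, states in entered.items():
        if "REKEYED" in states:
            fate[key] = "rekeyed"      # replaced by a successor SA
        elif states & {"DELETING", "DELETED", "DESTROYING"}:
            fate[key] = "torn_down"    # removed without a rekey
        else:
            fate[key] = "active"
    outages = []  # (conn, sa_id, down_at, next INSTALLED on that conn or None)
    for ts, conn, sa, new in sorted(events):
        if new == "DESTROYING" and fate[(conn, sa)] == "torn_down":
            up = [t for t, c, _, n in events
                  if c == conn and n == "INSTALLED" and t >= ts]
            outages.append((conn, sa, ts, min(up) if up else None))
    return fate, outages
```

An alert would fire on each `outages` entry, with `None` as the recovery time meaning no replacement CHILD_SA has been installed on that connection yet.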