Forum Discussion

Aspirant

Oct 07, 2017

VPN between 2 netgear routers keeps dropping

I am trying to set up a stable VPN tunnel between an FVS318G on one site, and an SRX5308 at another site. Both are connected to Xfinity modems, and both have stable internet connections, the SRX has ...

Troubleshooting

bzness

Aspirant

Oct 07, 2017

It gets weirder:

While I was writing the post above, the problem fixed itself !! I am posting below the log from the SRX. As you can see after a lengthy negotiation, the SRX ended up again with tunnels between the WAN addresses of the boxes, and lo and bhold, I can access data again. So, why would the SRX switch from the WAN address to the LAN address? I don't know too little about the intricacies of the VPN negotiations to follow the log from where it lost the WAN address to where it corrected itself, but someone must have seen this before. What is the problem here?

I have to split the log into 2 posts, as there is a limit on length.

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO: Sending Informational Exchange: delete payload[]

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP SRX **->** ext IP FVS318 ** with spi=4365434(0x429c7a)

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX ** with spi=131648604(0x7d8cc5c)

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO: Responding to new phase 2 negotiation: ** ext IP SRX **[0]<=>** ext IP FVS318 **[0]

Sat Oct 07 13:25:41 2017 (GMT -0600): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP SRX **->** ext IP FVS318 ** with spi=153273464(0x922c478)

Sat Oct 07 13:25:41 2017 (GMT -0600): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX ** with spi=116393517(0x6f0062d)

Sat Oct 07 13:25:40 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 2 negotiation: ** ext IP SRX **[0]<=>** ext IP FVS318 **[0]

Sat Oct 07 13:25:40 2017 (GMT -0600): [SRX5308] [IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]

Sat Oct 07 13:25:40 2017 (GMT -0600): [SRX5308] [IKE] INFO: ISAKMP-SA established for ** ext IP SRX **[500]-** ext IP FVS318 **[500] with spi:070ddfe8d3a00374:177ee617632b23e6

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO: NAT not detected

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO: NAT-D payload matches for ** ext IP FVS318 **[500]

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO: NAT-D payload matches for ** ext IP SRX **[500]

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO: Received Vendor ID: KAME/racoon

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO: For ** ext IP FVS318 **[500], Selected NAT-T version: RFC XXXX

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO: Received Vendor ID: KAME/racoon

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO: Received Vendor ID: DPD

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO: Received Vendor ID: RFC XXXX

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:23:53 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 6445c7b073ed5d55:0000000000000000

Sat Oct 07 13:23:50 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:23:18 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:23:18 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:22:34 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:21:22 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. ae10131a098e29dd:0000000000000000

Sat Oct 07 13:21:16 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:20:45 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:20:45 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:20:05 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:18:52 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 12973c2b18d0bc41:0000000000000000

Sat Oct 07 13:18:48 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:18:17 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:18:17 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:17:33 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:16:46 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:16:21 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 6603935be3437384:0000000000000000

Sat Oct 07 13:16:14 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:16:14 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:16:09 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:15:38 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:15:38 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Continued in next post.

bzness

Aspirant

Oct 07, 2017

continuation of log:

Sat Oct 07 13:15:03 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:13:51 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 4180b9b0160ae252:0000000000000000

Sat Oct 07 13:13:47 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:13:16 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:13:16 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:12:32 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:11:05 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:10:44 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 1e5ebe9e6c54a358:0000000000000000

Sat Oct 07 13:10:34 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:10:34 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:09:25 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:06:00 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:05:59 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 2f6f06f556b4937f:0000000000000000

Sat Oct 07 13:05:29 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:05:29 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:04:40 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:02:15 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 55783624c7b12310:0000000000000000

Sat Oct 07 13:02:01 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:01:29 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:01:29 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:00:56 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 12:57:26 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 12:57:05 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 1ebdde52616c0db7:0000000000000000

Sat Oct 07 12:56:55 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 12:56:55 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 12:55:46 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** myDomainName **" found

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 12:42:49 2017 (GMT -0600): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel xxx.xxx.3.1->** ext IP FVS318 ** with spi=40115734(0x2641e16)

Sat Oct 07 12:42:49 2017 (GMT -0600): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->xxx.xxx.3.1 with spi=170635942(0xa2bb2a6)

Sat Oct 07 12:42:48 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 12:42:48 2017 (GMT -0600): [SRX5308] [IKE] INFO: Responding to new phase 2 negotiation: xxx.xxx.3.1[0]<=>** ext IP FVS318 **[0]

DaneA
NETGEAR Employee Retired
Oct 10, 2017
Hi bzness,

If ever you have not yet configured Keep-Alive and Dead Peer Detection on both SRX5308 and FVS318G, I suggest you to configure Keep-Alive and Dead Peer Detection then check if same problem will occur. Read pages 265-268 of the SRX5308 Reference Manual here and pages 5-53 to 5-55 of the FVS318G Reference Manual here about Keep-Alives and Dead Peer Detection.

You mentioned that you upgraded the firmware of the SRX5308 to the latest version. Did you perform a factory reset on it the reconfigure it from scratch after upgrading the firmware? It is best to reset the firewall to factory defaults then reconfigure it from scratch in order to start clean using the latest firmware version.

Regards,

DaneA

NETGEAR Community Team
- DaneA
  NETGEAR Employee Retired
  Oct 15, 2017
  bzness,
  
  I just want to follow-up on this. Were you able to perform my suggestions?
  
  Regards,
  
  DaneA
  
  NETGEAR Community Team
  - bzness
    Aspirant
    Oct 16, 2017
    Hi DaneA,
    
    Yes, I tried a few, but in the end, I think I found a solution (keeping my fingers crossed) after hours of googleing on the web and following a number of dead ends. Even on this site, the information is contradictory. Some people say that you MUST use the VPN Wizard, others say that you can't because it creates a bad record that you cannot fix later. There is a lot of confusion about what FDQN means (why do you have to select "FDQN" and then enter an IP address?), etc., etc.,
    
    So, what I think has stabilized the VPN in my case was to do the followng:
    
    Delete the IKE and VPN policies on both ends.
    Reboot both routers.
    Set up new IKE policies (manually ) on both ands and do NOT use the default Encrytions (I dropped it to DES and MD5).
    Reboot both routers.
    Set up new VPN policies (manually) on both ends, again with DES and MD5. I also use FDQNs everywhere (overwriting the auto-filled IP addresses), and make sure that the LAN segments are different, and that the subnets are specified with x.x.x.0 (some people had suggested to use x.x.x.1), and use 86400 as SA uptime.
    Reboot both routers.
    Keep your fingers crossed.
    So far it's been up for about 36 hours, and the VPN logs look pretty orderly with an occasional Error that seems to fix itself.
    
    Again, keeping my fingers crossed and hope for the best.
- DaneA
  NETGEAR Employee Retired
  Oct 23, 2017
  bzness,
  
  I just want to follow-up on this. Is the VPN connection between the SRX5308 and FVS318G still up?
  
  Regards,
  
  DaneA
  
  NETGEAR Community Team
  - bzness
    Aspirant
    Oct 23, 2017
    Yes, but I noticed that a couple of times someone with an unknown IP address tried to log in. The router blocked the entry, but that seemed to have created some problems and the router stopped logging and also stopped responding to my other router, which of course led to a breakdown. I updated the firmware to the last version (which gave me trouble last time I tried that, and this time it seems to have worked. I see one attempt to get into the system via VPN, and this time it did not break the VPPN channel. So, good for now, but still keeping fingers crossed.