3 Replies Latest reply on Sep 7, 2012 2:41 AM by PhilM

    VPN Issue on Sidewinder Cluster

    armalite

        Hi List,

      Sometimes (two or three times per month) our IPSEC VPN for remote users does not work properly (AGGRESSIVE_MODE exchange terminated - exchange expiration). A reboot of the primary cluster node solves this.

      Can I restart the whole IKE environment without a reboot, from the Sidewinder console?

      Kind regards,

      Andreas

        • 1. Re: VPN Issue on Sidewinder Cluster
          PhilM

          In the past I've done this by bouncing (restarting) the ISAKMP server and reloading the IPSec policies.

          Both are achieved from the command line:

          • cf daemond restart agent=isakmp_daemon
          • cf ipsec reload

          If you are running version 7, you can restart the ISAKMP server service from the GUI, by navigating to Monitor -> Service status and then right-clicking on the "isakmp" service & selecting restart from the pop-up menu.

          Sometimes restarting the process is enough, but as the man page for "cf ipsec" says, the reload function serves to:

          Reapplies the IPsec VPN definitions to the kernel and IKE server.

          If IPsec state is out-of-sync with a peer, this command can be used to clear the current IPsec state and reapply the VPN definitions.

          An optional flush key can be used to indicate whether or not current VPN IPsec state should be flushed from the kernel (default is flush=yes).

          Hope that helps.

          -Phil.
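One way to catch the failure before users report it, as an added example that is not from this thread or from the Sidewinder product: a POSIX shell script that counts the expiration message quoted in the question in an audit-log excerpt and, once a threshold is reached, prints (or, given the argument "run" on the firewall console itself, executes) the two recovery commands from the reply above. The log line format, the peer addresses and the THRESHOLD value are constructed assumptions; real Sidewinder audit output differs.

```sh
#!/bin/sh
# Added example, not from the thread or the Sidewinder product. Counts IKE
# aggressive-mode expiration messages in an audit-log excerpt and reports
# whether the ISAKMP restart + IPsec reload described above is warranted.
# ASSUMPTIONS: the log line format below is constructed (real Sidewinder audit
# output differs), and THRESHOLD is an illustrative operator-chosen value.

# Constructed sample audit excerpt (illustrative only).
SAMPLE_LOG='Sep 07 02:10:01 fw1 isakmp: AGGRESSIVE_MODE exchange terminated - exchange expiration peer=203.0.113.5
Sep 07 02:10:05 fw1 isakmp: MAIN_MODE exchange completed peer=203.0.113.9
Sep 07 02:11:12 fw1 isakmp: AGGRESSIVE_MODE exchange terminated - exchange expiration peer=203.0.113.5
Sep 07 02:12:40 fw1 isakmp: AGGRESSIVE_MODE exchange terminated - exchange expiration peer=203.0.113.17'

# Number of expirations at which the IKE environment is treated as wedged.
THRESHOLD=${THRESHOLD:-3}

# count_ike_expirations: read log text on stdin, print the number of lines
# carrying the expiration message quoted in the original question.
count_ike_expirations() {
    grep -c 'AGGRESSIVE_MODE exchange terminated - exchange expiration' || true
}

# needs_ike_bounce COUNT: succeed (exit 0) when COUNT reaches THRESHOLD.
needs_ike_bounce() {
    [ "$1" -ge "$THRESHOLD" ]
}

# ike_bounce_commands [run]: print the two recovery commands from the reply;
# with the argument "run" execute them instead (only meaningful on the
# Sidewinder console, where the cf utility exists).
ike_bounce_commands() {
    for cmd in 'cf daemond restart agent=isakmp_daemon' 'cf ipsec reload'; do
        if [ "${1:-print}" = run ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# Stand-alone run over the constructed sample (dry-run: commands are printed).
n=$(printf '%s\n' "$SAMPLE_LOG" | count_ike_expirations)
if needs_ike_bounce "$n"; then
    echo "$n IKE expirations (threshold $THRESHOLD): bounce IKE with:"
    ike_bounce_commands
else
    echo "$n IKE expirations: below threshold $THRESHOLD, no action"
fi
```

Feed it a real log excerpt on stdin instead of SAMPLE_LOG to use it against the firewall's own audit output.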

          • 2. Re: VPN Issue on Sidewinder Cluster
            armalite

            Many thanks,

            Must this be done on both nodes of the cluster (primary and standby)?

            Kind regards

            • 3. Re: VPN Issue on Sidewinder Cluster
              PhilM

              Based on your original description (only needing to re-boot the primary) I would have to say no.

              But, as these commands take only a few seconds to run, I don't see any harm in running them on both nodes.

              -Phil.