R2511-HP MSR Router Series Security Configuration Guide(V5)
IPsec tunnels cannot be set up
Symptom
In an unstable network environment, the expected IPsec tunnels cannot be set up or do not operate
correctly.
Analysis
If the two peers have the correct ACLs and a matching IKEv2 proposal, it is most likely that the tunnels
have been set up but the device at one end restarted, resulting in unmatched IKEv2 SAs or IPsec SAs.
Solution
Use the display ikev2 sa command to check whether the expected IKEv2 SAs have been set up:
• If only one end has IKEv2 SAs, use the reset ikev2 sa command to clear the existing IKEv2 SAs and
then trigger a new IKEv2 negotiation.
• If both ends have IKEv2 SAs and the IKEv2 SAs of the two ends match (established based on the
same IKEv2 negotiations), use the display ipsec sa command to verify that IPsec SAs have been set
up. If only one end has IPsec SAs, use the reset ipsec sa command to clear the existing IPsec SAs
and then trigger a new negotiation.
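
The comparison described in the two bullets above, as an added example that is not part of the original guide. It assumes the operator has copied the SPI values shown by display ikev2 sa and display ipsec sa on each peer into the dictionaries below; the data layout, the function names, the SPI values and the handling of SAs that exist on both ends with different SPIs are assumptions of this example.

```python
# Added example: decide which reset command applies after a peer restart.
# The dictionaries are a constructed layout, not the device's output format.

def stale_side(local_ids, remote_ids):
    """Return the peers that hold SA identifiers the other end lacks."""
    sides = []
    if local_ids - remote_ids:
        sides.append("local")
    if remote_ids - local_ids:
        sides.append("remote")
    return sides

def triage(local, remote):
    """local/remote: {"ike": {(init_spi, resp_spi)}, "in": {spi}, "out": {spi}}"""
    # An IKEv2 SA is the same SA on both ends only if the SPI pair is identical.
    # Assumption: differing pairs are treated like the "only one end" case.
    ike = stale_side(local["ike"], remote["ike"])
    if ike:
        return ("reset ikev2 sa", ike)
    if not local["ike"]:
        return ("no IKEv2 SA: trigger negotiation", [])
    # IKEv2 SAs match. An IPsec SA pair is consistent when one end's outbound
    # SPI is the other end's inbound SPI, so map the remote view to the local one.
    l = {("in", s) for s in local["in"]} | {("out", s) for s in local["out"]}
    r = {("in", s) for s in remote["out"]} | {("out", s) for s in remote["in"]}
    ipsec = stale_side(l, r)
    if ipsec:
        return ("reset ipsec sa", ipsec)
    if not l:
        return ("no IPsec SA: trigger negotiation", [])
    return ("consistent", [])

# Constructed sample values.
IKE_PAIR = (0x1A2B3C4D5E6F7081, 0x8F7E6D5C4B3A2910)
PEER_A = {"ike": {IKE_PAIR}, "in": {0x1001}, "out": {0x2002}}
PEER_B_OK = {"ike": {IKE_PAIR}, "in": {0x2002}, "out": {0x1001}}
PEER_B_RESTARTED = {"ike": set(), "in": set(), "out": set()}
PEER_B_NO_IPSEC = {"ike": {IKE_PAIR}, "in": set(), "out": set()}

if __name__ == "__main__":
    for name, peer in [("ok", PEER_B_OK), ("restarted", PEER_B_RESTARTED),
                       ("no ipsec", PEER_B_NO_IPSEC)]:
        action, where = triage(PEER_A, peer)
        print(f"{name}: {action} {where}")
```

The second element of the result names the end that still holds the stale SAs, which is where the reset command has to be run before a new negotiation is triggered.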










