R2511-HP MSR Router Series Security Configuration Guide(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

501

502

503

504

505

506

507

508

509

510

491

Local role : Primary

Primary address : 100.1.1.100

Sessions:

Peer address : 200.2.2.200

Peer version : 1.0

Peer priority : 100

Peer role : Secondary

Peer status : Ready

# Display KS redundancy information on KS 2.

<KS2> display gdoi ks redundancy

Group Name :ks2

Local address : 200.2.2.200

Local version : 1.0

Local priority : 100

Local role : Secondary

Primary address : 100.1.1.100

Sessions:

Peer address : 100.1.1.100

Peer version : 1.0

Peer priority : 10000

Peer role : Primary

Peer status : Ready

Troubleshooting group domain VPN

IKE SA negotiation failure

Symptom

Phase 1 IKE negotiation failed.

Analysis

If the failure occurred between GM and KS, the IKE configurations on the GM and KS do not match, or

the GM and KS cannot reach each other.

If the failure occurred between KSs, the IKE configurations on the KSs do not match, or the KSs cannot

reach each other.

Use the following command on the GM. The output shows that no IKE SAs have been generated.

<Router> display ike sa

total phase-1 SAs: 0

connection-id peer flag phase doi status

----------------------------------------------------------------------------

Solution

If the failure occurred between GM and KS, verify that the IKE proposal and IKE peer configurations on

the GM and the KS match, and that the GM and the KS can reach each other.