SDWAN / Zscaler / IPSec

Current config: vEdge 100M / Broadband / (2) Zscaler IPSec tunnels

We have (2) two IPSec tunnels to Zscaler (IPSec instead of GRE because we are using DHCP instead of static on the broadband link). For the most part both tunnels stay up, but on occasion, for no reason that I can tell, they both go down, and nothing other than rebooting the vEdge will bring them back up. Logs from Zscaler aren't too helpful as they mainly show that the IPSec tunnel is down. Any advice/suggestions/clues where to look?

shut/no shut the physical interface (ge0/4) - no joy

shut/no shut both of the IPSec tunnels - no joy

request ipsec ike-rekey - no joy

request ipsec ipsec-rekey - no joy

"show ipsec ike sessions state" shows the state of both tunnels as "TERMINATED"

1 ACCEPTED SOLUTION

It depends. How do you source your ipsec interfaces, from the WAN interfaces or from loopbacks in VPN 0? There are bugs related to this which might affect you. For example, there is a bug where, if the interface you use to source the ipsec tunnel changes its IP (due to DHCP, perhaps), the ipsec process doesn't realize it and will still attempt to keep the connection up with the old IP as source, which will fail.

What's your ipsec interface configuration? What software version are you running?

We are sourcing from Ge0/4 which is configured for DHCP and connected to broadband. As far as versions go, we are in the process of upgrading from 18.3.5 to 18.4.302.

Do you happen to have a bug ID, or maybe a link to this bug?

And thank you for the response.
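The failure mode the accepted answer describes (the IPsec process keeping the old DHCP address as tunnel source after the WAN interface's lease changes) can be caught before the next reboot by correlating two `show` outputs. The following is an added example, not code from the thread or from Cisco: it parses constructed, simplified `show interface` and `show ipsec ike sessions` text (the column layout is assumed, so adjust the parsers to your software version's real output) and flags every tunnel whose IKE source address no longer matches the live address on the source interface.

```python
# Added example: detect IKE sessions bound to a stale DHCP source address.
# Both text blocks below are constructed samples in an assumed, simplified
# column layout; real vEdge output differs by version and needs adapted parsers.
import re

# Constructed: the broadband interface after a DHCP lease change.
SHOW_INTERFACE = """\
ge0/4  Up  dhcp  203.0.113.77/24
"""

# Constructed: IKE sessions still sourced from the pre-renewal address.
SHOW_IKE_SESSIONS = """\
IF      SOURCE           DEST            STATE
ipsec1  203.0.113.42     198.51.100.10   TERMINATED
ipsec2  203.0.113.42     198.51.100.11   TERMINATED
"""


def parse_interface_addrs(text):
    """Map interface name -> current IPv4 address (prefix length dropped)."""
    addrs = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+\S+\s+\S+\s+(\d+\.\d+\.\d+\.\d+)/\d+", line)
        if m:
            addrs[m.group(1)] = m.group(2)
    return addrs


def parse_ike_sessions(text):
    """Return (tunnel, source_ip, dest_ip, state) tuples, skipping the header."""
    sessions = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 4:
            sessions.append(tuple(parts))
    return sessions


def find_stale_sources(interface_text, ike_text, source_if):
    """Flag tunnels whose IKE source IP differs from the source interface's IP."""
    current = parse_interface_addrs(interface_text).get(source_if)
    findings = []
    for tunnel, src, dst, state in parse_ike_sessions(ike_text):
        if src != current:
            findings.append({"tunnel": tunnel, "ike_source": src,
                             "interface_ip": current, "peer": dst, "state": state})
    return findings


if __name__ == "__main__":
    for f in find_stale_sources(SHOW_INTERFACE, SHOW_IKE_SESSIONS, "ge0/4"):
        print(f"{f['tunnel']} -> {f['peer']}: IKE source {f['ike_source']} "
              f"but ge0/4 is {f['interface_ip']} ({f['state']}): stale source")
```

A mismatch with both sessions TERMINATED is the signature the accepted answer points at; a TERMINATED session whose source still matches the interface is a different problem and is deliberately not flagged here.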