cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1915
Views
20
Helpful
17
Replies

FTD HA Link IPSec Encryption LAN-to-LAN deleted syslog

Hi all,

Just a quick question that I wasn't able to google the answer for.

Our FTD pair generates a lot of Informational logs every minute related to:

"IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3E10868E) between 192.168.100.2 and 192.168.100.1 (user= 192.168.100.1) has been deleted."

I know the reason for this syslog, but I'm unable to explain to behavior between the HA pair?

 

Regards, Michael

17 Replies 17

192.168.100.2 and 192.168.100.1 <<- IPsec L2L and both LAN have same subnet this is overlapping 

It's the failover link on the FTDs, and they should be on the same subnet.

Oh ok, 
you use IPsec encrypt to protect the failover link between two FW ??
If yes and you direct connect two FW then you can disable IPsec for failover link 

The FTDs are directly connect, so I could disable IPSec encryption on the failover link.

It still doesn't explain the behavior, which is the part I'm most curious about.

Just to be clear for my understanding the FTDs are in HA pair. could you please confirm there is no issue between these two HA at all. please do confirm by issuing the command

> show high-availability config

if these FTDs are managed by FMC do you see any alert regards to these appliances in FMC. also please FTD what software version they are on.

please do not forget to rate.

Yes, the FTDs are in a HA setup

---------------------------

Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER-LAN Port-channel10 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1288 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.19(1), Mate 9.19(1)
Serial Number: Ours JAD26140ECJ, Mate JAD26140DYS
Last Failover at: 06:53:05 UTC Feb 24 2023
This host: Secondary - Active
Active time: 357600 (sec)
slot 0: FPR-1140 hw/sw rev (0.5/9.19(1)) status (Up Sys)
Interface Po1 (0.0.0.0): Normal (Waiting)
Interface TRANSIT (10.226.47.9): Normal (Not-Monitored)
Interface FACILITY (10.226.32.1): Normal (Not-Monitored)
Interface CCTV (10.226.33.1): Normal (Not-Monitored)
Interface MGMT (0.0.0.0): Link Down (Not-Monitored)
Interface TRADING (10.227.1.1): Normal (Not-Monitored)
Interface NOC (10.227.2.1): Normal (Not-Monitored)
Interface GUEST (10.227.4.1): Normal (Not-Monitored)
Interface OUTSIDE (93.165.156.37): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Other host: Primary - Standby Ready
Active time: 2042286 (sec)
Interface Po1 (0.0.0.0): Normal (Waiting)
Interface TRANSIT (0.0.0.0): Normal (Not-Monitored)
Interface FACILITY (0.0.0.0): Normal (Not-Monitored)
Interface CCTV (0.0.0.0): Normal (Not-Monitored)
Interface MGMT (0.0.0.0): Normal (Not-Monitored)
Interface TRADING (0.0.0.0): Normal (Not-Monitored)
Interface NOC (0.0.0.0): Normal (Not-Monitored)
Interface GUEST (0.0.0.0): Normal (Not-Monitored)
Interface OUTSIDE (93.165.156.41): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)

Stateful Failover Logical Update Statistics
Link : FAILOVER-LAN Port-channel10 (up)
Stateful Obj xmit xerr rcv rerr
General 244657629 0 1617715318 9368
sys cmd 319733 0 319730 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 157519482 0 1061619566 7612
UDP conn 81179275 0 531445380 1695
ARP tbl 2786162 0 13122364 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 61722 0 12276 0
VPN IKEv2 P2 56 0 10 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 1209005 0 4740989 0
SIP Tx 1191924 0 4673010 17
SIP Pinhole 295275 0 955632 44
Route Session 4 0 17 0
Router ID 0 0 1 0
User-Identity 93800 0 819541 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0
Rule DB B-Sync 0 0 1 0
Rule DB P-Sync 1191 0 6801 0
Rule DB Delete 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 68 1652180014
Xmit Q: 0 20 249280697

your secondary appliance is in active mode and both peer can see each other. I would assume it could be a cosmetics bug/issue. did you see the same syslog when the primary appliance is in active ?

please do not forget to rate.

can see eath other, but friend @Sheraz.Salim  all interface is no-monitor or unknow!!
@Michael BartholomƦussen  your last post is delete can you re-post again 

@MHM Cisco World no-monitor mean client do not want to monitor the interface this is an optional not mandatory. in case if one appliance have power outrage it will fall back to other peer either interfaces are in monitor or not monitor on in waiting state.

however, the interface monitoring is in case if interface goes down it will fail the firewall.

please do not forget to rate.

Yes I know but at least one link not all link config with no-monitor.

I have seen in production network where some client do not want to monitor any interface on the firewall at all. we can argue if it best practice to use monitor command. but its depends on each different network requirement.

please do not forget to rate.

reading into cisco documentation it is mentioned "The failover key uses DES or AES, depending on the installed license. It also uses MD5 as the hash to authenticate the message. Therefore, it is important that both appliances use the same cipher license key"

please do not forget to rate.

We tried to switch active peer, but the syslog persists.

disabled Ipsec Anti Replay Window <<- disable the anti-replay window and check again