IKEv2 IPsec Tunnels Using FQDN

Article ID: 176292


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Browsing stops and an outage is experienced while connected to Web Security Service (WSS) via IPsec tunnel using IKEv2 with FQDN. Moving the tunnel to a different data center may restore browsing, but only temporarily as the issues may continue to occur.

Cause

In addition to other potential causes for issues (see IPsec Tunnel Configurations to Avoid Failures), an IPsec tunnel using IKEv2 with FQDN can attempt to establish from an egress IP that is already defined in a different Network Location in the WSS portal. This can cause the traffic to be dropped with no error message.

The Phase 2 lifetime could also be set too high. The Phase 2 lifetime has different parameters and ramifications under IKEv2 than under IKEv1. With IKEv1 a lifetime set too high can cause issues, but WSS still honors the lifetime proposed by the firewall/router establishing the tunnel. With IKEv2, however, Symantec's peer is configured to close the tunnel every 60 minutes out of necessity, regardless of the Phase 2 lifetime configured on the establishing firewall/router.

Resolution

In addition to making sure the other IPsec tunnel access method requirements are met, make sure that all IKEv2 IPsec tunnels using FQDN have the Phase 2 lifetime set to 50 minutes (just below the 60-minute close interval) and that they do not egress from any IP, or from any pool of IPs, already defined in another location in the WSS portal.

For further information on IKEv2 IPsec Tunnels Using FQDN requirements, see Connectivity: VPN IKEv2 with Pre-Shared Key and Dynamic IP/FQDN.
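The two checks above (Phase 2 lifetime below the 60-minute peer close, and no egress IP shared with another Network Location) can be verified before a tunnel is brought up. The following is an added, hypothetical pre-flight script, not a Symantec/Broadcom tool; the Network Location table and tunnel values are constructed sample data standing in for what would be exported from the WSS portal.

```python
"""Pre-flight checks for WSS IKEv2 IPsec tunnels using an FQDN identity.

Hypothetical helper (not part of the KB or the product). Location data is
constructed sample input; in practice it comes from the WSS portal.
"""
import ipaddress

# The WSS peer closes an IKEv2 tunnel every 60 minutes regardless of the
# proposed Phase 2 lifetime; the KB recommends 50 minutes on the firewall.
WSS_IKEV2_PEER_CLOSE_MIN = 60
RECOMMENDED_P2_LIFETIME_MIN = 50

# Constructed sample Network Locations: name -> egress IPs / pools (CIDR).
SAMPLE_LOCATIONS = {
    "HQ-Dallas": ["203.0.113.0/29"],
    "Branch-Austin": ["203.0.113.4", "198.51.100.10"],
    "Branch-Denver": ["192.0.2.0/24"],
}


def check_phase2_lifetime(lifetime_seconds):
    """Return findings for the Phase 2 (child SA) lifetime a firewall proposes."""
    minutes = lifetime_seconds / 60
    if minutes >= WSS_IKEV2_PEER_CLOSE_MIN:
        return [f"Phase 2 lifetime {minutes:g} min is not below the WSS peer's "
                f"{WSS_IKEV2_PEER_CLOSE_MIN} min close interval; set it to "
                f"{RECOMMENDED_P2_LIFETIME_MIN} min"]
    if minutes > RECOMMENDED_P2_LIFETIME_MIN:
        return [f"Phase 2 lifetime {minutes:g} min is above the recommended "
                f"{RECOMMENDED_P2_LIFETIME_MIN} min"]
    return []


def check_egress_overlap(tunnel_location, egress, locations):
    """Flag an egress IP or pool that is already defined in another location.

    egress is an IP or CIDR string; locations maps name -> list of IP/CIDR.
    """
    egress_net = ipaddress.ip_network(egress, strict=False)
    findings = []
    for name, prefixes in locations.items():
        if name == tunnel_location:
            continue  # the tunnel's own location may of course list its IP
        for prefix in prefixes:
            other = ipaddress.ip_network(prefix, strict=False)
            if egress_net.version == other.version and egress_net.overlaps(other):
                findings.append(f"egress {egress} overlaps {prefix} already "
                                f"defined in Network Location '{name}'")
    return findings


def audit_tunnel(location, egress, lifetime_seconds, locations=SAMPLE_LOCATIONS):
    """Combine both checks; an empty list means the tunnel passes."""
    return (check_phase2_lifetime(lifetime_seconds)
            + check_egress_overlap(location, egress, locations))
```

Running `audit_tunnel("Branch-Austin", "203.0.113.4", 28800)` against the sample data reports both problems: the common 8-hour default lifetime and an egress IP that falls inside the HQ-Dallas pool.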

To address further issues, see the links to articles below: