VPN notifications

The following table lists messages that are seen in the logs as part of normal IPsec VPN operation.

Table 1. Common IPsec VPN messages in normal operation

Information message: SA traffic selectors local: [...]
Description: This message is visible only when IPsec diagnostics are enabled. The first message generated when new VPN negotiations are triggered. Negotiation of a new VPN tunnel follows.

Information message: IKE SA proposal [...]
Description: This message is visible only when IPsec diagnostics are enabled. Shows the proposal that the initiator in the negotiations sent to the responder (displayed in both roles).

Information message: Starting IKE main mode initiator negotiation / Starting IKE main mode responder negotiation
Description: The beginning of IKE negotiations (in main mode). Which message is displayed depends on whether the gateway is the initiator or the responder in the negotiation. Repeated negotiations for the same connection are normal in a Multi-Link environment.

Information message: IKE Phase-1 initiator done [...] / IKE Phase-1 responder done [...]
Description: IKE Phase-1 negotiations were successfully completed; Phase-2 negotiations begin. Which message is displayed depends on whether the gateway is the initiator or the responder in the negotiation.

Information message: IKE Phase-2 initiator done [...] / IKE Phase-2 responder done [...]
Description: IKE Phase-2 negotiations were successfully completed. The VPN tunnel is now established and ESP or AH messages should appear shortly. Which message is displayed depends on whether the gateway is the initiator or the responder in the negotiation.

Information message: Starting Hybrid Authentication
Description: Hybrid authentication is started for an IPsec VPN client user.

Information message: Hybrid Authentication Done
Description: Hybrid authentication succeeded for an IPsec VPN client user.

Information message: IKE SA import succeeded / IPsec SA import succeeded
Description: This message is visible only when IPsec diagnostics are enabled. Synchronization of Phase 1 (IKE) and Phase 2 (IPsec) information between clustered firewall engines was successful.

Information message: ESP [...] / AH [...]
Description: Encrypted traffic going through the VPN tunnel. When you enable IPsec diagnostics, you might see more of these messages.

Information message: Unknown IKE cookie
Description: This message is visible only when IPsec diagnostics are enabled. The other gateway identified an SA that does not exist on this node. If this is a cluster, this message is normal when the SA has been negotiated with a different node. The correct SA is then queried from the other nodes, allowing the connection to continue. This message can also appear if the SA has been deleted, for example, because of a timeout or dead peer detection (DPD).

Information message: Sending delete notification [...] / Delete notification received [...]
Description: This message is visible only when IPsec diagnostics are enabled. Messages between the gateways forming the tunnel informing the other party that the gateway has removed the settings indicated in the message. As a result, the other gateway also clears the settings, allowing for renegotiations if the tunnel is still needed.

Information message: Sending IKE SA delete sync / Receiving IKE SA expire/delete sync
Description: This message is visible only when IPsec diagnostics are enabled. Synchronization of SA deletion information between clustered firewall engines.

Information message: Initial contact notification received
Description: The gateway at the other end of the tunnel has sent an Initial-Contact message (indicating that it has no knowledge of previous negotiations). If there are old SAs with the gateway, they are deleted (recently negotiated SAs are not, as might be indicated by a further log message). If SAs exist, the notification may indicate that the other end has been cleared, for example, in a reboot.
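As an added example (not part of the original documentation), the script below maps the Table 1 messages to negotiation stages so a log review can tell at a glance how far a tunnel got and whether an "Unknown IKE cookie" is expected. The stage names, the findings text and the sample log lines are constructed for the example; the real log format around the message text may differ.

```python
# Added example, not from the original documentation: map the messages in Table 1 to
# negotiation stages and report how far a tunnel got. Sample lines are constructed.
STAGES = [  # (message prefix, stage) in the order a normal negotiation produces them
    ("SA traffic selectors local:", "triggered"),
    ("IKE SA proposal", "proposal"),
    ("Starting IKE main mode", "phase1_started"),
    ("IKE Phase-1", "phase1_done"),  # "... initiator done" / "... responder done"
    ("IKE Phase-2", "phase2_done"),
    ("ESP", "traffic"),
    ("AH", "traffic"),
]
ORDER = ["triggered", "proposal", "phase1_started", "phase1_done", "phase2_done", "traffic"]
EVENTS = {  # informational messages that are not part of the forward sequence
    "Unknown IKE cookie": "unknown_cookie",
    "Sending delete notification": "delete",
    "Delete notification received": "delete",
    "Initial contact notification received": "initial_contact",
}

def classify(line):
    """Return the stage or event name for one log line, or None if not in Table 1."""
    text = line.strip()
    for prefix, name in STAGES + list(EVENTS.items()):
        if text.startswith(prefix):
            return name
    return None

def summarise(lines, clustered=False):
    """Furthest stage reached, event counts, and findings a defender would check first."""
    reached, events = set(), {}
    for line in lines:
        kind = classify(line)
        if kind in ORDER:
            reached.add(kind)
        elif kind is not None:
            events[kind] = events.get(kind, 0) + 1
    furthest = max((ORDER.index(s) for s in reached), default=None)
    findings = []
    if "phase1_done" in reached and "phase2_done" not in reached:
        findings.append("Phase-1 done but no Phase-2 done: check the Phase-2 (IPsec) settings")
    if events.get("unknown_cookie") and not clustered:
        findings.append("Unknown IKE cookie on a single node: SA may have timed out or been removed by DPD")
    return {"furthest": ORDER[furthest] if furthest is not None else None,
            "events": events, "findings": findings}

SAMPLE_LOG = [  # constructed log lines: a negotiation that stalls after Phase-1
    "SA traffic selectors local: 10.0.0.0/24 remote: 10.1.0.0/24",
    "IKE SA proposal AES-256 SHA-256 DH14",
    "Starting IKE main mode initiator negotiation",
    "IKE Phase-1 initiator done 192.0.2.1 -> 198.51.100.1",
]
```

Run `summarise(SAMPLE_LOG)` to get the stalled-after-Phase-1 finding; pass `clustered=True` when reviewing logs from a cluster node so the normal "Unknown IKE cookie" case is not flagged.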