Printout explanation "diagnose vpn tunnel list"

Forum|Forum|8 years ago
December 12, 2017
1 reply
6084 views

In the following printout 'expire=21511/0B' is a countdown to Child SA's key expiry, starting from value specified in Phase 2's 'keylifeseconds' attribute (in my case, 27000).

However, the printout also has a 'timeout=26732/27000' where 26732 doesn't change at all. My question - what does this number represent?

[size="2"]

FGT60D-1 # diagnose vpn tunnel list
:
proxyid=ToAzureVPNGateway3 proto=0 sa=1 ref=2 serial=26
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:172.16.64.0/255.255.192.0:0
  SA: ref=41 options=10024 type=00 soft=0 mtu=1438 expire=21511/0B replaywin=0
       seqno=10e03 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=26732/27000
  dec: spi=f1c15bf3 esp=aes key=16 9136fd97fab9c206f27055d082c83414
       ah=sha1 key=20 5b69a33bc129346a2018d6fbde9d5bb51693e231
  enc: spi=127f9a4c esp=aes key=16 925357d548af93d4fa664653cf3a8e19
       ah=sha1 key=20 ea362f3413d292a459939cf8b5f8985b1bc12331
  dec:pkts/bytes=100993/51118804, enc:pkts/bytes=84002/31649950
  npu_flag=03 npu_rgwy=A.A.A.A npu_lgwy=B.B.B.B npu_selid=19

[/size]

Toshi_Esumi

SuperUser

Looks like they forgot to update something in diag output. I recommend you open a TT with TAC. If you run "get vpn ipsec tun name ToAzureVPNGateway3", you would see like "lifetime/rekey: 27000/21511".

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded