Hi all,
Device: HA-pair 61F v7.2.10
As per the subject, the IKEv2 debug log was stuck in the phase2 INFORMATIONAL state, and traffic cannot pass through even though phase1 and phase2 are up. For example, the sniffer log shows the ICMP echo request and echo reply going through the tunnel interface, but in fact the ICMP request sender didn't receive the ICMP reply packets.
The VPN returned to normal automatically after 12 hours [43200s], after the phase2 was rekeyed, or by resetting the tunnel directly.
This issue has happened twice, so I am just afraid it will happen a 3rd time.
diagnose debug application ike -1
diagnose debug enable
ike 0:VPN: HA state master(2)
ike 0:VPN:7: dec XXXXX
ike 0:VPN:7: received informational request
ike 0:VPN:7: enc XXXXX
ike 0:VPN:7: out XXXXX
ike 0:VPN:7: sent IKE msg (INFORMATIONAL_RESPONSE): x.x.x.x:500->x.x.x.x:500, len=80, vrf=0, id=XXXXX
ike 0: comes x.x.x.x:500->x.x.x.x:500,ifindex=10,vrf=0....
ike 0: IKEv2 exchange=INFORMATIONAL id=XXXXX len=80
ike 0: in XXXXX
ike 0:VPN: HA state master(2)
ike 0:VPN:7: dec XXXXX
ike 0:VPN:7: received informational request
ike 0:VPN:7: enc XXXXX
ike 0:VPN:7: out XXXXX
ike 0:VPN:7: sent IKE msg (INFORMATIONAL_RESPONSE): x.x.x.x:500->x.x.x.x:500, len=80, vrf=0, id=XXXXX
ike 0: comes x.x.x.x:500->x.x.x.x:500,ifindex=10,vrf=0....
ike 0: IKEv2 exchange=INFORMATIONAL id=XXXXX len=80
ike 0: in XXXXX
... (the same messages keep looping)
When the IPsec is normal:
HA IPsec end ESP seqno=xxxxx, num=x
I also opened a ticket in the portal. Support recommended upgrading to v7.2.11, but the customer hit another bug in v7.2.11 on another FW, so we would prefer not to upgrade them at the moment.
Has anyone seen this before? Thanks for your help!
Thanks, I also found this KB about the INFORMATIONAL state, but it doesn't mention why the messages just keep looping.