Keerthi_A
Staff
Article Id 268237
Description This article describes the issue where VPN phase 1 is not coming up for a route-based VPN and the debug logs are showing the message: 'ignoring IKEv2 request, primary is still active'.
Scope FortiGate.
Solution

This article assumes that both the primary and backup tunnels have already been configured and that the primary tunnel is up, but the secondary tunnel cannot be brought up.


When validating the IKE debug logs for the secondary tunnel, the message 'ignoring IKEv2 request, primary is still active' will appear.

This message appears when a monitor is configured on the secondary tunnel to monitor the status of the primary tunnel. With 'monitor' set, the secondary tunnel acts as a backup that is only negotiated once the primary tunnel goes down, so while the primary is active the FortiGate ignores IKEv2 requests for the secondary tunnel.


For Example:

'ipsec' is the primary tunnel that is up, and 'ipsec2' is the secondary tunnel on which the monitor is configured for the primary tunnel.


config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set dhgrp 14
        set fec-egress enable
        set fec-codec xor
        set fec-ingress enable
        set remote-gw x.x.x.x
        set psksecret XXX
    next
    edit "ipsec2"
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set dhgrp 14
        set fec-egress enable
        set fec-codec xor
        set fec-ingress enable
        set remote-gw y.y.y.y
        set monitor "ipsec"    -> monitor the primary tunnel 'ipsec'.
        set psksecret XXX
    next
end

To remedy this, disable the monitor on the secondary tunnel using the following commands (note the 'next' that closes the 'edit' entry before 'end'):

config vpn ipsec phase1-interface
    edit "ipsec2"
        unset monitor
    next
end
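As an added example that is not part of this article or of FortiOS, the following Python script parses a 'config vpn ipsec phase1-interface' block in the CLI format shown above and lists which tunnels are configured as backups via 'set monitor'. Those are the tunnels that are expected to stay down, with 'ignoring IKEv2 request, primary is still active' in the IKE debug, while the tunnel they monitor is up. The embedded configuration is a constructed sample with the placeholder gateway addresses kept as-is.

```python
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the phase1-interface block from
# this article, where 'ipsec2' monitors the primary tunnel 'ipsec'.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "port1"
        set ike-version 2
        set remote-gw x.x.x.x
    next
    edit "ipsec2"
        set interface "port2"
        set ike-version 2
        set remote-gw y.y.y.y
        set monitor "ipsec"
    next
end
"""


def parse_phase1(config: str) -> Dict[str, Dict[str, str]]:
    """Parse the phase1-interface block into {tunnel_name: {setting: value}}."""
    tunnels: Dict[str, Dict[str, str]] = {}
    current = None
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_block = True
        elif not in_block:
            continue  # skip anything outside the block we care about
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            break
    return tunnels


def backup_tunnels(tunnels: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (backup, primary) pairs for every tunnel that has 'monitor' set.
    Such a backup only negotiates after its primary goes down."""
    return [(name, s["monitor"]) for name, s in tunnels.items() if s.get("monitor")]


def dangling_monitors(tunnels: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Monitors that point at a phase1 name not defined in the same block."""
    return [(b, p) for b, p in backup_tunnels(tunnels) if p not in tunnels]
```

Running `backup_tunnels(parse_phase1(SAMPLE_CONFIG))` on the sample reports that 'ipsec2' is a backup for 'ipsec', which explains the debug message as long as 'ipsec' is up.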


Related article:

Technical Tip: IPsec VPN - Site-to-Site tunnel monitor.