- Disabled supernetting as a global change (sk101219)
- Update the user.def file (sk44852) with the specific IP range
;[cpu_11];[fw4_0];fw_log_drop_ex: Packet proto=1 100.140.225.136:2048 -> 172.116.202.134:17162 dropped by fwhold_expires Reason: held chain expired;
The IPsec gateway is dropping the packet with the reason "held chain expired".
A drop for "held chain expired" indicates that the IKE key exchange is failing or not completing in a timely manner (the packet is held while the tunnel is negotiated, and the hold timer expires before a SA is established). We need the IKE debug to see the key exchange data and understand why it is failing.
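To see which peer pairs are affected before turning on the debug, the drop lines from the kernel can be parsed and counted per source/destination pair. This is an added example, not part of the original notes; the log lines below are constructed in the same format as the drop shown above, with made-up addresses.

```python
import re
from collections import Counter

# Constructed sample of fw_log_drop_ex messages (same format as the drop shown
# above); addresses, CPUs and the non-VPN rulebase drop are made up.
SAMPLE_DROPS = """\
;[cpu_11];[fw4_0];fw_log_drop_ex: Packet proto=1 100.140.225.136:2048 -> 172.116.202.134:17162 dropped by fwhold_expires Reason: held chain expired;
;[cpu_3];[fw4_1];fw_log_drop_ex: Packet proto=6 100.140.225.136:51002 -> 172.116.202.134:443 dropped by fwhold_expires Reason: held chain expired;
;[cpu_3];[fw4_1];fw_log_drop_ex: Packet proto=6 100.140.225.137:51003 -> 172.116.202.140:443 dropped by fwhold_expires Reason: held chain expired;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 10.1.1.5:500 -> 10.2.2.9:500 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
"""

# One drop message per line: protocol, src:port -> dst:port, dropping function, reason.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>[^;]+);"
)


def parse_drops(text):
    """Return one dict per fw_log_drop_ex line; lines that do not match are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["proto"] = int(d["proto"])
            drops.append(d)
    return drops


def held_chain_summary(text):
    """Count 'held chain expired' drops per (src, dst) pair, ignoring other drop reasons.

    Pairs with many counts point at the tunnel whose IKE exchange is not completing.
    """
    counts = Counter()
    for d in parse_drops(text):
        if d["func"] == "fwhold_expires" and d["reason"].strip() == "held chain expired":
            counts[(d["src"], d["dst"])] += 1
    return counts


if __name__ == "__main__":
    for (src, dst), n in held_chain_summary(SAMPLE_DROPS).most_common():
        print(f"{n:4d}  {src} -> {dst}")
```

Feed it the saved output of a drop debug (for example a `fw ctl zdebug drop` capture) instead of the sample text to get the per-pair counts for a live gateway.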
We need to start by running a simple IKE debug so we can see what IDs and other parameters we are proposing to the peer device for this network. This debug is very light and should not cause any issues in most cases.
To enable the debug on the gateway, run the following commands from the expert mode prompt:
vpn debug trunc
vpn debug off
Note: 'vpn debug trunc' will turn on both the IKE and the vpnd debug. It will also rotate the log files. 'vpn debug off' will turn off the vpnd debug, which we do not need at this stage. It will leave the IKE debug running, which is what we want.
Leave the IKE debug running until you reproduce the problem. Once the problem has been reproduced, run:
vpn debug ikeoff
Then, collect the following files for analysis: $FWDIR/log/ike*
Open the collected files with ikeview.exe (IKEView) to read the IKE exchange.