Hello all.
Trying to create a VPN using an external interface that has two inet addresses. I know about the local-address knob and I am using it. IKE is failing, but only on the side with dual IPs. On the side with only a single IP on the external interface the ike sa reports as up, but it never reports up on the side with the two addresses. Two more details: the two addresses on the external interface are out of different subnets, and this is a chassis cluster. However, the external interface is not a reth interface. This is a standard deployment where two fixed interfaces (one on each node) do BGP upstream and have reth interfaces on the inside zones only.
As I say, the single IP side shows the ike SA up and the initiator and responder cookies match on both sides.
The side with the two addresses, which doesn't ever show the ike SA up or down, has this log entry, for which I can find no info:
"IKE negotiation failed with error: Negotiation failed as negotiation completed on backup HA node."
At that exact instant in the traceoptions log there was this:
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ike_send_notify: Connected, SA = { c069074a bb502581 - fa965fa7 4043960d}, nego = -1
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ike_sa_delete: Start, SA = { c069074a bb502581 - fa965fa7 4043960d }
So it looks to me as though the IKE is completing on both sides, but due to this mysterious "negotiation completion" issue, it immediately drops on the side with the two IPs. But why? Anyone have a clue?
Let me know if/what more information would help. Want to keep it lean to start with.
One last thing, I have made the address I'm peering with both primary and preferred.
Much appreciated,
dj
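When reading through KMD traceoptions for a symptom like the one above, it helps to correlate lines by IKE SA cookie pair rather than by eye, so that a "Connected" notify followed by an ike_sa_delete for the same SA stands out. The following is an added example, not code from the poster or from Juniper: it parses the four traceoptions lines quoted in the post (plus one constructed SA that stays up, for contrast) and flags SAs that were reported connected and then deleted. The log line layout is assumed from the quoted lines only.

```python
import re

# Constructed sample: the four KMD lines quoted in the post, plus a second
# hypothetical SA (fake cookies) that is connected and never deleted.
SAMPLE_LOG = """\
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ike_send_notify: Connected, SA = { c069074a bb502581 - fa965fa7 4043960d}, nego = -1
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ike_sa_delete: Start, SA = { c069074a bb502581 - fa965fa7 4043960d }
[Jan 31 16:07:10 PIC 2/5/0 KMD1]ike_send_notify: Connected, SA = { 11111111 22222222 - 33333333 44444444}, nego = -1
"""

# Layout assumed from the quoted lines: [timestamp PIC slot process]function: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) PIC (?P<pic>\S+) (?P<proc>\w+)\]"
    r"(?P<func>\w+): (?P<msg>.*)$"
)
# Initiator and responder cookies as printed inside "SA = { ... }"
SA_RE = re.compile(
    r"SA = \{ *(?P<icookie>[0-9a-f]{8} [0-9a-f]{8}) - (?P<rcookie>[0-9a-f]{8} [0-9a-f]{8}) *\}"
)


def parse_kmd_lines(text):
    """Yield one dict per KMD line; cookies are None when the line names no SA."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        sa = SA_RE.search(rec["msg"])
        rec["icookie"] = sa.group("icookie").replace(" ", "") if sa else None
        rec["rcookie"] = sa.group("rcookie").replace(" ", "") if sa else None
        yield rec


def find_connect_then_delete(text):
    """Return (icookie, rcookie, delete_ts) for every SA that reached
    'Connected' and was afterwards torn down by ike_sa_delete."""
    connected = {}
    flapped = []
    for rec in parse_kmd_lines(text):
        if rec["icookie"] is None:
            continue  # tunnel-table housekeeping lines carry no cookies
        key = (rec["icookie"], rec["rcookie"])
        if rec["func"] == "ike_send_notify" and rec["msg"].startswith("Connected"):
            connected[key] = rec["ts"]
        elif rec["func"] == "ike_sa_delete" and key in connected:
            flapped.append((key[0], key[1], rec["ts"]))
    return flapped
```

Run over a full traceoptions capture from both peers, the cookie pairs let you confirm which side's delete follows the matching connect, which is the check the post describes doing by hand.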