Hi,
Two days ago I configured 4 x GRE / IPSec tunnels on my CCR running 6.42.12. I use this exact same configuration elsewhere successfully on a CCR running 6.42.6. All 4 tunnels were up and stable and BGP neighbours connected and exchanging routes as expected.
Yesterday morning I noticed that one of the tunnels was down. The log indicates ph2 cannot establish and the log is flooded with “ipsec failed to pre-process ph2 packet”. The policy for the tunnel was marked in red (I recall this was usually an indication that the policy was invalid).
Anyways I went through the process of clearing all SAs, enabling and disabling the peer, the policy, the associated addresses etc. multiple times without the ph2 re-establishing. Resetting the tunnel from the far end also had no effect. I deleted the peer and policy and recreated with the exact same result. I double checked all configs making 100% sure there were no overlapping subnets but I could not find any issue. None of the other 3 tunnels showed the same behavior.
At some stage I left the policy disabled for quite a while (guessing > 30 mins). After enabling it, to my surprise, the ph2 established. I was just wondering if this is perhaps known behavior that was introduced somewhere between 6.42.6 and 6.42.12? Or any other thoughts?
It still seems stable ever since.
Thanks