08/03/2020
This article details the rare symptoms of the IKEv2 Out of Memory error and how to resolve it.
Symptoms:
IKEv2 VPN tunnel interfaces are unable to re-negotiate once the SA lifetime expires. The GUI logs display an IKEv2 Out of Memory error, and once the firewall has run out of memory a reboot is required to re-establish the existing tunnel(s). These symptoms are caused by a misconfiguration: the VPN has been bound to an incorrect interface. With this misconfiguration in place the tunnel can never establish locally, although the hardware at the remote end may show the tunnel as up while it re-negotiates. After thousands of failed attempts to complete a phase one negotiation, with the firewall left in this misconfigured state for an extended period of time, the memory allocated for phase one negotiations runs out. In this condition the firewall can no longer process IKEv2 phase 1 negotiations until it is restarted or the misconfiguration is corrected.
The following conditions exist for this error:
1) The VPN is bound to an incorrect interface for an extended period of time, more than one day.
2) The incorrect interface selected is not a WAN interface.
3) The VPN tunnel has an all zero gateway (0.0.0.0) (Tunnel Interface).
4) More than one tunnel interface exists; this is required for the phase one negotiations of the other tunnel interfaces to be impacted.
Check every configured IKEv2 tunnel interface VPN and confirm that the correct local WAN interface has been selected in the VPN tunnel configuration. Tunnels known to be working as expected do not need to be checked, because a VPN tunnel cannot establish when it is bound to an incorrect interface; start with tunnels that have never been active.
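As an added defender-side audit (not part of the original article, nor any firewall vendor's tooling), the following Python script flags policies that match the conditions above and lists never-active tunnels first. The policy record layout, the WAN interface names and the sample policies are constructed assumptions; a real policy export would need to be mapped into this shape.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed assumption: interfaces assigned to the WAN zone on this firewall.
WAN_INTERFACES = {"X1", "X2"}

@dataclass
class VpnPolicy:
    """One VPN policy; the field layout is an assumption for this example."""
    name: str
    ike_version: int          # 1 or 2
    tunnel_interface: bool    # policy type "Tunnel Interface"
    gateway: str              # remote gateway; "0.0.0.0" means any
    bound_interface: str      # local interface selected in the policy
    bound_since: datetime     # when the policy was last saved/enabled
    ever_active: bool         # whether the tunnel has ever come up

def at_risk(policy: VpnPolicy, now: datetime) -> bool:
    """Conditions 1-3 from the article: IKEv2 tunnel interface with an
    all-zero gateway, bound to a non-WAN interface for more than one day."""
    return (policy.ike_version == 2
            and policy.tunnel_interface
            and policy.gateway == "0.0.0.0"
            and policy.bound_interface not in WAN_INTERFACES
            and now - policy.bound_since > timedelta(days=1))

def audit(policies, now: datetime) -> dict:
    """Return suspect policy names, never-active ones first, plus whether
    condition 4 holds (more than one tunnel interface, so the exhausted
    phase one memory also blocks the other tunnels' negotiations)."""
    tunnels = [p for p in policies if p.ike_version == 2 and p.tunnel_interface]
    suspects = sorted((p for p in tunnels if at_risk(p, now)),
                      key=lambda p: p.ever_active)
    return {"suspects": [p.name for p in suspects],
            "other_tunnels_affected": bool(suspects) and len(tunnels) > 1}

# Constructed sample: one policy misbound to LAN interface X0 for a month, one
# bound correctly, one IKEv1 site-to-site (out of scope), one misbound for 12h.
NOW = datetime(2020, 8, 3)
SAMPLE_POLICIES = [
    VpnPolicy("to-branch-a", 2, True, "0.0.0.0", "X0", datetime(2020, 7, 1), False),
    VpnPolicy("to-branch-b", 2, True, "0.0.0.0", "X1", datetime(2020, 7, 1), True),
    VpnPolicy("hq-site", 1, False, "203.0.113.5", "X1", datetime(2020, 7, 1), True),
    VpnPolicy("to-branch-c", 2, True, "0.0.0.0", "X3", datetime(2020, 8, 2, 12), False),
]

def run_audit() -> dict:
    return audit(SAMPLE_POLICIES, NOW)
```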
ISSUE ID:
215736