Hi there,

After upgrading to 19.2.7, one of our MXs, which is behind the ISP's NAT, stopped connecting to a 3rd-party (2 Cisco ISR 4331s connected to different ISPs) IPsec VPN. The ISR debug showed that phase 1 went up as well as phase 2, but the MX sent a DELETE request immediately after:

.Feb 25 10:00:41.854: IKEv2:(SESSION ID = 159143,SA ID = 3):IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
.Feb 25 10:00:41.855: IKEv2:(SESSION ID = 159143,SA ID = 3):Session with IKE ID PAIR (192.168.15.150, b.b.b.b) is UP
.Feb 25 10:00:41.855: IKEv2:(SESSION ID = 159143,SA ID = 3):Load IPSEC key material
.Feb 25 10:00:41.867: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
.Feb 25 10:00:41.869: IKEv2:(SESSION ID = 159143,SA ID = 3):Checking for duplicate IKEv2 SA
.Feb 25 10:00:41.870: IKEv2:(SESSION ID = 159143,SA ID = 3):No duplicate IKEv2 SA found
.Feb 25 10:00:41.870: IKEv2:(SESSION ID = 159143,SA ID = 3):Starting timer (8 sec) to delete negotiation context
.Feb 25 10:00:41.909: IKEv2:(SESSION ID = 159143,SA ID = 3):Received Packet [From a.a.a.a:49046/To b.b.b.b:4500/VRF i0:f0]
Initiator SPI : C4C9AF3132F5CF14 - Responder SPI : 0B717D003BAAC05E Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 DELETE
.Feb 25 10:00:41.910: IKEv2:(SESSION ID = 159143,SA ID = 3):Building packet for encryption.
Payload contents:
 DELETE
.Feb 25 10:00:41.911: IKEv2:(SESSION ID = 159143,SA ID = 3):Sending Packet [To a.a.a.a:49046/From b.b.b.b:4500/VRF i0:f0]
Initiator SPI : C4C9AF3132F5CF14 - Responder SPI : 0B717D003BAAC05E Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
 ENCR
.Feb 25 10:00:41.912: IKEv2:(SESSION ID = 159143,SA ID = 3):Process delete request from peer
.Feb 25 10:00:41.912: IKEv2:(SESSION ID = 159143,SA ID = 3):Processing DELETE INFO message for IPsec SA [SPI: 0xC315EF2A]
.Feb 25 10:00:41.912: IKEv2:(SESSION ID = 159143,SA ID = 3):Check for existing active SA
.Feb 25 10:00:41.913: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down

a.a.a.a is the MX external (translated) IP, b.b.b.b is the ISR IP. After we reverted the fw to 19.11.1, tunnels established w/o any problem. Other MXs, which aren't behind NAT, don't have that problem; that's why I think it's related to NAT-T.

Best regards,
Vladimir
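Added example, not part of the original post: a Python check that scans this kind of ISR IKEv2 debug output for a peer DELETE request arriving shortly after the IKE SA is created, and records the peer's source port and whether the packet arrived on UDP 4500. The function names and the 5-second window are assumptions chosen for illustration; the sample lines are excerpted from the post.

```python
import re
from datetime import datetime

# Excerpt of the ISR debug output quoted in the post (addresses are masked there).
SAMPLE = """\
.Feb 25 10:00:41.854: IKEv2:(SESSION ID = 159143,SA ID = 3):IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
.Feb 25 10:00:41.855: IKEv2:(SESSION ID = 159143,SA ID = 3):Session with IKE ID PAIR (192.168.15.150, b.b.b.b) is UP
.Feb 25 10:00:41.909: IKEv2:(SESSION ID = 159143,SA ID = 3):Received Packet [From a.a.a.a:49046/To b.b.b.b:4500/VRF i0:f0]
Initiator SPI : C4C9AF3132F5CF14 - Responder SPI : 0B717D003BAAC05E Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 DELETE
.Feb 25 10:00:41.912: IKEv2:(SESSION ID = 159143,SA ID = 3):Processing DELETE INFO message for IPsec SA [SPI: 0xC315EF2A]
"""

STAMP = re.compile(r"[.*]?([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d{3}): ")
SESSION = re.compile(r"IKEv2:\(SESSION ID = (\d+),SA ID = (\d+)\):(.*)")
PACKET = re.compile(r"Received Packet \[From (\S+?):(\d+)/To (\S+?):(\d+)/")

def entries(text):
    """Yield (timestamp, message); continuation lines are folded into the message."""
    marks = list(STAMP.finditer(text))
    for cur, nxt in zip(marks, marks[1:] + [None]):
        body = text[cur.end():nxt.start() if nxt else len(text)]
        # The debug timestamp has no year; 2000 is an arbitrary leap year for parsing.
        ts = datetime.strptime("2000 " + cur.group(1), "%Y %b %d %H:%M:%S.%f")
        yield ts, " ".join(body.split())

def early_deletes(text, window=5.0):
    """Return peer DELETE requests received within `window` seconds of IKE SA creation."""
    created, findings = {}, []
    for ts, body in entries(text):
        m = SESSION.match(body)
        if not m:
            continue  # not an IKEv2 debug entry, e.g. %LINEPROTO
        key, msg = (int(m.group(1)), int(m.group(2))), m.group(3)
        pkt = PACKET.search(msg)
        if "IKEV2 SA created" in msg:
            created[key] = ts
        elif (pkt and key in created and "INFORMATIONAL Exchange REQUEST" in msg
              and re.search(r"Payload contents:.*\bDELETE\b", msg)):
            delta = (ts - created[key]).total_seconds()
            if 0 <= delta <= window:
                findings.append({"session": key[0], "sa": key[1], "seconds_after_up": delta,
                                 "peer": pkt.group(1), "peer_port": int(pkt.group(2)),
                                 "nat_t": pkt.group(4) == "4500"})
    return findings

if __name__ == "__main__":
    print(early_deletes(SAMPLE))
```

It accepts both one-entry-per-line logs and output that has been pasted as a single run of text, since entries are split on the timestamp prefix rather than on newlines.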