Hi, WDNJSQ!
Sep 11 2019 13:06:46.718.2+03:00 PM9-MIRINET-R1 %%01ADP-IPSEC/5/TunnelStateSwitched(l)[24]: The IPSec tunnel state is switched DOWN. (local-IP: 185.170.0.122, remote-IP: 195.158.31.134, OfflineReason: hard expire)
Logs show that the IPsec tunnel crashed due to hard expire.
In the documentation, this point is described as follows: https://support.huawei.com/hedex/pages/EDOC1100069307AEI0304P/02/EDOC1100069307AEI0304P/02/resources/dc/dc_cfg_IPsec_0012.html?ft=0&fe=10&hib=8.3.10.7.7.4&id=dc_cfg_IPsec_0012&text=(Optional) Setting the IPSec SA Lifetime&docid=EDOC1100069307
And you can see from the above document that the IPSec SA hard lifetime is 3600s. If there is any network issue (for example: ISP link down or unreachable route) while the new IPSec SA is being negotiated (3 times: 70%-80%-90% of 3600s), then at 3600s the IPSec SA will hard expire.
Example:
Attempts to install the new IPSec SA 3 times, at 70%-80%-90% of 3600 sec:
1. IPSec SA negotiation should have been at 12:48
2. IPSec SA negotiation should have been at 12:54
3. IPSec SA negotiation should have been at 13:00
3 times the installation of the new SA failed, and upon reaching 60 minutes (13:06) the IPSec tunnel fell. The tunnel went up on September 11 at 13:17:20, so network problems lasted about 30 minutes.
Something happened to the network before the IPsec tunnel crashed, which made it impossible to install new SAs, and led to the IPSec tunnel down event on the 3600th second.
The duration of the fall of the tunnel is due to the same reason.
Please check or monitor the intermediate network between IPsec peers.
It is possible to configure DPD to speed up the detection of tunnel problems.
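
The timeline worked out above can be derived from the log line itself, which tells you which window of the intermediate network's monitoring data to inspect. This is an added example, not part of the original reply or Huawei tooling; `rekey_timeline` is a hypothetical helper, and it assumes the 3600 s hard lifetime and the 70%-80%-90% renegotiation schedule stated in the reply.

```python
import re
from datetime import datetime, timedelta, timezone

# Tolerates the spacing seen in the pasted log as well as the compact form.
LOG_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+"
    r"(?P<h>\d{2})\s*:\s*(?P<m>\d{2})\s*:\s*(?P<s>\d{2})\S*\s*"
    r"(?P<sign>[+-])\s*(?P<oh>\d{2})\s*:\s*(?P<om>\d{2})\s+(?P<host>\S+)"
    r".*?TunnelStateSwitched.*?switched\s+(?P<state>\w+)"
    r".*?local-IP:\s*(?P<local>[\d.]+),\s*remote-IP:\s*(?P<remote>[\d.]+)"
    r",\s*OfflineReason:\s*(?P<reason>[^)]+)\)"
)

def rekey_timeline(line, lifetime_s=3600, percents=(70, 80, 90)):
    """For a 'hard expire' DOWN event, return when the expired SA was
    installed and when each renegotiation attempt should have happened.
    Returns None for any other log line."""
    m = LOG_RE.search(line)
    if not m or m["state"] != "DOWN" or m["reason"].strip() != "hard expire":
        return None
    off = timedelta(hours=int(m["oh"]), minutes=int(m["om"]))
    tz = timezone(off if m["sign"] == "+" else -off)
    stamp = f'{m["mon"]} {m["day"]} {m["year"]} {m["h"]}:{m["m"]}:{m["s"]}'
    expired = datetime.strptime(stamp, "%b %d %Y %H:%M:%S").replace(tzinfo=tz)
    installed = expired - timedelta(seconds=lifetime_s)
    attempts = [installed + timedelta(seconds=lifetime_s * p // 100)
                for p in percents]
    return {"host": m["host"], "local": m["local"], "remote": m["remote"],
            "sa_installed": installed, "rekey_attempts": attempts,
            "hard_expire": expired}

# Log line from the post above, with the spacing it was pasted with.
SAMPLE = ("Sep 11 2019 13: 06: 46.718.2 + 03: 00 PM9-MIRINET-R1 %% 01ADP-IPSEC"
          " / 5 / TunnelStateSwitched (l) [24]: The IPSec tunnel state is "
          "switched DOWN. (local-IP: 185.170.0.122, remote-IP: 195.158.31.134,"
          " OfflineReason: hard expire)")

if __name__ == "__main__":
    t = rekey_timeline(SAMPLE)
    print(f'{t["host"]}: {t["local"]} -> {t["remote"]}')
    print("SA installed:", t["sa_installed"].isoformat())
    for pct, when in zip((70, 80, 90), t["rekey_attempts"]):
        print(f"  rekey attempt at {pct}%: {when:%H:%M:%S}")
    print("Check the path between the peers from",
          f'{t["rekey_attempts"][0]:%H:%M} to {t["hard_expire"]:%H:%M}')
```
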