BOVPN Enters Error State After Fireware Upgrade
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
After a Fireware version upgrade, a BOVPN tunnel can enter an error state when an issue occurs in the IKED process. IKED is the IKE daemon that runs the Internet Key Exchange (IKE) protocol on a Firebox. If the IKED process cannot complete certificate revocation list (CRL) validation or if a known defect affects IKED operation, it disrupts all active tunnel negotiations.
Symptoms
When an issue in the IKED process causes the error state, it typically presents these symptoms:
- The BOVPN tunnel enters an error state after the Fireware upgrade.
- The IKED process reports a status of bad.
- BOVPN tunnels fail simultaneously.
- The Firebox does not pass encrypted traffic.
- A restart of IKED temporarily restores tunnel function.
- Firebox log messages indicate that IKED cannot complete VPN negotiation due to a blocked CRL validation request or internal process failure. Example:
iked: process status bad
iked: CRL verification request blocked
iked: tunnel negotiation failed
Diagnostic Steps
For the affected Firebox, complete these steps:
- Review log messages and verify the status of the IKED process. Confirm whether the system reports IKED as bad.
- Review Firebox log messages for IKED, certificate, or CRL-related errors.
- From the Firebox, review the LDAP server configuration and verify whether LDAP CRL verification is enabled.
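The first two diagnostic steps can be partly automated when you export Firebox log messages to a file or SIEM. The following Python script is an added example, not part of the original article or any WatchGuard tool: it scans log lines for the three IKED messages quoted above, records which of them appear, and maps the result to the two causes in the table below (a blocked CRL verification request points at LDAP CRL verification; any other IKED fault points at the fault reports). The timestamp and hostname prefix on the sample lines is constructed for illustration; only the `iked:` message text comes from the article.

```python
import re
from dataclasses import dataclass, field

# Message bodies taken from the log messages quoted in the article.
# Each pattern is matched against the text that follows the "iked:" tag.
MARKERS = {
    "iked_status_bad": re.compile(r"process status bad"),
    "crl_blocked": re.compile(r"CRL verification request blocked"),
    "negotiation_failed": re.compile(r"tunnel negotiation failed"),
}

# Any line carrying an "iked:" tag; the prefix before it (timestamp, host)
# is not parsed because the exact format is not part of this example.
IKED_LINE = re.compile(r"\biked:\s*(?P<msg>.+?)\s*$")


@dataclass
class IkedFindings:
    iked_status_bad: bool = False
    crl_blocked: bool = False
    negotiation_failed: bool = False
    matched_lines: list = field(default_factory=list)

    def likely_cause(self) -> str:
        """Map the observed messages to the causes listed in the article."""
        if self.crl_blocked:
            return "LDAP CRL verification"
        if self.iked_status_bad or self.negotiation_failed:
            return "IKED/certificate error"
        return "no IKED fault indicated"

    def next_step(self) -> str:
        """Suggest the diagnostic step that the article pairs with the cause."""
        cause = self.likely_cause()
        if cause == "LDAP CRL verification":
            return "Check whether LDAP CRL verification is enabled on the Firebox"
        if cause == "IKED/certificate error":
            return "Review the fault reports for IKED, certificate, or CRL errors"
        return "No action indicated by IKED log messages"


def analyze_iked_logs(lines):
    """Scan log lines and record which IKED failure messages are present."""
    findings = IkedFindings()
    for line in lines:
        m = IKED_LINE.search(line)
        if not m:
            continue  # not an IKED message
        msg = m.group("msg")
        hit = False
        for name, pattern in MARKERS.items():
            if pattern.search(msg):
                setattr(findings, name, True)
                hit = True
        if hit:
            findings.matched_lines.append(line.strip())
    return findings


# Constructed sample log excerpt: the prefix is invented, the iked: message
# text is the one the article quotes for this failure.
SAMPLE_LOG = """\
2024-06-01 08:12:03 firebox-01 iked: process status bad
2024-06-01 08:12:04 firebox-01 iked: CRL verification request blocked
2024-06-01 08:12:04 firebox-01 iked: tunnel negotiation failed
2024-06-01 08:12:05 firebox-01 kernel: constructed unrelated line
"""

if __name__ == "__main__":
    result = analyze_iked_logs(SAMPLE_LOG.splitlines())
    for line in result.matched_lines:
        print("matched:", line)
    print("likely cause:", result.likely_cause())
    print("next step:", result.next_step())
```

Run it against an exported log file with `analyze_iked_logs(open(path).readlines())`; the three markers are deliberately narrow so that a simultaneous failure across several tunnels still collapses to one cause rather than one alert per tunnel.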
Possible Causes and Solutions
| Possible Cause | Solution |
|---|---|
| LDAP CRL verification causes an error in the IKED process. | From the affected Firebox CLI, use this command to disable online CRL verification by setting the online_crl_query debug parameter to 0: |
| IKED process, certificate, or CRL-related errors. | Review the list of fault reports for errors. For more information, go to: Locally-Managed: Manage Fault Reports; Cloud-Managed: Manage Fault Reports on a Cloud-Managed Firebox |