This can cause occasional packet drops or unstable network communication.
Environment
Next-Generation Firewall (Any PAN-OS)
Prisma Access for Networks
Prisma Access Service Connection
Cause
One reason a tunnel flaps or stops passing traffic is that the SPI number is not stable.
A mismatch in the IKE/IPSec configuration can make the tunnel rekey repeatedly, so the SPI changes far more often than the configured lifetime would predict.
A security association is uniquely identified by a triple consisting of a Security Parameter Index (SPI), an IP destination address, and a security protocol (AH or ESP) identifier. The SPI is an arbitrary 32-bit value that the receiver uses to map an incoming packet to the SA to which it should be bound.
The SPI number should remain the same until the tunnel renegotiates at the end of its lifetime. If the SPI keeps changing between renegotiation intervals, the tunnel is not stable.
EXAMPLE: In both screenshots, the SPI number is changing.
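As an added illustration (this is not code from the original article or from Palo Alto Networks), the following script turns the observation above into a check: given periodic polls of a tunnel's inbound and outbound SPIs, it counts SPI changes and flags the tunnel when the rekey rate is far higher than the phase 2 lifetime allows. The poll line format and the sample data are constructed for this example and are not PAN-OS CLI output.

```python
"""Added example (not part of the original article): detect an unstable SPI
from periodic polls of a tunnel's IPsec SA.

Assumed input format (hypothetical, not PAN-OS CLI output): one line per poll,
'<epoch> <tunnel-name> <inbound-spi-hex> <outbound-spi-hex>', written by a
script that records the active SA at a fixed interval.
"""
from dataclasses import dataclass


@dataclass
class SaPoll:
    ts: int        # epoch seconds of the poll
    tunnel: str
    spi_in: int    # inbound SPI (32-bit)
    spi_out: int   # outbound SPI (32-bit)


def parse_polls(text: str) -> list[SaPoll]:
    polls = []
    for line in text.strip().splitlines():
        ts, tunnel, spi_in, spi_out = line.split()
        spis = (int(spi_in, 16), int(spi_out, 16))
        # An SPI is a 32-bit value; anything else means the poll was misparsed.
        if any(not 0 <= s <= 0xFFFFFFFF for s in spis):
            raise ValueError(f"SPI out of 32-bit range in line: {line!r}")
        polls.append(SaPoll(int(ts), tunnel, *spis))
    return polls


def rekey_events(polls):
    """(ts, direction, old_spi, new_spi) for every SPI change between consecutive polls."""
    events = []
    for prev, cur in zip(polls, polls[1:]):
        if cur.spi_in != prev.spi_in:
            events.append((cur.ts, "inbound", prev.spi_in, cur.spi_in))
        if cur.spi_out != prev.spi_out:
            events.append((cur.ts, "outbound", prev.spi_out, cur.spi_out))
    return events


def spi_unstable(polls, lifetime_sec, tolerance=2.0):
    """True if either direction rekeyed far more often than the phase 2 lifetime allows.

    A stable tunnel rekeys about once per lifetime; allow one extra rekey for the
    start of the window and 'tolerance' times that for soft-lifetime jitter.
    """
    if len(polls) < 2:
        return False
    span = polls[-1].ts - polls[0].ts
    allowed = tolerance * (span / lifetime_sec + 1)
    counts = {"inbound": 0, "outbound": 0}
    for _, direction, _, _ in rekey_events(polls):
        counts[direction] += 1
    return any(n > allowed for n in counts.values())


# Constructed samples: 11 polls, 60 s apart, over a 10-minute window.
HEALTHY_POLLS = "\n".join(
    f"{1700000000 + 60 * i} tun-hq 0x0a1b2c3d 0x4e5f6a7b" for i in range(11))
# Same window, but the SPI pair changes every second poll (a rekey every 2 min).
UNSTABLE_POLLS = "\n".join(
    f"{1700000000 + 60 * i} tun-hq {0xc0000000 + i // 2:#010x} {0xd0000000 + i // 2:#010x}"
    for i in range(11))

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_POLLS), ("unstable", UNSTABLE_POLLS)):
        polls = parse_polls(sample)
        print(name, "rekeys:", len(rekey_events(polls)),
              "unstable:", spi_unstable(polls, lifetime_sec=3600))
```

With a 3600-second phase 2 lifetime, the healthy sample shows no SPI change and the unstable sample shows five changes per direction in ten minutes, which the check flags. The same unstable sample is not flagged when the lifetime passed in is 120 seconds, because at that lifetime a rekey every two minutes is the expected behaviour; always compare against the lifetime actually configured in the IPSec crypto profile.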
Resolution
Check the lifetimes of phase 1 and phase 2: the time values in the IKE and IPSec crypto profiles should match those configured on the peer device. A shorter lifetime on one side makes that side initiate rekeys on its own schedule.
Check whether the proxy IDs match. The local and remote subnets must mirror each other on the two peers (one side's local subnet is the other side's remote subnet). See this article for more details on proxy IDs.
Collect the tech support file from the firewall at the time of the issue so the logs can be analysed later. (For Prisma Access, collect the logs from the on-premises device and contact the support team with the issue details so that logs can be collected on the Prisma Access side.)
Check ikemgr.log at the time of the issue for the details of the IKE negotiation and rekeys.
If tunnel monitoring is turned on on either of the VPN endpoints, ensure there are security rules that allow the monitoring traffic.
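The first two checks above (matching lifetimes and mirrored proxy IDs) are easy to get wrong by eye when each side has several proposals and subnets. The following added example (not from the original article or from Palo Alto Networks) compares the two peers' settings and lists every mismatch. The dictionary layout and the values are constructed for this example; they are not a PAN-OS configuration format.

```python
"""Added example (not part of the original article): list IKE/IPsec setting
mismatches between two VPN peers that can cause repeated rekeys.

The dictionary layout below is hypothetical. Proxy IDs are stored as
(local subnet, remote subnet, protocol) as seen from that peer's own side.
"""
from ipaddress import ip_network

# Constructed configuration of the local firewall.
LOCAL_SIDE = {
    "ike": {"dh_group": "group14", "encryption": {"aes-256-cbc"},
            "auth": {"sha256"}, "lifetime_sec": 28800},
    "ipsec": {"protocol": "esp", "encryption": {"aes-256-gcm"},
              "auth": {"none"}, "pfs_group": "group14", "lifetime_sec": 3600},
    "proxy_ids": {("10.1.0.0/24", "192.168.5.0/24", "any"),
                  ("10.1.1.0/24", "192.168.5.0/24", "any")},
}
# Constructed configuration of the peer: shorter phase 2 lifetime and one
# proxy ID missing compared with the local side.
PEER_SIDE = {
    "ike": {"dh_group": "group14", "encryption": {"aes-256-cbc", "aes-128-cbc"},
            "auth": {"sha256"}, "lifetime_sec": 28800},
    "ipsec": {"protocol": "esp", "encryption": {"aes-256-gcm"},
              "auth": {"none"}, "pfs_group": "group14", "lifetime_sec": 1800},
    "proxy_ids": {("192.168.5.0/24", "10.1.0.0/24", "any")},
}


def _norm(cidr):
    """Canonical CIDR text so 10.1.0.1/24 and 10.1.0.0/24 compare equal."""
    return str(ip_network(cidr, strict=False))


def mirrored_proxy_ids(proxy_ids):
    """The proxy IDs as the other peer must configure them: local/remote swapped."""
    return {(_norm(r), _norm(l), p) for (l, r, p) in proxy_ids}


def find_mismatches(local, peer):
    problems = []
    for phase in ("ike", "ipsec"):
        a, b = local[phase], peer[phase]
        # Algorithm lists only need a common member; a negotiation picks one.
        for key in ("encryption", "auth"):
            if not a[key] & b[key]:
                problems.append(f"{phase}: no common {key} algorithm "
                                f"({sorted(a[key])} vs {sorted(b[key])})")
        # Groups and protocol must be identical on both sides.
        for key in ("dh_group", "pfs_group", "protocol"):
            if key in a and a[key] != b.get(key):
                problems.append(f"{phase}: {key} differs ({a[key]} vs {b.get(key)})")
        if a["lifetime_sec"] != b["lifetime_sec"]:
            problems.append(f"{phase}: lifetime differs "
                            f"({a['lifetime_sec']}s vs {b['lifetime_sec']}s)")
    local_ids = {(_norm(l), _norm(r), p) for (l, r, p) in local["proxy_ids"]}
    expected = mirrored_proxy_ids(peer["proxy_ids"])
    for pid in sorted(local_ids - expected):
        problems.append(f"proxy-id {pid} configured locally but not on peer")
    for pid in sorted(expected - local_ids):
        problems.append(f"proxy-id {pid} configured on peer but not locally")
    return problems


if __name__ == "__main__":
    for problem in find_mismatches(LOCAL_SIDE, PEER_SIDE):
        print(problem)
```

Run against the constructed data, the comparison reports two problems: the phase 2 lifetime differs (3600 s versus 1800 s) and the 10.1.1.0/24 proxy ID exists only on the local side. The extra IKE encryption proposal on the peer is not reported, because the two sides still share aes-256-cbc.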
Additional Information
Use the following articles for advanced troubleshooting and log analysis of IPSec issues.