<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IPsec VPN between Fortigate and Palo Alto in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586190#M3168</link>
    <description>&lt;P&gt;Hello, I've found an error... The IPsec SA keeps being established and going down every second or two seconds. I don't know why, but at least it's a clue.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="luishoracioarizaga_0-1715178295937.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59582i883D5B24E6EF3CE5/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="luishoracioarizaga_0-1715178295937.png" alt="luishoracioarizaga_0-1715178295937.png" /&gt;&lt;/span&gt;&lt;/P&gt;
</description>
    <pubDate>Wed, 08 May 2024 14:25:19 GMT</pubDate>
    <dc:creator>luishoracio.arizaga</dc:creator>
    <dc:date>2024-05-08T14:25:19Z</dc:date>
    <item>
      <title>IPsec VPN between Fortigate and Palo Alto (slowness)</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586169#M3160</link>
      <description>&lt;P&gt;Hello, I've established a VPN w/ a Fortigate using a PA-1410. Connections are extremely slow. Can someone provide some guidance to troubleshoot the issues, please? Here are some outputs.&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;tunnel  X:XX
        id:                     35
        type:                   IPSec
        gateway id:             14
        local ip:               X.X.X.X
        peer ip:                X.X.X.X
        inner interface:        tunnel.9
        outer interface:        ethernet1/1
        state:                  active
        session:                837652
        tunnel mtu:             1400
        soft lifetime:          3510
        hard lifetime:          3600
        lifetime remain:        3599 sec
        lifesize remain:        4607999 kb
        latest rekey:           1 seconds ago
        monitor:                off
          monitor packets seen: 0
          monitor packets reply:0
        en/decap context:       4371
        local spi:              DD9790D6
        remote spi:             B55B01EA
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA1
        enc  algorithm:         AES128
        traffic selector:
          protocol:             0
          local ip range:       10.72.X.X - 10.72.X.X
          local port range:     0 - 65535
          remote ip range:      10.35.X.X - 10.35.X.X
          remote port range:    0 - 65535
        ipsec mode:             tunnel
        anti replay check:      yes
        anti replay window:     1024
        copy tos:               no
        enable gre encap:       no
        initiator:              yes
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       1
        receive sequence:       0
        encap packets:          30292
        decap packets:          8730
        encap bytes:            6511296
        decap bytes:            4974032
        encap IPv4 packets:     30292
        decap IPv4 packets:     8730
        encap IPv4 bytes:       6511296
        decap IPv4 bytes:       4974032
        encap IPv6 packets:     0
        decap IPv6 packets:     0
        encap IPv6 bytes:       0
        decap IPv6 bytes:       0
        key acquire requests:   1
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1&lt;/LI-CODE&gt;
</description>
      <pubDate>Fri, 10 May 2024 14:25:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586169#M3160</guid>
      <dc:creator>luishoracio.arizaga</dc:creator>
      <dc:date>2024-05-10T14:25:54Z</dc:date>
    </item>
    <item>
      <title>Re: IPsec VPN between Fortigate and Palo Alto</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586174#M3161</link>
      <description>&lt;P&gt;What do you use to measure speed?&lt;/P&gt;
&lt;P&gt;Packet loss?&lt;/P&gt;
&lt;P&gt;Fragmentation?&lt;/P&gt;</description>
      <pubDate>Wed, 08 May 2024 13:47:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586174#M3161</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2024-05-08T13:47:07Z</dc:date>
    </item>
    <item>
      <title>Re: IPsec VPN between Fortigate and Palo Alto</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586178#M3162</link>
      <description>&lt;P&gt;The server takes too long to answer. Websites do not load or take 5, 10 minutes to load.&lt;/P&gt;</description>
      <pubDate>Wed, 08 May 2024 13:54:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586178#M3162</guid>
      <dc:creator>luishoracio.arizaga</dc:creator>
      <dc:date>2024-05-08T13:54:43Z</dc:date>
    </item>
    <item>
      <title>Re: IPsec VPN between Fortigate and Palo Alto</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586190#M3168</link>
      <description>&lt;P&gt;Hello, I've found an error... The IPsec SA keeps being established and going down every second or two seconds. I don't know why, but at least it's a clue.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="luishoracioarizaga_0-1715178295937.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59582i883D5B24E6EF3CE5/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="luishoracioarizaga_0-1715178295937.png" alt="luishoracioarizaga_0-1715178295937.png" /&gt;&lt;/span&gt;&lt;/P&gt;
</description>
      <pubDate>Wed, 08 May 2024 14:25:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586190#M3168</guid>
      <dc:creator>luishoracio.arizaga</dc:creator>
      <dc:date>2024-05-08T14:25:19Z</dc:date>
    </item>
    <item>
      <title>Re: IPsec VPN between Fortigate and Palo Alto</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586196#M3169</link>
      <description>&lt;P&gt;This points to mismatching proxy-ids.&lt;/P&gt;
&lt;P&gt;Check that the encryption domain / proxy-id is exactly the same on both sides.&lt;/P&gt;
&lt;P&gt;If you switch temporarily to IKEv1, then you can see in the system log what proxy-ids the Fortigate sends to the Palo.&lt;/P&gt;
&lt;P&gt;Otherwise you need to troubleshoot in the CLI to get this info.&lt;/P&gt;</description>
      <pubDate>Wed, 08 May 2024 15:16:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586196#M3169</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2024-05-08T15:16:38Z</dc:date>
    </item>
    <item>
      <title>Re: IPsec VPN between Fortigate and Palo Alto</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586384#M3180</link>
      <description>&lt;P&gt;Hello, just for everybody's information... Actually, the VPN tunnel was being established and closed every two seconds or so. I could check this in the logs. On the monitoring part of the firewall everything seemed normal (Network =&amp;gt; IPsec tunnels), but the TS associations were going up and down and traffic was being impacted, of course. To check the logs, go to Monitor =&amp;gt; System and look for this kind of message (I've filtered using the SPI ID in the description). Look for TS association errors =&amp;gt; This means the proxy IDs aren't matching between your Palo Alto firewall and the FW on the other end. You need exact matches. We replaced an ASA w/ Palo Alto and the same configuration for crypto maps was not working. Hope this helps someone in the future :).&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="luishoracioarizaga_1-1715350966293.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59618i6D81709CF532507C/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="luishoracioarizaga_1-1715350966293.png" alt="luishoracioarizaga_1-1715350966293.png" /&gt;&lt;/span&gt;&lt;/P&gt;
</description>
      <pubDate>Fri, 10 May 2024 14:24:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-between-fortigate-and-palo-alto-slowness/m-p/586384#M3180</guid>
      <dc:creator>luishoracio.arizaga</dc:creator>
      <dc:date>2024-05-10T14:24:02Z</dc:date>
    </item>
  </channel>
</rss>

