https://live.paloaltonetworks.com/t5/general-topics/ipsec-ikev2-send-p2-delete/m-p/453047#M101316 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/200040">@GnContente</a>,</P> <P>Have you looked at your ikemgr.log file and verified that you aren't seeing a key delete or anything like that? That would be the first place to start looking.&nbsp;</P> <P><SPAN>less mp-log ikemgr.log</SPAN></P> Tue, 14 Dec 2021 03:35:40 GMT BPry 2021-12-14T03:35:40Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-ikev2-send-p2-delete/m-p/452917#M101311 <P>Hi all, I have a IKEv2 IPSEC from PA to PA Firewall with tunnel monitoring enabled on one end. The tunnel suddenly went and the peer with no tunnel monitor is sending every 4 seconds a&nbsp;ikev2-send-p2-delete.&nbsp;</P><P>&nbsp;</P><P>What could be the reasons behind this behaviour?&nbsp;</P><P>&nbsp;</P><P>Regards</P> Mon, 13 Dec 2021 19:45:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-ikev2-send-p2-delete/m-p/452917#M101311 GnContente 2021-12-13T19:45:58Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-ikev2-send-p2-delete/m-p/453047#M101316 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/200040">@GnContente</a>,</P> <P>Have you looked at your ikemgr.log file and verified that you aren't seeing a key delete or anything like that? That would be the first place to start looking.&nbsp;</P> <P><SPAN>less mp-log ikemgr.log</SPAN></P> Tue, 14 Dec 2021 03:35:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-ikev2-send-p2-delete/m-p/453047#M101316 BPry 2021-12-14T03:35:40Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-ikev2-send-p2-delete/m-p/453099#M101322 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>The logs show the following:</P><P>2021-12-14 09:13:27.320 +0100 [PNTF]: { 3: }: ====&gt; IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway VPN-PH1_BRB-P &lt;====<BR />====&gt; Initiated SA: 192.168.170.252[500]-213.41.102.4[500] message id:0x00000493 parent SN:2700 &lt;====<BR />2021-12-14 09:13:27.320 +0100 [WARN]: { 3: 4}: selector VPN-PH2_BRB-P_T1018 src is ambiguous, using the first one of the expanded addresses<BR />2021-12-14 09:13:27.320 +0100 [WARN]: { 3: 4}: selector VPN-PH2_BRB-P_T1018 dst is ambiguous, using the first one of the expanded addresses<BR />2021-12-14 09:13:27.347 +0100 [INFO]: { 3: 4}: SADB_UPDATE proto=255 213.41.102.4[500]=&gt;192.168.170.252[500] ESP tunl spi 0xB91C4A6D auth=NON-AUTH enc=AES256-GCM16/36 lifetime soft 378897/0 hard 432000/0<BR />2021-12-14 09:13:27.347 +0100 [INFO]: { 3: 4}: SADB_ADD proto=255 192.168.170.252[500]=&gt;213.41.102.4[500] ESP tunl spi 0xA3A1EB5D auth=NON-AUTH enc=AES256-GCM16/36 lifetime soft 349193/0 hard 432000/0<BR />2021-12-14 09:13:27.347 +0100 [PNTF]: { 3: 4}: ====&gt; IPSEC KEY INSTALLATION SUCCEEDED; tunnel VPN-PH2_BRB-P_T1018 &lt;====<BR />====&gt; Installed SA: 192.168.170.252[500]-213.41.102.4[500] SPI:0xB91C4A6D/0xA3A1EB5D lifetime 432000 Sec lifesize unlimited &lt;====<BR />2021-12-14 09:13:27.348 +0100 [PNTF]: { 3: 4}: ====&gt; IKEv2 CHILD SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; tunnel VPN-PH2_BRB-P_T1018 &lt;====<BR />====&gt; Established SA: 192.168.170.252[500]-213.41.102.4[500] message id:0x00000493, SPI:0xB91C4A6D/0xA3A1EB5D parent SN:2700 &lt;====<BR />2021-12-14 09:13:27.350 +0100 [INFO]: { 3: 4}: SPI B91C4A6D inserted by IKE responder, return 0 0.<BR />2021-12-14 09:13:27.354 +0100 [INFO]: { 3: 4}: SPI DCA1C63B removed by keymodify, return 0 0.<BR />2021-12-14 09:13:27.355 +0100 [PNTF]: { 3: 4}: ====&gt; IKEv2 CHILD SA DELETED AS RESPONDER, non-rekey; tunnel VPN-PH2_BRB-P_T1018 &lt;====<BR />====&gt; Deleted SA: 192.168.170.252[500]-213.41.102.4[500] message id:0x00000492, SPI:0xDCA1C63B/0xA3E51416 parent SN:2700 &lt;====<BR />2021-12-14 09:13:27.357 +0100 [INFO]: { 3: }: ikev2_request_initiator_start: SA state ESTABLISHED type 3 caller ikev2_child_delete<BR />2021-12-14 09:13:27.357 +0100 [INFO]: { 3: }: IKEv2 INFO transmit: gateway VPN-PH1_BRB-P, message_id: 0x000002E6, type 3 SA state ESTABLISHED<BR />2021-12-14 09:13:27.357 +0100 [PNTF]: { 3: 4}: ====&gt; IPSEC KEY DELETED; tunnel VPN-PH2_BRB-P_T1018 &lt;====<BR />====&gt; Deleted SA: 192.168.170.252[500]-213.41.102.4[500] SPI:0xDCA1C63B/0xA3E51416 &lt;====<BR />2021-12-14 09:13:27.357 +0100 [INFO]: { 3: 4}: SADB_DELETE proto=255 src=213.41.102.4[0] dst=192.168.170.252[0] ESP spi=0xDCA1C63B2021-12-14 09:13:27.364 +0100 [INFO]: { 3: }: received DELETE payload, protocol ESP, num of SPI: 1 IKE SA state ESTABLISHED<BR />2021-12-14 09:13:27.365 +0100 [INFO]: { 3: }: delete proto ESP spi 0xA3E51416<BR />2021-12-14 09:13:27.365 +0100 [PWRN]: { 3: }: can't find sa for proto ESP spi 0xA3E51416</P><P>&nbsp;</P><P>As i mention initially, this repeats every 4 seconds. Both phases are up on both ends of the tunnel, however on the side of the tunnel&nbsp; were tunnel monitor is enabled, the tunnel interface is down and there is no decaps</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GnContente_1-1639470592538.png" style="width: 728px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38134i603C391E86215841/image-dimensions/728x111/is-moderation-mode/true?v=v2" width="728" height="111" role="button" title="GnContente_1-1639470592538.png" alt="GnContente_1-1639470592538.png" /></span></P><P>&nbsp;</P><P>On the other end apart from not having tunnel monitor enabled everything appears to be fine, i see packets encap and decap</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GnContente_0-1639470472903.png" style="width: 731px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38133i00F59C61A636CDE4/image-dimensions/731x112/is-moderation-mode/true?v=v2" width="731" height="112" role="button" title="GnContente_0-1639470472903.png" alt="GnContente_0-1639470472903.png" /></span></P><P>&nbsp;</P><P>This tunnel was working fine until it started to behave wierd.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 14 Dec 2021 08:33:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-ikev2-send-p2-delete/m-p/453099#M101322 GnContente 2021-12-14T08:33:53Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-ikev2-send-p2-delete/m-p/453263#M101336 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/200040">@GnContente</a>,</P> <P>{quote}</P> <P><SPAN>selector VPN-PH2_BRB-P_T1018 src is ambiguous, using the first one of the expanded addresses</SPAN></P> <P><SPAN>{quote}</SPAN></P> <P><SPAN>I'd look at your Peer and Local identification configuration and make sure that they actually match on both ends, or the proxy configuration if you have one.&nbsp;</SPAN></P> Tue, 14 Dec 2021 23:27:13 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-ikev2-send-p2-delete/m-p/453263#M101336 BPry 2021-12-14T23:27:13Z