IPSEC tunnel Intermittent disconnect between onprime PA-5250 and and VM PA hosted on Azure.

RishiLama — Fri, 04 Feb 2022 17:06:16 GMT

Hello all,

Need help.

We're experiencing unsual IPsec tunnel disconnect between our main firewall PA-5250 and VM series hosted on Azure.

PA-5250 - Version 8.01 - Static GW IP address 2.2.2.2

VM series VM:- 10.0.7 - Azure01 - GW IP is dymanic representing 1.1.1.1 on logs.

IPsec tunnel info check and verified are same on both firewall.

Proxy ID:- none

Enable passive mode is disabled on both firewall.

One firewall GW IP address is dymanic.

VM series firewall.

____________________________________________________

mp ikemgr.log 2022-01-29 12:33:19 2022-01-29 12:33:19.039 -0600 [INFO]: { 1: }: KA found: 1.1.1.1[4500]->2.2.2.2[4500] (in_use=1)
mp ikemgr.log 2022-01-29 12:33:19 2022-01-29 12:33:19.040 -0600 [INFO]: { 1: }: Adding remote and local NAT-D payloads.
mp ikemgr.log 2022-01-29 12:33:19 2022-01-29 12:33:19.040 -0600 [INFO]: { 1: }: Hashing 2.2.2.2[4500] with algo #6
mp ikemgr.log 2022-01-29 12:33:19 2022-01-29 12:33:19.040 -0600 [INFO]: { 1: }: Hashing 1.1.1.1[4500] with algo #6
mp ikemgr.log 2022-01-29 12:33:19 2022-01-29 12:33:19.040 -0600 [PNTF]: { 1: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, AGGRESSIVE MODE <====
mp ikemgr.log 2022-01-29 12:33:19 ====> Established SA: 1.1.1.1[4500]-2.2.2.2[4500] cookie:ab3cecc374bafd02:0a6fef599a4197e8 lifetime 28800 Sec <====
mp ikemgr.log 2022-01-29 12:33:20 2022-01-29 12:33:20.000 -0600 [PNTF]: { 1: 1}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
mp ikemgr.log 2022-01-29 12:33:20 ====> Initiated SA: 1.1.1.1[4500]-2.2.2.2[4500] message id:0x96E53F93 <====
mp ikemgr.log 2022-01-29 12:33:20 2022-01-29 12:33:20.000 -0600 [INFO]: { : 1}: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
mp ikemgr.log 2022-01-29 12:33:43 2022-01-29 12:33:43.000 -0600 [PNTF]: { : 1}: ====> IPSEC KEY LIFETIME EXPIRED <====
mp ikemgr.log 2022-01-29 12:33:43 ====> Expired SA: 1.1.1.1[4500]-2.2.2.2[4500] SPI:0xBA57B398/0xEE2C91E1 <====
mp ikemgr.log 2022-01-29 12:33:43 2022-01-29 12:33:43.000 -0600 [PNTF]: { : 1}: ====> IPSEC KEY DELETED <====
mp ikemgr.log 2022-01-29 12:33:43 ====> Deleted SA: 1.1.1.1[4500]-2.2.2.2[4500] SPI:0xBA57B398/0xEE2C91E1 <====
mp ikemgr.log 2022-01-29 12:33:43 2022-01-29 12:33:43.000 -0600 [INFO]: { 1: 1}: SADB_DELETE proto=0 src=1.1.1.1[4500] dst=2.2.2.2[4500] ESP spi=0xBA57B398
mp ikemgr.log 2022-01-29 12:33:43 2022-01-29 12:33:43.001 -0600 [INFO]: { 1: 1}: SPI BA57B398 removed by IPSec lifetime, return 0 0.
mp ikemgr.log 2022-01-29 12:33:45 2022-01-29 12:33:45.000 -0600 [PWRN]: { : 1}: phase-2 sa purge mismatch SPI:0x00000000/0xEE2C91E1.
mp ikemgr.log 2022-01-29 12:33:50 2022-01-29 12:33:50.000 -0600 [PNTF]: { : 1}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
mp ikemgr.log 2022-01-29 12:33:50 ====> Failed SA: 1.1.1.1[4500]-2.2.2.2[4500] message id:0x96E53F93 <==== Due to negotiation timeout.
mp ikemgr.log 2022-01-29 12:33:54 2022-01-29 12:33:54.264 -0600 [PNTF]: { 1: 1}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
mp ikemgr.log 2022-01-29 12:33:54 ====> Initiated SA: 1.1.1.1[4500]-2.2.2.2[4500] message id:0xB73A56D5 <====
mp ikemgr.log 2022-01-29 12:33:54 2022-01-29 12:33:54.264 -0600 [INFO]: { : 1}: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
mp ikemgr.log 2022-01-29 12:34:20 2022-01-29 12:34:20.000 -0600 [INFO]: { 1: }: ====> PHASE-1 SA DELETED <====

________________________________________________________________________________________________________

Main firewall logs.

2022-01-29 12:41:47.024 -0800 [PNTF]: { 15: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
ikemgr.log
2022-01-29 12:41:47
====> Initiated SA: 2.2.2.2[4500]-1.1.1.1[27387] message id:0x66FC9DFD <====
ikemgr.log
2022-01-29 12:41:47
2022-01-29 12:41:47.024 -0800 [INFO]: { 15: }: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
ikemgr.log
2022-01-29 12:41:47
2022-01-29 12:41:47.060 -0800 [PNTF]: { : 27}: ====> PHASE-2 NEGOTIATION SUCCEEDED AS RESPONDER, (QUICK MODE) <====
ikemgr.log
2022-01-29 12:41:47
====> Established SA: 2.2.2.2[4500]-1.1.1.1[27387] message id:0x66FC9DFD, SPI:0xE7255475/0xC6D72D68 <====

2022-01-29 13:11:14
2022-01-29 13:11:14.315 -0800 [PNTF]: { 16: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
ikemgr.log
2022-01-29 13:11:14
====> Initiated SA: 2.2.2.2[4500]-1.1.1.1[9251] message id:0x166DFFE3 <====
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.315 -0800 [INFO]: { 16: }: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [PNTF]: { : 28}: ====> PHASE-2 NEGOTIATION SUCCEEDED AS RESPONDER, (QUICK MODE) <====
ikemgr.log
2022-01-29 13:11:14
====> Established SA: 2.2.2.2[4500]-1.1.1.1[9251] message id:0x166DFFE3, SPI:0x9A6BF190/0x8DFEDBE1 <====
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [INFO]: { 16: 28}: SADB_UPDATE proto=255 1.1.1.1[9251]=>2.2.2.2[4500] ESP tunl spi 0x9A6BF190 auth=SHA512 enc=AES256-GCM16/36 lifetime soft 3600/0 hard 3600/0
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [INFO]: { 16: 28}: SADB_ADD proto=255 2.2.2.2[4500]=>1.1.1.1[9251] ESP tunl spi 0x8DFEDBE1 auth=SHA512 enc=AES256-GCM16/36 lifetime soft 2889/0 hard 3600/0
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [INFO]: { 16: 28}: IPsec-SA established: ESP/Tunnel 1.1.1.1[9251]->2.2.2.2[4500] spi=2590765456(0x9a6bf190)
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [PNTF]: { : 28}: ====> IPSEC KEY INSTALLATION SUCCEEDED <====
ikemgr.log
2022-01-29 13:11:14
====> Installed SA: 2.2.2.2[4500]-1.1.1.1[9251] SPI:0x9A6BF190/0x8DFEDBE1 lifetime 3600 Sec lifesize unlimited <====
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [INFO]: { 16: }: KA found: 2.2.2.2[4500]->1.1.1.1[9251] (in_use=1)
ikemgr.log
2022-01-29 13:11:19
2022-01-29 13:11:19.033 -0800 [PNTF]: { 16: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7a0f6094477007ea 51a6613506ffc6f6 (size=16).
ikemgr.log
2022-01-29 13:11:30
2022-01-29 13:11:30.000 -0800 [PNTF]: { : 28}: ====> IPSEC KEY LIFETIME EXPIRED <====
ikemgr.log
2022-01-29 13:11:30
====> Expired SA: 2.2.2.2[4500]-1.1.1.1[9251] SPI:0xAE67200C/0xCE0E23E8 <====
ikemgr.log
2022-01-29 13:11:30
2022-01-29 13:11:30.000 -0800 [PNTF]: { : 28}: ====> IPSEC KEY DELETED <====
ikemgr.log
2022-01-29 13:11:30
====> Deleted SA: 2.2.2.2[4500]-1.1.1.1[9251] SPI:0xAE67200C/0xCE0E23E8 <====
ikemgr.log
2022-01-29 13:11:30
2022-01-29 13:11:30.000 -0800 [INFO]: { 16: 28}: SADB_DELETE proto=0 src=2.2.2.2[4500] dst=1.1.1.1[9251] ESP spi=0xAE67200C
ikemgr.log
2022-01-29 13:11:32
2022-01-29 13:11:32.000 -0800 [PWRN]: { : 28}: phase-2 sa purge mismatch SPI:0x00000000/0xCE0E23E8.
ikemgr.log
2022-01-29 13:39:57
2022-01-29 13:39:57.766 -0800 [INFO]: { 15: }: initiate negotiation to dynamic peer from IKE gateway Azure01-IKE is not allowed.

Re: IPSEC tunnel Intermittent disconnect between onprime PA-5250 and and VM PA hosted on Azure.

S.Cantwell — Tue, 08 Feb 2022 15:55:19 GMT

Setup a VPN tunnel monitoring profile, which will provide pings at a 5 sec intervals, to keep the tunnel up.

Re: IPSEC tunnel Intermittent disconnect between onprime PA-5250 and and VM PA hosted on Azure.

RishiLama — Fri, 11 Feb 2022 20:58:15 GMT

Hi Steve, Thanks for the response. The issue is now resolved by activating Passive mode on Non dymantic firewall gateway. The remote gateway had dymanic IP address.

topic Re: IPSEC tunnel Intermittent disconnect between onprime PA-5250 and and VM PA hosted on Azure. in General Topics

IPSEC tunnel Intermittent disconnect between onprime PA-5250 and and VM PA hosted on Azure.

Re: IPSEC tunnel Intermittent disconnect between onprime PA-5250 and and VM PA hosted on Azure.

Re: IPSEC tunnel Intermittent disconnect between onprime PA-5250 and and VM PA hosted on Azure.