topic Re: SA of the tunnel is Active in General Topics

SA of the tunnel is Active

Sujanya — Wed, 18 Jan 2023 16:35:32 GMT

Hi Team,

Can anybody tell the meaning of "What it means if the SA of the tunnel is up "?, Does it mean there is live communication in the tunnel.

Re: SA of the tunnel is Active

Raido_Rattameister — Wed, 18 Jan 2023 17:20:41 GMT

Palo does not try to negotiate tunnel if there is no interesting traffic so tunnel stays down.

Do you see which side is initiator in System log?

Do you have any monitoring configured (on static route for example in virtual router) that might generate traffic that traverses tunnel?

Re: SA of the tunnel is Active

Adrian_Jensen — Thu, 19 Jan 2023 02:32:29 GMT

The SA is the Security Association - basically the unique encryption key identifier that secures the connection. There is an SA for the IKE connection (phase 1) and one or more SAs for the IPSec connection (phase 2, each data stream). There also may be multiple SAs active when the current SA is about to expire, a new SA may be negotiated prior to the old being deleted. An SA being up means that encryption key has been negotiated between the two sides of the tunnel.

It is easier to just look at the IKE Info and Tunnel Info indications under Network->IPSec Tunnels, but you can see the individual SAs by looking in the system logs at Monitor->Logs->System and filtering by the IKE/IPSec tunnel object. You should see the SA setup and deletions.

Negotiate phase 1 SA:

ike-nego-p1-start - IKE phase-1 negotiation started as responder. Initiated SA 1.2.3.4[500]-5.6.7.8[500] cookie:012345abcdef

ike-nego-p1-succ - IKE phase-1 negotiation succeeded as responder. Established SA 1.2.3.4[500]-5.6.7.8[500] cookie:012345abcdef

Negotiate phase 2 SA:

ike-nego-p2-start - IKE phase-2 negotiation started as responder. Initiated SA 1.2.3.4[500]-5.6.7.8[500] id:0x9F8E7C6D

ike-nego-p2-succ - IKE phase-2 negotiation succeeded as responder. Established SA 1.2.3.4[500]-5.6.7.8[500] id:0x9F8E7C6D SPI:0x1A2B3C4D/0x56AB78CD

ipsec-key-install - IPSec key installed. Installed SA 1.2.3.4[500]-5.6.7.8[500] SPI:0x1A2B3C4D/0x56AB78CD

Expire and remove the pahse 2 SA:

ipsec-key-expire - IPSec key lifetime expired. Expired SA 1.2.3.4[500]-5.6.7.8[500] SPI:0x1A2B3C4D/0x56AB78CD

ike-nego-p2-delete - IKE protocol IPSec SA delete message sent to peer SPI:0x1A2B3C4D

Re: SA of the tunnel is Active

Sujanya — Thu, 19 Jan 2023 07:18:24 GMT

Hi @Raido_Rattameister / @Adrian_Jensen ,

Thanks for the response. I can see the multiple active SA information from the firewall CLI and default vpn monitoring is configured to the tunnel. But there are no live event logs and also there is no traffic hits on the policy we are observing.

Re: SA of the tunnel is Active

Adrian_Jensen — Thu, 19 Jan 2023 16:42:52 GMT

Do you have a route pointing your destination traffic to the tunnel or IP on the tunnel? If you look at Network->IPSec Tunnels->[tunnel]->Tunnel Info do you see the counters for packets/data encapsulated and decapsulated increasing? Every packet you successfully send across the VPN should increase the encapsulated count, every packet you receive from the far end should increase the decapsulated count.

If you don't see any association in the Tunnel Info window then you don't have any valid phase 2 SAs. If your encapsulated count is zero then you are not successfully routing traffic out the IPSec tunnel (or your Security Policies are blocking it). If the decapsulated count is zero then the far side is not sending you any packets.

Re: SA of the tunnel is Active

Sujanya — Fri, 20 Jan 2023 12:39:15 GMT

Hi @Adrian_Jensen ,

Thanks for the response and will check on the above.

Re: SA of the tunnel is Active

Sujanya — Wed, 01 Feb 2023 06:35:57 GMT

Hi @Adrian_Jensen ,

I can see the encapsulation count as zero, but the decapsulation count is increasing continuously. VPN monitor is disabled at both the end.
There is no interesting traffic observed in the monitoring traffic logs.

Re: SA of the tunnel is Active

Raido_Rattameister — Wed, 01 Feb 2023 14:24:12 GMT

Check what is tunnel interface for this VPN tunnel (you see that under Network > IPSec Tunnels).

Let's assume it is 17.

Go to Monitor > Traffic and use filter below.

( interface eq tunnel.17 )

Anything comes up?

Re: SA of the tunnel is Active

Sujanya — Thu, 02 Feb 2023 06:04:13 GMT

Hi @Raido_Rattameister ,

Thanks for the filter. Yes I can see 'ping' and 'snmp' related traffics.