https://live.paloaltonetworks.com/t5/general-topics/vpn-flapping/m-p/32655#M23917 <HTML><HEAD></HEAD><BODY><P>this was the problem </P><P>thanks</P><P></P><P></P><P><A class="loading" href="http://kb.juniper.net/InfoCenter/index?page=content&amp;id=KB8530" title="http://kb.juniper.net/InfoCenter/index?page=content&amp;id=KB8530">http://kb.juniper.net/InfoCenter/index?page=content&amp;id=KB8530</A></P></BODY></HTML> Thu, 30 Jul 2015 17:58:39 GMT SOC_CSG 2015-07-30T17:58:39Z https://live.paloaltonetworks.com/t5/general-topics/vpn-flapping/m-p/32653#M23915 <HTML><HEAD></HEAD><BODY><P>Hi, we have configured a VPN site-to-site between Juniper SSG and PA3020. The tunnel is flapping up/down. The VPN is well-configured and we have configured VPN monitor with Rekey option in the SSG.&nbsp; How could we know why the tunnel is flapping all the time???&nbsp; i attached the PA logs</P><P></P><P>2015-07-30 16:52:11 [PROTO_NOTIFY]: ====&gt; PHASE-2 NEGOTIATION SUCCEEDED AS RESPONDER, (QUICK MODE) &lt;====</P><P>====&gt; Established SA: 116.x.x.x[500]-121.x.x.x[500] message id:0xF6C5386E, SPI:0xB9D02A28/0x598B9BDB &lt;====</P><P>2015-07-30 16:52:11 [INFO]: SADB_UPDATE ul_proto=255 src=121.x.x.x[500] dst=<SPAN style="font-size: 13.3333330154419px;">116.x.x.x</SPAN>[500] satype=ESP samode=tunl spi=0xB9D02A28 authtype=SHA1 enctype=3DES lifetime soft time=3600 bytes=0 hard time=3600 bytes=0</P><P>2015-07-30 16:52:11 [INFO]: SADB_ADD ul_proto=255 src=<SPAN style="font-size: 13.3333330154419px;">116.x.x.x</SPAN>[500] dst=<SPAN style="font-size: 13.3333330154419px;">121.x.x.x</SPAN>[500] satype=ESP samode=tunl spi=0x598B9BDB authtype=SHA1 enctype=3DES lifetime soft time=3600 bytes=0 hard time=3600 bytes=0</P><P>2015-07-30 16:52:11 [INFO]: IPsec-SA established: ESP/Tunnel <SPAN style="font-size: 13.3333330154419px;">121.x.x.x</SPAN>[500]-&gt;<SPAN style="font-size: 13.3333330154419px;">116.x.x.x</SPAN><SPAN style="font-size: 13.3333330154419px;">[500]</SPAN>[500] spi=3117427240(0xb9d02a28)</P><P>2015-07-30 16:52:11 [PROTO_NOTIFY]: ====&gt; IPSEC KEY INSTALLATION SUCCEEDED &lt;====</P><P>====&gt; Installed SA: <SPAN style="font-size: 13.3333330154419px;">116.x.x.x</SPAN>[500]-<SPAN style="font-size: 13.3333330154419px;">121.x.x.x</SPAN>[500] SPI:0xB9D02A28/0x598B9BDB lifetime 3600 Sec lifesize unlimited &lt;====</P><P>2015-07-30 16:52:11 [INFO]: keymirror add start ++++++++++++++++</P><P>2015-07-30 16:52:11 [INFO]: keymirror add for gw e, tn 20, selfSPI B9D02A28, retcode 0.</P><P>[PROTO_NOTIFY]: ====&gt; IPSEC KEY DELETED &lt;====</P></BODY></HTML> Thu, 30 Jul 2015 15:20:54 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-flapping/m-p/32653#M23915 SOC_CSG 2015-07-30T15:20:54Z https://live.paloaltonetworks.com/t5/general-topics/vpn-flapping/m-p/32654#M23916 <HTML><HEAD></HEAD><BODY><P>Could you please provide a output of the command</P><P>tail lines 300 mp-log ikemgr.log</P><P></P><P>Run the above command when rekey is happening. Also make sure that lifetime is matching on both side for both phases.</P><P></P><P>Phase 2 lifetime should be less than phase 1 lifetime.</P></BODY></HTML> Thu, 30 Jul 2015 16:15:16 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-flapping/m-p/32654#M23916 pankaku 2015-07-30T16:15:16Z https://live.paloaltonetworks.com/t5/general-topics/vpn-flapping/m-p/32655#M23917 <HTML><HEAD></HEAD><BODY><P>this was the problem </P><P>thanks</P><P></P><P></P><P><A class="loading" href="http://kb.juniper.net/InfoCenter/index?page=content&amp;id=KB8530" title="http://kb.juniper.net/InfoCenter/index?page=content&amp;id=KB8530">http://kb.juniper.net/InfoCenter/index?page=content&amp;id=KB8530</A></P></BODY></HTML> Thu, 30 Jul 2015 17:58:39 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-flapping/m-p/32655#M23917 SOC_CSG 2015-07-30T17:58:39Z