topic Re: IPSec VPN Issue in General Topics

IPSec VPN Issue

Retired Member — Fri, 16 Dec 2011 13:48:30 GMT

Hi,

on a PA 2020 running 4.1.0 is a VPN Gateway configured. A client PA 500 running 4.1.0 with dynamic WAN IP is configured as peer. Both devices can reach each other. In system log is a succesfull phase 1 and phase 2 and a succesfull ipsec connection. After that, a IPSec SA delete message appears and the IPSec key will be deleted. From this time the connection starts again with phase 2.

Does anyone have any ideas?

Regards from Germany

Robert

(newest log entries first)

IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xBF6E041B/0xCCA91B0D.

IKE protocol IPSec SA delete message sent to peer. SPI:0xBF6E041B.

IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0x993E8A98/0xB4BA9B3F lifetime 3600 Sec lifesize unlimited.

IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x3C2F0929, SPI:0x993E8A98/0xB4BA9B3F.

IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x3C2F0929.

IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xF09CB8C7/0xFDD307C5.

IKE protocol IPSec SA delete message sent to peer. SPI:0xF09CB8C7.

IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xBF6E041B/0xCCA91B0D lifetime 3600 Sec lifesize unlimited.

IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x921F14E7, SPI:0xBF6E041B/0xCCA91B0D.

IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x921F14E7.

IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xE56D34C4/0xBC5294AA.

IKE protocol IPSec SA delete message sent to peer. SPI:0xE56D34C4.

IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xF09CB8C7/0xFDD307C5 lifetime 3600 Sec lifesize unlimited.

IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x593A6173, SPI:0xF09CB8C7/0xFDD307C5.

IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x593A6173.

Re: IPSec VPN Issue

gsteiner — Mon, 19 Dec 2011 11:13:49 GMT

do you have a Monitor configured too? I tough I read something about a problem with ipsec and monitors.

Re: IPSec VPN Issue

Retired Member — Fri, 02 Mar 2012 12:51:31 GMT

Hello Robert,

does your problem still exist? Do you have a solution?

I have the same problem with a vpn tunnel to/from a AVM Fritzbox 7330. The problem only occur when the tunnel monitor is active.

Our PA2050 is running software version 4.1.3 .

Any ideas or solutions????

Kind regards,

Sascha

Re: IPSec VPN Issue

tobias — Fri, 27 Apr 2012 08:36:37 GMT

Hi,

i had excactly the same Problem today morning. Since the VPN setup wasn't productive yet i decided to delete the complete ipsec and ike setup for the vpns having this problem, before opening a case with Palo Alto Networks.

That did the trick. The vpns are now stable. My assumption is that this had to do with the upgrade from 4.0.5 to 4.1.3, because the vpns where created before the upgrade and every vpn i created after the upgrade also work fine. The Problem did not affect every vpn. Out of about 30 vpns only two where affected.

Hope this helps sombody

Re: IPSec VPN Issue

mikand — Sat, 28 Apr 2012 11:22:16 GMT

Do you have a pre-conf and post-conf to compare on what the differences are?

In case the upgrade changes vpn tunnels to loopback interfaces instead of physical interfaces or something like that?

Re: IPSec VPN Issue

tobias — Mon, 30 Apr 2012 11:58:41 GMT

Hi,

mikand wrote:

Do you have a pre-conf and post-conf to compare on what the differences are?

In case the upgrade changes vpn tunnels to loopback interfaces instead of physical interfaces or something like that?

well, i had a look on the config before and after and i see quite some differences in the config ouput. I don't know if this is relevant but the information in the config is the same, but the order in which this is configured is different. I have attached a textfile where you can see the diffences.