<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IPSEC phase 2 rekey in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/72130#M41002</link>
    <description>&lt;P&gt;I think we found a solution: instead of defining the IPSEC lifetime as 1 hour, we set it as 3600 seconds instead.&lt;/P&gt;</description>
    <pubDate>Thu, 04 Feb 2016 09:42:25 GMT</pubDate>
    <dc:creator>glitch</dc:creator>
    <dc:date>2016-02-04T09:42:25Z</dc:date>
    <item>
      <title>IPSEC phase 2 rekey</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/18471#M13495</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We are having problems with a site-to-site IPSEC VPN between a PA-500 and a Cisco ASA. The PA is always the initiator, and the tunnel comes up and passes traffic just fine. The problem comes when the tunnel needs to rekey: basically it seems that the PA does not bother to renegotiate until between 30 and 120 seconds of the lifetime remain. Now this is fine if the lifetime is 10 minutes or less, but in reality it works out that with a sensible lifetime in place the Cisco has dropped the Phase 2 tunnel (at 95% of the lifetime) long before the PA tries to rekey.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When the lifetime is set to a short time (12 minutes) the PA log shows either side initiating the negotiation, depending on whether the PA has done it by 95% of the lifetime or not. When the lifetime is longer, the PA does not log any attempt by the ASA to initiate the negotiation - it seems almost as if it ignores any attempt to rekey if it falls outside of its window.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can anyone confirm what the Palo Alto policy is regarding IPSEC phase 2 tunnel rekey? Is anyone else having this problem?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Karl&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 10 Feb 2015 17:25:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/18471#M13495</guid>
      <dc:creator>Sigma</dc:creator>
      <dc:date>2015-02-10T17:25:54Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC phase 2 rekey</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/18472#M13496</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Karl,&lt;/P&gt;&lt;P&gt;The best advice I can give is to make sure your timeout values are identical on both devices. If you have, say, 8 hours on the PAN, make sure it's 8 hours on the Cisco. I think Cisco uses seconds, so there may be some math involved. But make sure the phase 1 and 2 settings are identical on both sides. I have VPNs from my PANs to the following other types of VPNs and they are all functional:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;McAfee Next Gen Firewall&lt;/P&gt;&lt;P&gt;Cisco ASA&lt;/P&gt;&lt;P&gt;Palo Alto&lt;/P&gt;&lt;P&gt;Juniper&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;All phases have to match, otherwise you may not even establish in the first place. So if you change one side, you have to change the other.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 10 Feb 2015 22:49:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/18472#M13496</guid>
      <dc:creator>oklier</dc:creator>
      <dc:date>2015-02-10T22:49:20Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC phase 2 rekey</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/18473#M13497</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We found some VPN stability issues when having an IPSec VPN to a Cisco ASA with DPD being enabled. We found intermittent disconnects as DPD was detecting the peer as "down" when it was not. I know DPD is part of phase 1 and not phase 2 but it is something you may want to test disabling.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 20 Feb 2015 07:11:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/18473#M13497</guid>
      <dc:creator>ericv</dc:creator>
      <dc:date>2015-02-20T07:11:42Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC phase 2 rekey</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/18474#M13498</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sigma,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In regards to your note on the missing logs, I would imagine we would see something, even if it fails as the responder.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can you verify if there are any dropped packets on the firewall coming from that ASA?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Please do not forget to mark any 'Helpful' or 'Correct' replies.&lt;/STRONG&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 20 Feb 2015 17:11:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/18474#M13498</guid>
      <dc:creator>mmmccorkle</dc:creator>
      <dc:date>2015-02-20T17:11:17Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC phase 2 rekey</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/72057#M40989</link>
      <description>&lt;P&gt;I am having the exact same problems. Also an ASA on the other end.&lt;/P&gt;
&lt;P&gt;We have tried disabling DPD and PFS in IPsec. Still unstable.&lt;/P&gt;
&lt;P&gt;We are running version 6.1.7&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Has it been fixed in 6.1.9 or 7.0.4?&lt;/P&gt;</description>
      <pubDate>Wed, 03 Feb 2016 12:16:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/72057#M40989</guid>
      <dc:creator>glitch</dc:creator>
      <dc:date>2016-02-03T12:16:56Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC phase 2 rekey</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/72130#M41002</link>
      <description>&lt;P&gt;I think we found a solution: instead of defining the IPSEC lifetime as 1 hour, we set it as 3600 seconds instead.&lt;/P&gt;</description>
      <pubDate>Thu, 04 Feb 2016 09:42:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/72130#M41002</guid>
      <dc:creator>glitch</dc:creator>
      <dc:date>2016-02-04T09:42:25Z</dc:date>
    </item>
    <item>
      <title>Re: IPSEC phase 2 rekey</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/590509#M117634</link>
      <description>&lt;P&gt;1 hour = 3600 seconds, so what is the difference?&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jun 2024 17:52:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-phase-2-rekey/m-p/590509#M117634</guid>
      <dc:creator>AnupamGaur_Nomios</dc:creator>
      <dc:date>2024-06-26T17:52:17Z</dc:date>
    </item>
  </channel>
</rss>