https://live.paloaltonetworks.com/t5/general-topics/frequent-re-keying-of-ipsec-tunnels/m-p/78070#M42808 <P>When I look under Monitor -&gt; Logs -&gt; System, I see the following:</P> <P>&nbsp;</P> <P>1. ipsec-key-delete: IPSec key deleted. &nbsp;Deleted SA &lt;SA info&gt; SPI:&lt;hex dump&gt;</P> <P>2. ike-nego-p2-succ: IKE phase-2 negotiation is succeeded as responder, quick mode. &nbsp;Established SA &lt;SA info&gt; SPI: &lt;hex dump&gt;</P> <P>3. ipsec-key-install: IPSec key installed. &nbsp;Installed SA &lt;SA info&gt; SPI: &lt;hex dump&gt;</P> <P>&nbsp;</P> <P>We have several site to site tunnels on this firewall, some of them with multiple proxy id's. &nbsp;If I filter based on one specific proxy id, I see it going through this process frequently. &nbsp;Sometimes it is multiple times per minute, sometimes it goes ~5 minutes or so. &nbsp;The same occurs for numerous other proxy id's.</P> <P>&nbsp;</P> <P>Is this something to be concerned about? It seems that I'm receiving delete messages that correspond to this behavior:</P> <P>&nbsp;</P> <P>ike-recv-p2-delete: IKE protocol IPSec SA delete message received from peer. &nbsp;SPI: &lt;hex dump&gt;</P> Fri, 13 May 2016 17:54:35 GMT PatrickWalton 2016-05-13T17:54:35Z https://live.paloaltonetworks.com/t5/general-topics/frequent-re-keying-of-ipsec-tunnels/m-p/78070#M42808 <P>When I look under Monitor -&gt; Logs -&gt; System, I see the following:</P> <P>&nbsp;</P> <P>1. ipsec-key-delete: IPSec key deleted. &nbsp;Deleted SA &lt;SA info&gt; SPI:&lt;hex dump&gt;</P> <P>2. ike-nego-p2-succ: IKE phase-2 negotiation is succeeded as responder, quick mode. &nbsp;Established SA &lt;SA info&gt; SPI: &lt;hex dump&gt;</P> <P>3. ipsec-key-install: IPSec key installed. &nbsp;Installed SA &lt;SA info&gt; SPI: &lt;hex dump&gt;</P> <P>&nbsp;</P> <P>We have several site to site tunnels on this firewall, some of them with multiple proxy id's. &nbsp;If I filter based on one specific proxy id, I see it going through this process frequently. &nbsp;Sometimes it is multiple times per minute, sometimes it goes ~5 minutes or so. &nbsp;The same occurs for numerous other proxy id's.</P> <P>&nbsp;</P> <P>Is this something to be concerned about? It seems that I'm receiving delete messages that correspond to this behavior:</P> <P>&nbsp;</P> <P>ike-recv-p2-delete: IKE protocol IPSec SA delete message received from peer. &nbsp;SPI: &lt;hex dump&gt;</P> Fri, 13 May 2016 17:54:35 GMT https://live.paloaltonetworks.com/t5/general-topics/frequent-re-keying-of-ipsec-tunnels/m-p/78070#M42808 PatrickWalton 2016-05-13T17:54:35Z https://live.paloaltonetworks.com/t5/general-topics/frequent-re-keying-of-ipsec-tunnels/m-p/78260#M42877 <P>Phase 2 (Each proxy ID) should be negotiated according to the key lifetime, so if in one side it's set to 5 minutes that's normal. You don't usually want to re-ley that often, if you're receiving delete messages the re-keys need to be troubleshooted in the side deleting the SA. If the other side it's also a palo alto a rekey can be triggered if tunnel monitoring is detected as "down",</P> <P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/Understanding-behavior-of-PBF-and-Tunnel-monitoring-probes/ta-p/68666" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/Understanding-behavior-of-PBF-and-Tunnel-monitoring-probes/ta-p/68666</A></P> <P>&nbsp;</P> <P>You can check the remaining lifetime for your Phases 2 with the following command,</P> <P>&gt;show vpn flow.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regards,&nbsp;</P> <P>Gerardo.</P> Wed, 18 May 2016 03:57:34 GMT https://live.paloaltonetworks.com/t5/general-topics/frequent-re-keying-of-ipsec-tunnels/m-p/78260#M42877 glastra1 2016-05-18T03:57:34Z