https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141313#M48383 <P>PAN-OS says "aged-out". Cisco AnyConnect doesn't even notice that it's been disconnected.</P><P>Everything worked fine in 7.1.7 and earlier.</P><P>&nbsp;</P><P>Btw, it's a PA-200.</P> Mon, 06 Feb 2017 16:51:37 GMT GI-1 2017-02-06T16:51:37Z https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141210#M48363 <P>Hi.</P><P>&nbsp;</P><P>I've been running PAN-OS 8.0 since release, and immediately got problems with Cisco AnyConnect over IKEv2. Even if the session is very much alive, PAN-OS 8.0 kills it of after a random amount of time, usually a couple of hours.</P><P>&nbsp;</P><P>If I change the AnyConnect policy to use SSL instead, everything runs fine.</P><P>&nbsp;</P><P>PAN-OS 8.0 recognizes AnyConnect over IKEv2 as&nbsp;ipsec-esp-udp. Changing the default timeout to e.g. 86400 seconds changes nothing.</P> Mon, 06 Feb 2017 08:17:49 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141210#M48363 GI-1 2017-02-06T08:17:49Z https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141237#M48369 <P>Hi</P> <P>&nbsp;</P> <P>does the session indicate why it was terminated (idle, rst, ...) ?</P> Mon, 06 Feb 2017 09:17:05 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141237#M48369 reaper 2017-02-06T09:17:05Z https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141313#M48383 <P>PAN-OS says "aged-out". Cisco AnyConnect doesn't even notice that it's been disconnected.</P><P>Everything worked fine in 7.1.7 and earlier.</P><P>&nbsp;</P><P>Btw, it's a PA-200.</P> Mon, 06 Feb 2017 16:51:37 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141313#M48383 GI-1 2017-02-06T16:51:37Z https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141315#M48384 <P>Do you see anything in the Threat logs; it kind of sounds like some security policy is preventing the traffic from passing, hence your age-out response.&nbsp;</P> Mon, 06 Feb 2017 17:13:25 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141315#M48384 BPry 2017-02-06T17:13:25Z https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141533#M48418 <P>Hi.</P><P>&nbsp;</P><P>No, there's no entries in the threat log with the IP to the AnyConnect server.</P> Tue, 07 Feb 2017 12:22:53 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141533#M48418 GI-1 2017-02-07T12:22:53Z https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141831#M48449 <P>I see now that the apps and threats content release 658 did something to ipsec-esp-udp. I guess that's the culprit, and not necessarily 8.0.</P> Wed, 08 Feb 2017 08:13:45 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-anyconnect-over-ikev2-killed-by-pan-os-8-0/m-p/141831#M48449 GI-1 2017-02-08T08:13:45Z