topic Re: Site 2 Site VPN in General Topics

Site 2 Site VPN

RC-BHF — Sat, 27 May 2017 00:00:05 GMT

We have a S2S VPN set up with a Juniper SRX at a partner site.

The P1 key life time is 8hr and P2 life time is 1hr

We are seeing that the VPN drops quite frequiently. After they have had a look at the logs they are saying that during the re-key phase our end is timeing out.

I am not sure how to get debug logs , we run PAN OS 7.1.7

The have provided some logs from their appliance

++++++++++++++++++++++++++

[May 26 14:59:13 PIC 2/1/0 KMD2]P1 SA 298686138 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.

[May 26 14:59:13 PIC 2/1/0 KMD2]iked_pm_ike_sa_delete_done_cb: For p1 sa index 298686138, ref cnt 2, status: Error ok

[May 26 14:59:13 PIC 2/1/0 KMD2]ike_remove_callback: Start, delete SA = { 9199f4de 2130d33b - 00000000 00000000}, nego = -1

[May 26 14:59:13 PIC 2/1/0 KMD2]185.xx.xx.xx:500 (Initiator) <-> 212.xx.xx.xx:500 { 9199f4de 2130d33b - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback

[May 26 14:59:13 PIC 2/1/0 KMD2]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1

[May 26 14:59:13 PIC 2/1/0 KMD2]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1

[May 26 14:59:13 PIC 2/1/0 KMD2]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1

[May 26 14:59:13 PIC 2/1/0 KMD2]iked_pm_ike_sa_done: UNUSABLE p1_sa 298686138

[May 26 14:59:13 PIC 2/1/0 KMD2] IKEv1 Error : Timeout

[May 26 14:59:13 PIC 2/1/0 KMD2]IPSec Rekey for SPI 0x0 failed

[May 26 14:59:13 PIC 2/1/0 KMD2]IPSec SA done callback called for sa-cfg GT-ike-vpn- local:185.10.xx.xx, remote:212.240.xx.xx IKEv1 with status Timed out

++++++++++++++

Can any one point me in the right direction.

Re: Site 2 Site VPN

TranceforLife — Sat, 27 May 2017 08:34:37 GMT

Do you allow ipsec traffic from another end to your external interface:

185.xx.xx.xx:500 (Initiator) my understanding this is SRX interface? If this ip is initiator make sure you allow above app

Re: Site 2 Site VPN

Remo — Sat, 27 May 2017 09:28:58 GMT

And (or only) application: ike

Do you have drops in the traffic log between your gw ip and the other side?

Re: Site 2 Site VPN

RC-BHF — Mon, 29 May 2017 17:09:44 GMT

Yes I have some dropped traffic comeing from the remote end

What I am unclear of is why does the dest end deemed to be internal , when it is my public IP.

Do I need a new rule to allow this ?

Re: Site 2 Site VPN

TranceforLife — Mon, 29 May 2017 17:17:17 GMT

Interesting. I think l had this before (or very similar issue). Can you please make sure to clear all active sessions from the session browser on your box from the external ip address (SRX):

For sure your destination zone should be External 😉

Re: Site 2 Site VPN

Remo — Mon, 29 May 2017 17:21:31 GMT

I also had a very similar issue where we had dropped packets when a rekey occured. Maybe you should give 7.1.9 (thats the version where the problem was gone in my case) or 7.1.10 a chance ...

Re: Site 2 Site VPN

BPry — Tue, 30 May 2017 15:47:21 GMT

@RC-BHF,

I've noticed this with quite a few ASAs; upgrading to 7.1.9 seems to have fixed the issue for us in our case; before the upgrade I had simply just set the key life to the point where it wouldn't rekey in business hours, kind of a hacky solution but it worked fine until I could upgrade the unit.