https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166488#M53344 <P>Hi,</P><P>&nbsp;</P><P>Any particular clients facing this&nbsp;issue?&nbsp;</P> Fri, 14 Jul 2017 08:14:51 GMT TranceforLife 2017-07-14T08:14:51Z https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166479#M53342 <P>We have a setup with a primary PA firewall 1 that pass through Globalprotect VPN traffic to a second PA firewall 2. We've seen sporadic connection problems when connecting a Globalprotect client. Sometimes it can spend up to 2 minutes to establish the VPN. When these connection problems occur firewall 1 will log unknown-udp on port 4501. Besides allowing any application with service ports in the Globalprotect policy, is it possible to improve reliability when using ipsec application?</P> Fri, 14 Jul 2017 07:19:16 GMT https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166479#M53342 Trond.Olsen 2017-07-14T07:19:16Z https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166488#M53344 <P>Hi,</P><P>&nbsp;</P><P>Any particular clients facing this&nbsp;issue?&nbsp;</P> Fri, 14 Jul 2017 08:14:51 GMT https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166488#M53344 TranceforLife 2017-07-14T08:14:51Z https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166720#M53378 <P>This is on Windows 64-bit using the latest client software.</P> Mon, 17 Jul 2017 08:25:58 GMT https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166720#M53378 Trond.Olsen 2017-07-17T08:25:58Z https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166836#M53390 <P>Hi,</P><P>&nbsp;</P><P>It is hard to conclude based on this info. In your GP policy, do you have services as "any" or "application-default"? Do you have an&nbsp;ability to raise the TAC case providing them with the PCAP from the firewall when the issue is visible?</P> Mon, 17 Jul 2017 18:27:23 GMT https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166836#M53390 TranceforLife 2017-07-17T18:27:23Z https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166873#M53397 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37017">@Trond.Olsen</a>,</P><P>This should be a fairly stable signature; I would raise a case with TAC and see if they could work with you on it.&nbsp;</P> Mon, 17 Jul 2017 20:15:44 GMT https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166873#M53397 BPry 2017-07-17T20:15:44Z https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166944#M53402 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37163">@TranceforLife</a><BR />Policy was initially configured with default-application. We've experienced better reliabilty using service ports instead. Still get sporadic VPN connections thats logged as unknown-udp on port 4501 though but it working.</P><P>&nbsp;</P><P>Also forgot to mention that there is a destination NAT policy involved.<BR /><BR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a><BR />Its a bit hard to do packet capture since vpn connections generate so much data. We've got no reliable way to reproduce unknown-udp application detection. But I'll keep it in mind in case we have do to some further digging.</P> Tue, 18 Jul 2017 06:24:25 GMT https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166944#M53402 Trond.Olsen 2017-07-18T06:24:25Z https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166988#M53408 <P>Hi,</P><P>&nbsp;</P><P>l don't think DNAT should or causing issues. If application is identified incorrectly (unknown-udp it is also app within the database) then TAC case is the next destination <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span> Please post the outcome&nbsp;</P> Tue, 18 Jul 2017 12:03:32 GMT https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/166988#M53408 TranceforLife 2017-07-18T12:03:32Z https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/188901#M57267 <P>An update: This was a hard to replicate APP-ID misidentification but got fixed in content update 752-4343.</P><P>&nbsp;</P> Tue, 28 Nov 2017 09:33:31 GMT https://live.paloaltonetworks.com/t5/general-topics/unstable-ipsec-detection-for-ipsec-esp-udp-application-when/m-p/188901#M57267 Trond.Olsen 2017-11-28T09:33:31Z