https://live.paloaltonetworks.com/t5/general-topics/all-site-to-site-tunnels-drop/m-p/314769#M81162 <P>We had an incident where we have site to site VPNs coming into the Palo.&nbsp; The connection dropped and they would not come backup, even after dropping the VPN on both devices.&nbsp; The end result was a reboot of the firewall and it came back up.&nbsp; What I saw in the logs is pasted below.&nbsp; Customer support just said "As we can see from the Ike manager logs the firewall is receiving the first packet for IKE negotiation which accepts and sends the response but its not getting the reply."&nbsp; Both sides could ping each other.&nbsp;</P><P>&nbsp;</P><P>Ideas?</P><P>************</P><P>====&gt; PHASE-1 NEGOTIATION FAILED AS RESPONDER, MAIN MODE &lt;====<BR />====&gt; Failed SA: [500] cookie:b54ae8b7fae36f5b:a2a373bfed2ef054 &lt;==== Due to timeout.<BR />&#27;[7m2020-03-05&#27;[27m 04:23:39.000 -0600 [INFO]: { 4: }: ====&gt; PHASE-1 SA DELETED &lt;====<BR />====&gt; Deleted SA: [500] cookie:b54ae8b7fae36f5b:a2a373bfed2ef054 &lt;====<BR />&#27;[7m2020-03-05&#27;[27m 04:23:42.974 -0600 [PNTF]: { 4: }: ====&gt; PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE &lt;====<BR />====&gt; Initiated SA: 4[500] cookie:1589d0bc1ca8cedd:b61975bbe41105ad &lt;====<BR />&#27;[7m2020-03-05&#27;[27m 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: RFC 3947<BR />&#27;[7m2020-03-05&#27;[27m 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03<BR />&#27;[7m2020-03-05&#27;[27m 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02</P><P>&#27;[7m2020-03-05&#27;[27m 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00<BR />&#27;[7m2020-03-05&#27;[27m 04:23:42.975 -0600 [INFO]: { 4: }: Selected NAT-T version: RFC 3947<BR />&#27;[7m2020-03-05&#27;[27m 04:23:50.974 -0600 [INFO]: the packet is retransmitted from [500].</P><P>&nbsp;</P> Thu, 05 Mar 2020 18:52:09 GMT ShaunaYelverton 2020-03-05T18:52:09Z https://live.paloaltonetworks.com/t5/general-topics/all-site-to-site-tunnels-drop/m-p/314769#M81162 <P>We had an incident where we have site to site VPNs coming into the Palo.&nbsp; The connection dropped and they would not come backup, even after dropping the VPN on both devices.&nbsp; The end result was a reboot of the firewall and it came back up.&nbsp; What I saw in the logs is pasted below.&nbsp; Customer support just said "As we can see from the Ike manager logs the firewall is receiving the first packet for IKE negotiation which accepts and sends the response but its not getting the reply."&nbsp; Both sides could ping each other.&nbsp;</P><P>&nbsp;</P><P>Ideas?</P><P>************</P><P>====&gt; PHASE-1 NEGOTIATION FAILED AS RESPONDER, MAIN MODE &lt;====<BR />====&gt; Failed SA: [500] cookie:b54ae8b7fae36f5b:a2a373bfed2ef054 &lt;==== Due to timeout.<BR />&#27;[7m2020-03-05&#27;[27m 04:23:39.000 -0600 [INFO]: { 4: }: ====&gt; PHASE-1 SA DELETED &lt;====<BR />====&gt; Deleted SA: [500] cookie:b54ae8b7fae36f5b:a2a373bfed2ef054 &lt;====<BR />&#27;[7m2020-03-05&#27;[27m 04:23:42.974 -0600 [PNTF]: { 4: }: ====&gt; PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE &lt;====<BR />====&gt; Initiated SA: 4[500] cookie:1589d0bc1ca8cedd:b61975bbe41105ad &lt;====<BR />&#27;[7m2020-03-05&#27;[27m 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: RFC 3947<BR />&#27;[7m2020-03-05&#27;[27m 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03<BR />&#27;[7m2020-03-05&#27;[27m 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02</P><P>&#27;[7m2020-03-05&#27;[27m 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00<BR />&#27;[7m2020-03-05&#27;[27m 04:23:42.975 -0600 [INFO]: { 4: }: Selected NAT-T version: RFC 3947<BR />&#27;[7m2020-03-05&#27;[27m 04:23:50.974 -0600 [INFO]: the packet is retransmitted from [500].</P><P>&nbsp;</P> Thu, 05 Mar 2020 18:52:09 GMT https://live.paloaltonetworks.com/t5/general-topics/all-site-to-site-tunnels-drop/m-p/314769#M81162 ShaunaYelverton 2020-03-05T18:52:09Z https://live.paloaltonetworks.com/t5/general-topics/all-site-to-site-tunnels-drop/m-p/314797#M81167 <P>What version are you running?&nbsp; The 8.1.13 release has a fix for a huge memory leak that causes symptoms very similar to if not exactly what you are experiencing.</P> Thu, 05 Mar 2020 20:27:14 GMT https://live.paloaltonetworks.com/t5/general-topics/all-site-to-site-tunnels-drop/m-p/314797#M81167 jeremy.larsen 2020-03-05T20:27:14Z https://live.paloaltonetworks.com/t5/general-topics/all-site-to-site-tunnels-drop/m-p/314902#M81178 <P>In case anyone else is configuring PAN to Sonicwall this is how we configured. The tunnel interfaces were significantly slower and did not re-establish communication.</P><P>&nbsp;</P><P><SPAN><A href="https://live.paloaltonetworks.com/t5/API-Articles/Create-a-VPN-from-Palo-Alto-to-Sonicwall/ta-p/55309" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/API-Articles/Create-a-VPN-from-Palo-Alto-to-Sonicwall/ta-p/55309</A><BR /></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 06 Mar 2020 13:13:02 GMT https://live.paloaltonetworks.com/t5/general-topics/all-site-to-site-tunnels-drop/m-p/314902#M81178 ShaunaYelverton 2020-03-06T13:13:02Z https://live.paloaltonetworks.com/t5/general-topics/all-site-to-site-tunnels-drop/m-p/314903#M81179 <P>We are running 9.0.5, it was a misconfiguration of the tunnel between the Sonicwalls and Palo.&nbsp; They stayed up for over a week though.&nbsp; Thanks for the update.</P><P>&nbsp;</P> Fri, 06 Mar 2020 13:37:35 GMT https://live.paloaltonetworks.com/t5/general-topics/all-site-to-site-tunnels-drop/m-p/314903#M81179 ShaunaYelverton 2020-03-06T13:37:35Z