PAN-OS 8.0.5 sending continuous delete and create for IPSec SA

HITESHHAPANI — Wed, 17 Jun 2020 08:59:05 GMT

PA is sending continuous delete create every 3 seconds. It can be seen from the PA logs that SPI 0xAFD67238/0xC436E70E created at time 2020-06-13 05:50:55.230 and PA became responder for established child SA. For some strange reason PA again triggers child sa creation at 2020-06-13 05:50:55.968 for SPI 0x965504AB/0xCA05A690 and delete older SPI and this keeps on going every 3 seconds. Following are the PA logs for one iteration.

2020-06-13 05:50:51.000 -0700 [DEBG]: 10.15.28.171[500] - 10.15.30.30[500]:(nil) 1 times of 76 bytes message will be sent over socket 1024
2020-06-13 05:50:51.008 -0700 [DEBG]: ===
2020-06-13 05:50:51.008 -0700 [DEBG]: 76 bytes message received from 10.15.30.30[500]
2020-06-13 05:50:51.008 -0700 [DEBG]: { 1: }: response exch type 37
2020-06-13 05:50:51.008 -0700 [DEBG]: { 1: }: update response message_id 0x2
2020-06-13 05:50:55.098 -0700 [DEBG]: ===
2020-06-13 05:50:55.098 -0700 [DEBG]: 76 bytes message received from 10.15.30.30[500]
2020-06-13 05:50:55.098 -0700 [DEBG]: { 1: }: request exch type 37
2020-06-13 05:50:55.098 -0700 [DEBG]: { 1: }: update request message_id 0x0
2020-06-13 05:50:55.098 -0700 [INFO]: { 1: }: received DELETE payload, gateway ike-vpn-10-15-20-168 SA state ESTABLISHED, SPI 8c37416b7bb4a516:0071235c13808317
2020-06-13 05:50:55.099 -0700 [INFO]: { 1: }: 10.15.28.171[500] - 10.15.30.30[500]:(nil) closing IKEv2 SA ike-vpn-10-15-20-168:591, code 7
2020-06-13 05:50:55.099 -0700 [DEBG]: { 1: }: SA dying from state ESTABLISHED, caller ikev2_abort
2020-06-13 05:50:55.099 -0700 [DEBG]: { 1: }: keeping retransmit while state changed to DYING, CID 25360, child 0x7fffe4004c30
2020-06-13 05:50:55.099 -0700 [PNTF]: { 1: 1}: ====> IPSEC KEY DELETED; tunnel ipsec-tunnel-10-15-20-168 <====
====> Deleted SA: 10.15.28.171[500]-10.15.30.30[500] SPI:0xA2285B6E/0xC7736EAB <====
2020-06-13 05:50:55.099 -0700 [INFO]: { 1: 1}: SADB_DELETE proto=255 src=10.15.30.30[0] dst=10.15.28.171[0] ESP spi=0xA2285B6E
2020-06-13 05:50:55.099 -0700 [DEBG]: { 1: }: SA deleted: state DYING, caller ikev2_abort
2020-06-13 05:50:55.099 -0700 [DEBG]: { 1: }: stop retransmit for sa 0x7fffe4004c30 (DEAD), CID 25360, child 0x7fffe4004c30
2020-06-13 05:50:55.099 -0700 [DEBG]: 10.15.28.171[500] - 10.15.30.30[500]:(nil) 1 times of 76 bytes message will be sent over socket 1024
2020-06-13 05:50:55.208 -0700 [DEBG]: ===
2020-06-13 05:50:55.208 -0700 [DEBG]: 510 bytes message received from 10.15.30.30[500]
2020-06-13 05:50:55.208 -0700 [INFO]: { 1: }: received IKE request 10.15.30.30[500] to 10.15.28.171[500], found IKE gateway ike-vpn-10-15-20-168
2020-06-13 05:50:55.208 -0700 [PNTF]: { 1: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway ike-vpn-10-15-20-168 <====
====> Initiated SA: 10.15.28.171[500]-10.15.30.30[500] SPI:fab08f9e0ddf3aa6:41ed5325d7d82a03 SN:592 <====
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: received Notify type NAT_DETECTION_SOURCE_IP
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: received Notify type NAT_DETECTION_DESTINATION_IP
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: received Notify type 16430
2020-06-13 05:50:55.209 -0700 [PWRN]: { 1: }: 10.15.28.171[500] - 10.15.30.30[500]:0xa1c870 ignoring unauthenticated notify payload (16430)
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: received Notify type 16431
2020-06-13 05:50:55.209 -0700 [PWRN]: { 1: }: 10.15.28.171[500] - 10.15.30.30[500]:0xa1c870 ignoring unauthenticated notify payload (16431)
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: received Notify type 16406
2020-06-13 05:50:55.209 -0700 [PWRN]: { 1: }: 10.15.28.171[500] - 10.15.30.30[500]:0xa1c870 ignoring unauthenticated notify payload (16406)
2020-06-13 05:50:55.209 -0700 [DEBG]: proposal #1 len=44
2020-06-13 05:50:55.209 -0700 [DEBG]: proposal #2 len=44
2020-06-13 05:50:55.209 -0700 [DEBG]: proposal #3 len=44
2020-06-13 05:50:55.209 -0700 [DEBG]: proposal #4 len=44
2020-06-13 05:50:55.209 -0700 [DEBG]: proposal #5 len=44
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: see whether there's matching transform
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: found same ID. compare attributes
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: OK; advance to next of my transform type
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: see whether there's matching transform
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: found same ID. compare attributes
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: OK; advance to next of my transform type
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: see whether there's matching transform
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: found same ID. compare attributes
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: OK; advance to next of my transform type
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: see whether there's matching transform
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: found same ID. compare attributes
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: OK; advance to next of my transform type
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: success
2020-06-13 05:50:55.209 -0700 [DEBG]: { 1: }: update request message_id 0x0
2020-06-13 05:50:55.209 -0700 [DEBG]: 10.15.28.171[500] - 10.15.30.30[500]:(nil) 1 times of 304 bytes message will be sent over socket 1024
2020-06-13 05:50:55.228 -0700 [DEBG]: ===
2020-06-13 05:50:55.228 -0700 [DEBG]: 268 bytes message received from 10.15.30.30[4500]
2020-06-13 05:50:55.228 -0700 [DEBG]: { 1: }: received notify type MOBIKE_SUPPORTED
2020-06-13 05:50:55.228 -0700 [DEBG]: { 1: }: received notify type NO_ADDITIONAL_ADDRESSES
2020-06-13 05:50:55.228 -0700 [DEBG]: { 1: }: received notify type EAP_ONLY_AUTHENTICATION
2020-06-13 05:50:55.228 -0700 [DEBG]: { 1: }: received notify type 16420
2020-06-13 05:50:55.228 -0700 [INFO]: { 1: }: 10.15.28.171[4500] - 10.15.30.30[4500]:0x7fffe4002df0 authentication result: success
2020-06-13 05:50:55.228 -0700 [DEBG]: { 1: }: ikev2_process_child_notify(0x7fffe4006bec, 0x7fffeb50aa60), notify type MOBIKE_SUPPORTED
2020-06-13 05:50:55.228 -0700 [PWRN]: { 1: }: 16396 is not a child notify type
2020-06-13 05:50:55.228 -0700 [INFO]: { 1: }: received Notify payload protocol 0 type MOBIKE_SUPPORTED
2020-06-13 05:50:55.228 -0700 [DEBG]: { 1: }: ikev2_process_child_notify(0x7fffe4006bf4, 0x7fffeb50aa60), notify type NO_ADDITIONAL_ADDRESSES
2020-06-13 05:50:55.228 -0700 [PWRN]: { 1: }: 16399 is not a child notify type
2020-06-13 05:50:55.228 -0700 [INFO]: { 1: }: received Notify payload protocol 0 type NO_ADDITIONAL_ADDRESSES
2020-06-13 05:50:55.228 -0700 [DEBG]: { 1: }: ikev2_process_child_notify(0x7fffe4006bfc, 0x7fffeb50aa60), notify type EAP_ONLY_AUTHENTICATION
2020-06-13 05:50:55.228 -0700 [PWRN]: { 1: }: 16417 is not a child notify type
2020-06-13 05:50:55.228 -0700 [INFO]: { 1: }: received Notify payload protocol 0 type EAP_ONLY_AUTHENTICATION
2020-06-13 05:50:55.228 -0700 [DEBG]: { 1: }: ikev2_process_child_notify(0x7fffe4006c04, 0x7fffeb50aa60), notify type 16420
2020-06-13 05:50:55.229 -0700 [PWRN]: { 1: }: 16420 is not a child notify type
2020-06-13 05:50:55.229 -0700 [INFO]: { 1: }: received Notify payload protocol 0 type 16420
2020-06-13 05:50:55.229 -0700 [DEBG]: proposal #1 len=40
2020-06-13 05:50:55.229 -0700 [DEBG]: proposal #2 len=40
2020-06-13 05:50:55.229 -0700 [PNTF]: { 1: }: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway ike-vpn-10-15-20-168 <====
====> Initiated SA: 10.15.28.171[4500]-10.15.30.30[4500] message id:0x00000001 parent SN:592 <====
2020-06-13 05:50:55.229 -0700 [WARN]: { 1: 1}: selector ipsec-tunnel-10-15-20-168 src is ambiguous, using the first one of the expanded addresses
2020-06-13 05:50:55.229 -0700 [WARN]: { 1: 1}: selector ipsec-tunnel-10-15-20-168 dst is ambiguous, using the first one of the expanded addresses
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: TS matching for configured selector ipsec-tunnel-10-15-20-168 0.0.0.0[0]/0-0.0.0.0[0]/0 proto 0
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: .. check local TS (num 1, TS0 is not specific) against selector 0:0.0.0.0[0]/0
2020-06-13 05:50:55.229 -0700 [DEBG]: { : 1}: ... TS 0: exact match
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: ... result: local TS = 0.0.0.0[0]/0
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: .. check remote TS (num 1, TS0 is not specific) against selector 0:0.0.0.0[0]/0
2020-06-13 05:50:55.229 -0700 [DEBG]: { : 1}: ... TS 0: exact match
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: ... result: remote TS = 0.0.0.0[0]/0
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: TS matching result: TS_l match(=), TS_r match(=) *
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: selector chosen ipsec-tunnel-10-15-20-168: tid 1
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: success
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: success
2020-06-13 05:50:55.229 -0700 [INFO]: { 1: 1}: SADB_UPDATE proto=255 10.15.30.30[4500]=>10.15.28.171[4500] ESP tunl spi 0xAFD67238 auth=SHA1 enc=AES128/16 lifetime soft 1603/0 hard 1801/0
2020-06-13 05:50:55.229 -0700 [INFO]: { 1: 1}: SADB_ADD proto=255 10.15.28.171[4500]=>10.15.30.30[4500] ESP tunl spi 0xC436E70E auth=SHA1 enc=AES128/16 lifetime soft 1610/0 hard 1801/0
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: sadb ts: port 0:65535 IP 0.0.0.0->255.255.255.255 proto:0 len:16
2020-06-13 05:50:55.229 -0700 [DEBG]: { 1: 1}: sadb ts: port 0:65535 IP 0.0.0.0->255.255.255.255 proto:0 len:16
2020-06-13 05:50:55.230 -0700 [PNTF]: { 1: 1}: ====> IPSEC KEY INSTALLATION SUCCEEDED; tunnel ipsec-tunnel-10-15-20-168 <====
====> Installed SA: 10.15.28.171[4500]-10.15.30.30[4500] SPI:0xAFD67238/0xC436E70E lifetime 1801 Sec lifesize unlimited <====
2020-06-13 05:50:55.230 -0700 [PNTF]: { 1: 1}: ====> IKEv2 CHILD SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; tunnel ipsec-tunnel-10-15-20-168 <====
====> Established SA: 10.15.28.171[4500]-10.15.30.30[4500] message id:0x00000001, SPI:0xAFD67238/0xC436E70E parent SN:592 <====
2020-06-13 05:50:55.230 -0700 [DEBG]: { 1: }: SA established: state RES_IKE_AUTH_RCVD, caller ikev2_responder_state1_send, attach 1
2020-06-13 05:50:55.230 -0700 [PNTF]: { 1: }: ====> IKEv2 IKE SA NEGOTIATION SUCCEEDED AS RESPONDER, non-rekey; gateway ike-vpn-10-15-20-168 <====
====> Established SA: 10.15.28.171[4500]-10.15.30.30[4500] SPI:fab08f9e0ddf3aa6:41ed5325d7d82a03 SN:592 lifetime 1500 Sec <====
2020-06-13 05:50:55.231 -0700 [DEBG]: 10.15.28.171[4500] - 10.15.30.30[4500]:(nil) 1 times of 208 bytes message will be sent over socket 1025
2020-06-13 05:50:55.231 -0700 [DEBG]: { 1: }: update request message_id 0x1
2020-06-13 05:50:55.231 -0700 [DEBG]: { : 1}: keyacquire received: 10.15.28.171[0] => 10.15.30.30[0]
2020-06-13 05:50:55.231 -0700 [DEBG]: { 1: 1}: ikev2_initiate: child_sa created: id 25362
2020-06-13 05:50:55.231 -0700 [DEBG]: { 1: 1}: construct TS_r 0.0.0.0 -> 255.255.255.255
2020-06-13 05:50:55.231 -0700 [DEBG]: { 1: 1}: construct TS_r :: -> ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
2020-06-13 05:50:55.231 -0700 [DEBG]: { 1: 1}: construct TS_i 0.0.0.0 -> 255.255.255.255
2020-06-13 05:50:55.231 -0700 [DEBG]: { 1: 1}: construct TS_i :: -> ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
2020-06-13 05:50:55.231 -0700 [DEBG]: 10.15.28.171[4500] - 10.15.30.30[4500]:(nil) 1 times of 368 bytes message will be sent over socket 1025
2020-06-13 05:50:55.408 -0700 [DEBG]: ===
2020-06-13 05:50:55.408 -0700 [DEBG]: 284 bytes message received from 10.15.30.30[4500]
2020-06-13 05:50:55.408 -0700 [DEBG]: { 1: }: response exch type 36
2020-06-13 05:50:55.408 -0700 [DEBG]: { 1: }: update response message_id 0x0
2020-06-13 05:50:55.409 -0700 [DEBG]: proposal #1 len=48
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: success
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: see whether there's matching transform
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: found same ID. compare attributes
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: OK; advance to next of my transform type
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: success
2020-06-13 05:50:55.409 -0700 [INFO]: { 1: 1}: SADB_UPDATE proto=255 10.15.30.30[4500]=>10.15.28.171[4500] ESP tunl spi 0x965504AB auth=SHA1 enc=AES128/16 lifetime soft 1543/0 hard 1801/0
2020-06-13 05:50:55.409 -0700 [INFO]: { 1: 1}: SADB_ADD proto=255 10.15.28.171[4500]=>10.15.30.30[4500] ESP tunl spi 0xCA05A690 auth=SHA1 enc=AES128/16 lifetime soft 1506/0 hard 1801/0
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: sadb ts: port 0:65535 IP 0.0.0.0->255.255.255.255 proto:0 len:16
2020-06-13 05:50:55.409 -0700 [DEBG]: { 1: 1}: sadb ts: port 0:65535 IP 0.0.0.0->255.255.255.255 proto:0 len:16
2020-06-13 05:50:55.410 -0700 [PNTF]: { 1: 1}: ====> IPSEC KEY INSTALLATION SUCCEEDED; tunnel ipsec-tunnel-10-15-20-168 <====
====> Installed SA: 10.15.28.171[4500]-10.15.30.30[4500] SPI:0x965504AB/0xCA05A690 lifetime 1801 Sec lifesize unlimited <====
2020-06-13 05:50:55.410 -0700 [PNTF]: { 1: 1}: ====> IKEv2 CHILD SA NEGOTIATION SUCCEEDED AS INITIATOR, non-rekey; tunnel ipsec-tunnel-10-15-20-168 <====
====> Established SA: 10.15.28.171[4500]-10.15.30.30[4500] message id:0x00000000, SPI:0x965504AB/0xCA05A690 parent SN:592 <====
2020-06-13 05:50:55.968 -0700 [DEBG]: { 1: 1}: keymirror del start ----------------
2020-06-13 05:50:55.968 -0700 [DEBG]: { 1: 1}: keymirror del for selfSPI AFD67238, retcode -1.
2020-06-13 05:50:55.968 -0700 [DEBG]: { 1: 1}: keymirror del start ----------------
2020-06-13 05:50:55.968 -0700 [DEBG]: { 1: 1}: keymirror del for selfSPI A2285B6E, retcode 0.
2020-06-13 05:50:55.968 -0700 [DEBG]: { 1: 1}: keymirror add start ++++++++++++++++
2020-06-13 05:50:55.968 -0700 [DEBG]: { 1: 1}: keymgr: key insert called.
2020-06-13 05:50:55.968 -0700 [DEBG]: { 1: 1}: keymirror add for selfSPI 965504AB, retcode 0.
2020-06-13 05:50:55.968 -0700 [PNTF]: { 1: 1}: ====> IKEv2 CHILD SA DELETED AS RESPONDER, non-rekey; tunnel ipsec-tunnel-10-15-20-168 <====
====> Deleted SA: 10.15.28.171[4500]-10.15.30.30[4500] message id:0x00000001, SPI:0xAFD67238/0xC436E70E parent SN:592 <====
2020-06-13 05:50:55.969 -0700 [INFO]: { 1: }: ikev2_request_initiator_start: SA state ESTABLISHED type 3 caller ikev2_child_delete
2020-06-13 05:50:55.969 -0700 [INFO]: { 1: }: IKEv2 INFO transmit: gateway ike-vpn-10-15-20-168, message_id: 0x00000001, type 3 SA state ESTABLISHED
2020-06-13 05:50:55.969 -0700 [DEBG]: 10.15.28.171[4500] - 10.15.30.30[4500]:(nil) 1 times of 80 bytes message will be sent over socket 1025
2020-06-13 05:50:55.969 -0700 [PNTF]: { 1: 1}: ====> IPSEC KEY DELETED; tunnel ipsec-tunnel-10-15-20-168 <====
====> Deleted SA: 10.15.28.171[4500]-10.15.30.30[4500] SPI:0xAFD67238/0xC436E70E <====
2020-06-13 05:50:55.969 -0700 [INFO]: { 1: 1}: SADB_DELETE proto=255 src=10.15.30.30[0] dst=10.15.28.171[0] ESP spi=0xAFD67238
2020-06-13 05:50:56.058 -0700 [DEBG]: ===
2020-06-13 05:50:56.058 -0700 [DEBG]: 76 bytes message received from 10.15.30.30[4500]
2020-06-13 05:50:56.058 -0700 [DEBG]: { 1: }: response exch type 37
2020-06-13 05:50:56.058 -0700 [DEBG]: { 1: }: update response message_id 0x1
2020-06-13 05:50:56.058 -0700 [INFO]: { 1: }: received DELETE payload, protocol ESP, num of SPI: 1 IKE SA state ESTABLISHED
2020-06-13 05:50:56.058 -0700 [INFO]: { 1: }: delete proto ESP spi 0xC436E70E
2020-06-13 05:50:56.059 -0700 [PWRN]: { 1: }: can't find sa for proto ESP spi 0xC436E70E
2020-06-13 05:51:06.000 -0700 [DEBG]: 10.15.28.171[4500] - 10.15.30.30[4500]:(nil) 1 times of 80 bytes message will be sent over socket 1025
2020-06-13 05:51:06.008 -0700 [DEBG]: ===
2020-06-13 05:51:06.008 -0700 [DEBG]: 76 bytes message received from 10.15.30.30[4500]
2020-06-13 05:51:06.008 -0700 [DEBG]: { 1: }: response exch type 37
2020-06-13 05:51:06.008 -0700 [DEBG]: { 1: }: update response message_id 0x2
2020-06-13 05:51:15.748 -0700 [DEBG]: { : 1}: keyacquire received: 10.15.28.171[0] => 10.15.30.30[0]
2020-06-13 05:51:15.748 -0700 [DEBG]: { 1: 1}: 10.15.28.171[0] => 10.15.30.30[0]: key acquire request ignored, SA MATURE
2020-06-13 05:51:16.000 -0700 [DEBG]: 10.15.28.171[4500] - 10.15.30.30[4500]:(nil) 1 times of 80 bytes message will be sent over socket 1025
2020-06-13 05:51:16.008 -0700 [DEBG]: ===
2020-06-13 05:51:16.008 -0700 [DEBG]: 76 bytes message received from 10.15.30.30[4500]
2020-06-13 05:51:16.008 -0700 [DEBG]: { 1: }: response exch type 37
2020-06-13 05:51:16.008 -0700 [DEBG]: { 1: }: update response message_id 0x3
2020-06-13 05:51:22.750 -0700 [DEBG]: { : 1}: keyacquire received: 10.15.28.171[0] => 10.15.30.30[0]
2020-06-13 05:51:22.750 -0700 [DEBG]: { 1: 1}: 10.15.28.171[0] => 10.15.30.30[0]: key acquire request ignored, SA MATURE
2020-06-13 05:51:26.000 -0700 [DEBG]: 10.15.28.171[4500] - 10.15.30.30[4500]:(nil) 1 times of 80 bytes message will be sent over socket 1025
2020-06-13 05:51:26.008 -0700 [DEBG]: ===
2020-06-13 05:51:26.008 -0700 [DEBG]: 76 bytes message received from 10.15.30.30[4500]
2020-06-13 05:51:26.008 -0700 [DEBG]: { 1: }: response exch type 37
2020-06-13 05:51:26.008 -0700 [DEBG]: { 1: }: update response message_id 0x4
2020-06-13 05:51:28.749 -0700 [DEBG]: { : 1}: keyacquire received: 10.15.28.171[0] => 10.15.30.30[0]
2020-06-13 05:51:28.749 -0700 [DEBG]: { 1: 1}: 10.15.28.171[0] => 10.15.30.30[0]: key acquire request ignored, SA MATURE
2020-06-13 05:51:34.748 -0700 [DEBG]: { : 1}: keyacquire received: 10.15.28.171[0] => 10.15.30.30[0]
2020-06-13 05:51:34.748 -0700 [DEBG]: { 1: 1}: 10.15.28.171[0] => 10.15.30.30[0]: key acquire request ignored, SA MATURE
2020-06-13 05:51:36.000 -0700 [DEBG]: 10.15.28.171[4500] - 10.15.30.30[4500]:(nil) 1 times of 80 bytes message will be sent over socket 1025
2020-06-13 05:51:36.008 -0700 [DEBG]: ===
2020-06-13 05:51:36.008 -0700 [DEBG]: 76 bytes message received from 10.15.30.30[4500]
2020-06-13 05:51:36.008 -0700 [DEBG]: { 1: }: response exch type 37
2020-06-13 05:51:36.008 -0700 [DEBG]: { 1: }: update response message_id 0x5

Re: PAN-OS 8.0.5 sending continuous delete and create for IPSec SA

BPry — Wed, 17 Jun 2020 21:22:06 GMT

@HITESHHAPANI,

8.0 as a whole has hit EOL as of 31-OCT-2019, and 8.0.5 is a really early release in that code branch. I would highly recommend you upgrade to a supported release before you spend any additional time looking into this.

Re: PAN-OS 8.0.5 sending continuous delete and create for IPSec SA

HITESHHAPANI — Wed, 24 Jun 2020 06:28:07 GMT

@BPry Seeing the same issue with 9.0 version also. This thread implies that same issue exists with older PA version also https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-restarts-very-often/td-p/42519

topic Re: PAN-OS 8.0.5 sending continuous delete and create for IPSec SA in General Topics

PAN-OS 8.0.5 sending continuous delete and create for IPSec SA

Re: PAN-OS 8.0.5 sending continuous delete and create for IPSec SA

Re: PAN-OS 8.0.5 sending continuous delete and create for IPSec SA