topic Re: Tunnel times in General Topics

Tunnel times

infotech — Wed, 16 Jul 2014 15:02:37 GMT

I have a tunnel that is up 8 hours and down 16 hours almost consistently any one have any ideas what would cause that?

Re: Tunnel times

HULK — Wed, 16 Jul 2014 15:23:23 GMT

Hello Infotech,

As per the default IKE configuration, IKE phase-1 lifetime is 8 Hrs. So, please make sure that, traffic was passing through the tunnel, else it would be down after the mentioned ( 8 Hrs) lifetime.

Thanks

Re: Tunnel times

infotech — Wed, 16 Jul 2014 15:28:11 GMT

So how am I suppose to check to see if traffic is passing through the tunnel? Also I can't bring it back up no matter what I do

Re: Tunnel times

HULK — Wed, 16 Jul 2014 15:28:48 GMT

Hello Infotech,

The similar parameter is also available for the IPsec-crypto profile. The Default value for phase-2 is 1 Hr. As you have mentioned earlier, the tunnel was down after 8 Hrs. Could you please confirm, whether both Phase-1 and Phase-2 was down or only Phase-2 became down..?

Thanks

Re: Tunnel times

HULK — Wed, 16 Jul 2014 15:31:39 GMT

> show vpn ike-sa gateway

> show vpn flow

>show vpn flow tunnel-id x << where x=id number from above display

Try to bring it UP through TEST VPN command as mentioned below:

> test vpn ike-sa gateway XXXXXX

> test vpn ipsec-sa tunnel XXXXXX

Thanks

Re: Tunnel times

infotech — Wed, 16 Jul 2014 15:43:22 GMT

its up right now so I will have to wait till its down to verify this though I have tried to bring it up with the test command and it fails to come up. But I believe phase 1 comes up but phase 2 fails and I have never heard of phase 3

Re: Tunnel times

HULK — Wed, 16 Jul 2014 15:51:58 GMT

Sorry, it was a typo, it should be Phase-2.

Thanks

Re: Tunnel times

infotech — Wed, 16 Jul 2014 16:37:56 GMT

I will try to bring it up with the test command but in the past it has failed to bring it up

Re: Tunnel times

HULK — Wed, 16 Jul 2014 16:43:10 GMT

Hello Infotech,

After applying the test command from CLI, please verify the System logs from GUI ( Monitor > Logs > System). It should give you a reason behind the failure. Else, we have to verify ikemgr.-log from cli ( > less mp-log ike-mgr.log [Shift+G])

Hope this helps.

Thanks

Re: Tunnel times

infotech — Wed, 16 Jul 2014 18:16:53 GMT

Gere us the result of the show vpn ike-sa gateway

phase-1 SAs
GwID/client IP Peer-Address           Gateway Name           Role Mode Algorithm          Established     Expiration      V ST Xt Phase2
--------------- ------------           ------------           ---- ---- ---------          -----------     ----------      - -- -- ------
              5 66.94.196.108          Parkway_Gateway_ITV3   Init Main PSK/DH2/3DES/SHA1 Jul.16 13:12:10*Jul.16 13:12:31 v1 14 3      0

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

phase-2 SAs
GwID/client IP Peer-Address           Gateway Name           Role Algorithm               SPI(in) SPI(out) MsgID    ST Xt
--------------- ------------           ------------           ---- ---------               ------- -------- -----    -- --
              5 66.94.196.108          Parkway_Gateway_ITV3   Init     /    /   /    /     00000000 00000000 3EDA505E 5 5

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

Result of show vpn flow tunnel-id

tunnel Parkway_IPSec_Tunnel5:DR_Network

id: 139

type: IPSec

gateway id: 5

local ip: 66.94.196.107

peer ip: 66.94.196.108

inner interface: tunnel.5

outer interface: ethernet1/3

state: inactive

session: 0

tunnel mtu: 1428

lifetime remain: N/A

monitor: off

monitor packets seen: 0

monitor packets reply: 0

en/decap context: 2716

local spi: 9C3025F2

remote spi: 07B3DE31

key type: auto key

protocol: ESP

auth algorithm: NOT ESTABLISHED

enc algorithm: NOT ESTABLISHED

proxy-id local ip: 10.135.100.0/24

proxy-id remote ip: 10.135.11.0/25

proxy-id protocol: 0

proxy-id local port: 0

proxy-id remote port: 0

anti replay check: yes

copy tos: no

authentication errors: 0

decryption errors: 0

inner packet warnings: 0

replay packets: 0

packets received

when lifetime expired:0

when lifesize expired:0

sending sequence: 577416

receive sequence: 543151

encap packets: 17134359

decap packets: 15948658

encap bytes: 2685487256

decap bytes: 10989573876

key acquire requests: 129710

I ran the test command and it did not bring the tunnel back up

Re: Tunnel times

infotech — Wed, 16 Jul 2014 18:18:29 GMT

The command we have to verify ike-mgr.log from cli ( > less mp-log ike-mgr.com [Shift+G]) did not work got invalid syntax

Re: Tunnel times

HULK — Wed, 16 Jul 2014 19:06:22 GMT

Hello Infotech,

Open a new cli session and run > tail follow yes mp-log ikemgr.log. At the same time, try the TEST VPN command from an another window (forcefully initiate the VPN tunnel).

Thanks

Re: Tunnel times

infotech — Wed, 16 Jul 2014 19:37:06 GMT

These are the results

2014-07-16 14:36:04 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIAT OR, (QUICK MODE) <====

====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xDCA8EE4B <====

2014-07-16 14:36:04 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=3fd430494385e0f5 1df66859af85187f (size=16).

2014-07-16 14:36:05 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:3fd430494385e0f5:1df66859af85187f <====

2014-07-16 14:36:13 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:0e8b02a666f3d3b1:cedef558e2c21a7e <====

2014-07-16 14:36:14 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:2931850b7ade2be4:b5eeafc08a33ee7b <====

2014-07-16 14:36:15 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:3fd430494385e0f5:1df66859af85187f <====

Re: Tunnel times

jcostello — Thu, 17 Jul 2014 09:11:54 GMT

What type of firewall is the peer device?

The message above is indicating that the IPSec settings are not matching on the firewalls. What is the IPSec profile you are using on your local systems and what is the configuration of the remote host?

Re: Tunnel times

infotech — Thu, 17 Jul 2014 12:56:11 GMT

Peer is a cisco 5505 and I have checked rechecked and changed the settings to make it match and it always does the exact same thing no matter what the seeting are.

Re: Tunnel times

jkim2 — Thu, 17 Jul 2014 14:52:58 GMT

Be deafult Perfect Forward Secrecy (PFS) is enabled on the Palo.

If the tunnel is coming up initially then p1 & p2 probably matches up but its an issue during rekey.

Either disable PFS both sides or enable on both sides.

Also paste the sanitized cisco config as well as debug if you can.

Re: Tunnel times

infotech — Thu, 17 Jul 2014 14:55:59 GMT

Here are the ipsec settings

ipsec crypto settings on PA

encryption - aes256
authentication - sha1
DH group - group1
lifetime 8 hours
lifesize - not set

Cisco 5505 ipsec crypto settings

encryption -AES256
Authentication - sha
DH - group1
SA lifetime settings - 8 hours
Traffic voluem - 4608000 KB

I attempted to change the PA to 4608000 KB but it would not take the setting. I set it to 4800 MB and it brought down the tunnel and I could not bring it back up. I have other tunnels to the same cisco that are working fine and the are set very simliarly

Re: Tunnel times

jkim2 — Thu, 17 Jul 2014 15:21:19 GMT

Can you configure another ipsec profile on the cisco side without the lifesize/traffic volume ? is the lifesize a mandatory security setting ?

How are the PFS set on the cisco ? can you try to disable on both ?

Re: Tunnel times

infotech — Thu, 17 Jul 2014 16:19:50 GMT

Okay so PFS and diffhelman are basically the same thing. So based on that it is enabled on the PA and on the Cisco

Re: Tunnel times

HULK — Thu, 17 Jul 2014 16:27:55 GMT

PFS is a property of key-agreement protocols, ensuring that a session key derived from phase-2 will use for actual data transmission. PFS uses DH algorithm.

Thanks