https://live.paloaltonetworks.com/t5/general-topics/ikev2-unexpected-ipsec-key-delete-event/m-p/377928#M89416 <P>Hi All,</P><P>&nbsp;</P><P>I'm a medior network engineer who just got into a new position where I deal with PA FWs. I face the following issue now:</P><P>&nbsp;</P><P>There is an IPSEC site-to-site VPN between my PA-850 (ver. 9.1.3) and a remote FW (I'm not sure about the remote device type). I see strange behaviours.</P><P>&nbsp;</P><P>Yesterday 3 pm the rekey happened. It finished with ikev2-nego-child-succ event and created a Child_SA.</P><P>But today morning all the keys got renegotiated starting with this event:</P><P><BR />Ikev2-nego-child-start.</P><P>Description: IKEv2 child SA negotiation is started as responder, rekey. Initiated SA: *local_ip*[500]-*remote_ip*[500].</P><P>&nbsp;</P><P>After this all the child SAs for the various proxy ids got deleted and then re-installed.</P><P>&nbsp;</P><P>Note: I started the story with yesterday's rekey. That was also a chain of events like this, in which the rekey was not yet due.</P><P>&nbsp;</P><P>Our workforce is relying on this IPsec tunnel, but that is also strange that on yesterday's failure they all experienced connectivity issues while on today's one they did not.&nbsp;</P><P>&nbsp;</P><P>Please let me know if you have any ideas, or question.</P><P>&nbsp;</P><P>Cheers,</P><P>Daniel</P> Tue, 05 Jan 2021 12:25:32 GMT olloczky 2021-01-05T12:25:32Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-unexpected-ipsec-key-delete-event/m-p/377928#M89416 <P>Hi All,</P><P>&nbsp;</P><P>I'm a medior network engineer who just got into a new position where I deal with PA FWs. I face the following issue now:</P><P>&nbsp;</P><P>There is an IPSEC site-to-site VPN between my PA-850 (ver. 9.1.3) and a remote FW (I'm not sure about the remote device type). I see strange behaviours.</P><P>&nbsp;</P><P>Yesterday 3 pm the rekey happened. It finished with ikev2-nego-child-succ event and created a Child_SA.</P><P>But today morning all the keys got renegotiated starting with this event:</P><P><BR />Ikev2-nego-child-start.</P><P>Description: IKEv2 child SA negotiation is started as responder, rekey. Initiated SA: *local_ip*[500]-*remote_ip*[500].</P><P>&nbsp;</P><P>After this all the child SAs for the various proxy ids got deleted and then re-installed.</P><P>&nbsp;</P><P>Note: I started the story with yesterday's rekey. That was also a chain of events like this, in which the rekey was not yet due.</P><P>&nbsp;</P><P>Our workforce is relying on this IPsec tunnel, but that is also strange that on yesterday's failure they all experienced connectivity issues while on today's one they did not.&nbsp;</P><P>&nbsp;</P><P>Please let me know if you have any ideas, or question.</P><P>&nbsp;</P><P>Cheers,</P><P>Daniel</P> Tue, 05 Jan 2021 12:25:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-unexpected-ipsec-key-delete-event/m-p/377928#M89416 olloczky 2021-01-05T12:25:32Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-unexpected-ipsec-key-delete-event/m-p/378041#M89431 <P>Hi Daniel</P><P>&nbsp;</P><P>Are you on 'friendly' terms with the remote end?&nbsp; you could ask them to compare notes and see how they have their crypto and phases set, there may be a discrepancy of timers or 'byte count' between your devices that's causing their device to rekey sooner than expected (since they initiate the rekey)</P><P>Typical rekey for phase1 is 8 hours, and every 1 hour for phase2, with no bytecount on either. There shouldn't be a huge impact for users unless there are some very sensitive applications in use, the list of proxyIDs is huge, or the crypto is too strong for one side</P><P>In which case you could try 'timing' the rekeys or using more process friendly algorythms</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 05 Jan 2021 23:16:12 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-unexpected-ipsec-key-delete-event/m-p/378041#M89431 reaper 2021-01-05T23:16:12Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-unexpected-ipsec-key-delete-event/m-p/378098#M89441 <P>Hi Reaper,</P><P>&nbsp;</P><P>Thanks for the info. Hopefully we will have a session with the customer on Friday so we can clarify the settings.&nbsp;</P> Wed, 06 Jan 2021 12:27:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-unexpected-ipsec-key-delete-event/m-p/378098#M89441 olloczky 2021-01-06T12:27:27Z