https://live.paloaltonetworks.com/t5/general-topics/doubt-about-multiple-sas-in-ipsec-tunnel/m-p/422297#M94051 <P>Hi,&nbsp;&nbsp;</P><P>&nbsp;</P><P>We have a tunnel working but looking in the logs we see many installed SAs. So we think it should be a SA for line in proxy ID.</P><P>&nbsp;</P><P>So why all these logs about "installed SA"?&nbsp; Any idea?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vpnjs.JPG" style="width: 255px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35252i1ADC9F1F9A3C4936/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="vpnjs.JPG" alt="vpnjs.JPG" /></span></P> Tue, 27 Jul 2021 11:37:44 GMT BigPalo 2021-07-27T11:37:44Z https://live.paloaltonetworks.com/t5/general-topics/doubt-about-multiple-sas-in-ipsec-tunnel/m-p/422297#M94051 <P>Hi,&nbsp;&nbsp;</P><P>&nbsp;</P><P>We have a tunnel working but looking in the logs we see many installed SAs. So we think it should be a SA for line in proxy ID.</P><P>&nbsp;</P><P>So why all these logs about "installed SA"?&nbsp; Any idea?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vpnjs.JPG" style="width: 255px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35252i1ADC9F1F9A3C4936/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="vpnjs.JPG" alt="vpnjs.JPG" /></span></P> Tue, 27 Jul 2021 11:37:44 GMT https://live.paloaltonetworks.com/t5/general-topics/doubt-about-multiple-sas-in-ipsec-tunnel/m-p/422297#M94051 BigPalo 2021-07-27T11:37:44Z https://live.paloaltonetworks.com/t5/general-topics/doubt-about-multiple-sas-in-ipsec-tunnel/m-p/422510#M94069 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a>&nbsp;.</P><P>What is the timestamp for each "installed SA" log?</P><P>It should be correct that you will have SA for each "proxy id line". But looking at your logs it seems that your Phase2 is configured with lifetime of one hour (3600sec)&nbsp;<U>and</U> lifesize of round 4,6GB. Which means that either of those end FW will delete the SA and negotiate new one. But if the SA aged out you should see log for deleting SA as well.</P><P>&nbsp;</P><P>- What is the timestamp of the logs?</P><P>- Are you using log filter to list the above logs? What is the filter?</P><P>- How many proxy-ids do you have?</P> Tue, 27 Jul 2021 22:21:59 GMT https://live.paloaltonetworks.com/t5/general-topics/doubt-about-multiple-sas-in-ipsec-tunnel/m-p/422510#M94069 aleksandar.astardzhiev 2021-07-27T22:21:59Z