VPN to Azure dropouts

L2 Linker

VPN to Azure dropouts

I have searched high and low for this and found a few articles regarding IKE configuration, but nothing seems to fix it.

 

PAN 3020 v7.0.5. IKEv2 VPN to Azure. The VPN works, but around every 50 minutes the tunnel drops out for a few minutes and then re-establishes. I have tried various different IKE and IPsec settings as per advice from Palo Alto articles, Microsoft Azure articles and settings from a comment against a Palo Alto article that the commenter said worked. No joy.

 

From the Azure console there is no way of checking IPsec settings.

 

Any help would be good.

L6 Presenter

Re: VPN to Azure dropouts

Hi,

 

Just had a similar issue. Can you post your VPN settings so I can compare with mine and tell you what I have changed to make it work? Please send a screenshot of the logs from the Monitoring tab > System. Both successful and unsuccessful.

 

Cheers

L6 Presenter

Re: VPN to Azure dropouts

Hi,

 

Just a quick update/tips on this:

 

- make sure the Palo is in "passive" mode. It will not be able to initiate a VPN, but we could not make it work when it's disabled.

- IKEv2 initiates 2 tunnels: the IKE tunnel (old name: IKEv1 Phase 1) and the CHILD_SA (old name: IKEv1 Phase 2). The default lifetime for the IKE tunnel is 86400 or 28800 seconds (depends on the vendor); for the CHILD_SA it is 3600 seconds, hence your tunnel will always be re-established every hour. But it takes a couple of seconds, not minutes.

- disable no-pfs on IPSec Crypto

- disable "Liveness Check" on the IKE Gateway configuration.

 

Make sure that all other settings are compatible with Azure. Please see below:

 

IPsec Parameters

Note:

Although the values listed below are supported by the Azure VPN Gateway, currently there is no way for you to specify or select a specific combination from the Azure VPN Gateway. You must specify any constraints from the on-premises VPN device. In addition, you must clamp MSS at 1350.

IKE Phase 1 setup

| Property                                  | Policy-based            | Route-based and Standard or High Performance VPN gateway |
|-------------------------------------------|-------------------------|----------------------------------------------------------|
| IKE Version                               | IKEv1                   | IKEv2                                                    |
| Diffie-Hellman Group                      | Group 2 (1024 bit)      | Group 2 (1024 bit)                                       |
| Authentication Method                     | Pre-Shared Key          | Pre-Shared Key                                           |
| Encryption Algorithms                     | AES256, AES128, 3DES    | AES256, 3DES                                             |
| Hashing Algorithm                         | SHA1 (SHA128)           | SHA1 (SHA128), SHA2 (SHA256)                             |
| Phase 1 Security Association (SA) Lifetime (Time) | 28,800 seconds  | 10,800 seconds                                           |

IKE Phase 2 setup

| Property                                                   | Policy-based                                            | Route-based and Standard or High Performance VPN gateway |
|------------------------------------------------------------|---------------------------------------------------------|----------------------------------------------------------|
| IKE Version                                                | IKEv1                                                   | IKEv2                                                    |
| Hashing Algorithm                                          | SHA1 (SHA128)                                           | SHA1 (SHA128)                                            |
| Phase 2 Security Association (SA) Lifetime (Time)          | 3,600 seconds                                           | 3,600 seconds                                            |
| Phase 2 Security Association (SA) Lifetime (Throughput)    | 102,400,000 KB                                          | -                                                        |
| IPsec SA Encryption & Authentication Offers (in order of preference) | 1. ESP-AES256 2. ESP-AES128 3. ESP-3DES 4. N/A | See Route-based Gateway IPsec Security Association (SA) Offers (below) |
| Perfect Forward Secrecy (PFS)                              | No                                                      | Yes (DH Group 1, 2, 5, 14, 24)                           |
| Dead Peer Detection                                        | Not supported                                           | Supported                                                |

After doing all this the tunnel has been stable for the past 3 days.

You can clear the tunnel a couple of times to see if everything is working correctly:

 

> clear vpn ike-sa gateway (for IKE Tunnel)

> clear vpn ipsec-sa tunnel (for CHILD_SA)

 

Hope it helps!
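As an added example (not from the thread or from Palo Alto), the following script checks a proposed PAN-OS crypto configuration against the route-based (IKEv2) column of the Azure parameter table quoted in the reply above; the constraints are transcribed from that table, and the two sample profiles (one before and one after applying the reply's advice) are constructed.

```python
# Added example, not from the thread: compare a proposed PAN-OS crypto
# configuration with the Azure route-based (IKEv2) column of the table above.
# Profile values are constructed; Azure constraints are from the table.

AZURE_ROUTE_BASED = {
    "ike_version": "ikev2",
    "dh_groups": {"group2"},                    # Phase 1 DH group
    "ike_encryption": {"aes-256-cbc", "3des"},  # Phase 1 encryption
    "ike_hash": {"sha1", "sha256"},             # Phase 1 hashing
    "ike_lifetime_s": 10800,                    # Phase 1 SA lifetime
    "ipsec_hash": {"sha1"},                     # Phase 2 hashing
    "ipsec_lifetime_s": 3600,                   # Phase 2 (CHILD_SA) lifetime
    "pfs_groups": {"group1", "group2", "group5", "group14", "group24"},
}


def check_profile(profile):
    """Return mismatches against Azure's route-based parameters (empty = compatible)."""
    a, problems = AZURE_ROUTE_BASED, []
    if profile["ike_version"] != a["ike_version"]:
        problems.append(f"IKE version {profile['ike_version']} is not ikev2")
    for key, label in (("dh_groups", "phase 1 DH group"),
                       ("ike_encryption", "phase 1 encryption"),
                       ("ike_hash", "phase 1 hash"),
                       ("ipsec_hash", "phase 2 hash")):
        unsupported = set(profile[key]) - a[key]
        if unsupported:
            problems.append(f"{label} not accepted by Azure: {sorted(unsupported)}")
    # The peer with the shorter lifetime initiates each rekey, so a local value
    # above Azure's means Azure drives every rekey rather than the firewall.
    for key, label in (("ike_lifetime_s", "phase 1"), ("ipsec_lifetime_s", "phase 2")):
        if profile[key] > a[key]:
            problems.append(f"{label} lifetime {profile[key]}s exceeds Azure's {a[key]}s")
    # The table lists PFS as "Yes" with a fixed set of DH groups for route-based
    # gateways, so no-pfs (the setting the reply says to turn off) is flagged.
    if profile["pfs"] == "no-pfs":
        problems.append("no-pfs set, but Azure route-based lists PFS as Yes")
    elif profile["pfs"] not in a["pfs_groups"]:
        problems.append(f"PFS group {profile['pfs']} not accepted by Azure")
    return problems


# Constructed sample: a profile with the settings the reply tells the poster to
# change (no PFS, 8-hour phase 1 lifetime) and the same profile after the advice.
BEFORE = {"ike_version": "ikev2", "dh_groups": ["group2"],
          "ike_encryption": ["aes-256-cbc"], "ike_hash": ["sha1"],
          "ike_lifetime_s": 28800, "ipsec_hash": ["sha1"],
          "ipsec_lifetime_s": 3600, "pfs": "no-pfs"}
AFTER = dict(BEFORE, ike_lifetime_s=10800, pfs="group2")
```

Running `check_profile(BEFORE)` reports the phase 1 lifetime and the no-pfs setting; `check_profile(AFTER)` returns an empty list.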

L2 Linker

Re: VPN to Azure dropouts

Dropout.JPG

L6 Presenter

Re: VPN to Azure dropouts

Hi,

 

The first thing I have noticed is that your Palo device is not in "Passive" mode. Try to configure/modify the config using my settings and get back, please.

 

All the best

L2 Linker

Re: VPN to Azure dropouts

I noticed that first log entry myself, as the PAN tries to start the SA negotiation as initiator, but it is definitely in passive mode.

L6 Presenter

Re: VPN to Azure dropouts

Did you commit the changes?

 

passive.PNG

L2 Linker

Re: VPN to Azure dropouts

It has been passive for quite a while now, having committed multiple changes over the last few weeks.

L6 Presenter

Re: VPN to Azure dropouts

Very strange. What do the latest logs suggest? Did you try my suggestions? Our VPN is still stable, fingers crossed :-)

L2 Linker

Re: VPN to Azure dropouts

Can you take some screenshots of your config and I will match that and see how it goes? I can't find much info on the log entries except what you have already suggested.

 

If I match what you have it might improve.

 

Thanks for your input.
