Flapping IPSec Tunnel


ISSUE: IPsec tunnel is flapping, or the IPsec tunnel is up but not passing traffic.

CAUSE: One reason for a tunnel flapping or not passing traffic is that the SPI number is not stable. This can be caused by a software bug; by the phase 1 and phase 2 lifetimes not being the same, so that rekeying happens; or by mismatched proxy IDs, which cause frequent rekeying.

A security association (SA) is uniquely identified by a triple consisting of a Security Parameter Index (SPI), an IP destination address, and a security protocol (AH or ESP) identifier. The SPI is an arbitrary 32-bit value that the receiver uses to identify the SA to which an incoming packet should be bound; it is carried in the packet so the destination can map it to the correct SA.

The SPI number can be checked on the firewall with the following command:

show vpn ipsec-sa


The SPI number should remain stable until the tunnel renegotiates (rekeys). If the number keeps changing between expected rekeys, the tunnel will not be stable.
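A way to turn this check into something repeatable is to poll `show vpn ipsec-sa` on a schedule and compare the SPI pair of each tunnel between polls. The script below is an added example, not part of this article and not Palo Alto Networks code. The column layout it parses (Tunnel, Gateway, Proto, LocalSPI, RemoteSPI) is an assumption, as are the constructed snapshots and the 80% rekey margin; adapt `parse_sa_table()` to the firewall's real output. It distinguishes a tunnel that never changes SPI (stable), one that changes roughly once per phase 2 lifetime (normal rekeying), and one whose SPI changes far more often than the configured lifetime allows (the unstable case the article describes).

```python
"""Spot unstable IPsec SPIs from repeated `show vpn ipsec-sa` snapshots.

Added example, not from the original article or from Palo Alto Networks.
The table layout parsed below (Tunnel Gateway Proto LocalSPI RemoteSPI)
is an assumption; adapt parse_sa_table() to the real command output.
"""
from collections import defaultdict

# Constructed snapshots: (seconds since the first poll, command output).
# Polled every 10 minutes; the configured phase 2 lifetime is 1200 s.
SNAPSHOTS = [
    (0, """\
Tunnel        Gateway        Proto  LocalSPI  RemoteSPI
to-branch-a   203.0.113.10   ESP    0a1b2c3d  4e5f6071
to-branch-b   203.0.113.20   ESP    11111111  22222222
to-branch-c   203.0.113.30   ESP    aaaa0001  bbbb0001
"""),
    (600, """\
Tunnel        Gateway        Proto  LocalSPI  RemoteSPI
to-branch-a   203.0.113.10   ESP    0a1b2c3d  4e5f6071
to-branch-b   203.0.113.20   ESP    33333333  44444444
to-branch-c   203.0.113.30   ESP    aaaa0001  bbbb0001
"""),
    (1200, """\
Tunnel        Gateway        Proto  LocalSPI  RemoteSPI
to-branch-a   203.0.113.10   ESP    0a1b2c3d  4e5f6071
to-branch-b   203.0.113.20   ESP    55555555  66666666
to-branch-c   203.0.113.30   ESP    aaaa0002  bbbb0002
"""),
    (1800, """\
Tunnel        Gateway        Proto  LocalSPI  RemoteSPI
to-branch-a   203.0.113.10   ESP    0a1b2c3d  4e5f6071
to-branch-b   203.0.113.20   ESP    77777777  88888888
to-branch-c   203.0.113.30   ESP    aaaa0002  bbbb0002
"""),
    (2400, """\
Tunnel        Gateway        Proto  LocalSPI  RemoteSPI
to-branch-a   203.0.113.10   ESP    0a1b2c3d  4e5f6071
to-branch-b   203.0.113.20   ESP    99999999  aaaaaaaa
to-branch-c   203.0.113.30   ESP    aaaa0003  bbbb0003
"""),
]


def parse_sa_table(text):
    """Return {tunnel: (local_spi, remote_spi)} from the assumed table layout."""
    sas = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Tunnel":  # skip header/blank lines
            continue
        name, _gateway, _proto, local_spi, remote_spi = fields[:5]
        sas[name] = (local_spi.lower(), remote_spi.lower())
    return sas


def spi_change_times(snapshots):
    """Map each tunnel to the poll times at which its SPI pair differed from
    the previous poll. A tunnel missing from one poll also counts as a change."""
    changes = defaultdict(list)
    previous = None
    for t, text in snapshots:
        current = parse_sa_table(text)
        if previous is not None:
            for name in set(previous) | set(current):
                if previous.get(name) != current.get(name):
                    changes[name].append(t)
        previous = current
    return dict(changes)


def classify(snapshots, phase2_lifetime_s, rekey_margin=0.8):
    """Classify each tunnel as 'stable', 'rekeying' or 'unstable'.

    One SPI change per lifetime is a normal rekey. Rekeys are triggered a
    little before the lifetime expires, so the margin (an assumption) tolerates
    intervals slightly shorter than the lifetime. Two changes closer together
    than margin*lifetime mean the SA is renegotiated far too often.
    """
    threshold = phase2_lifetime_s * rekey_margin
    changes = spi_change_times(snapshots)
    names = set()
    for _, text in snapshots:
        names |= set(parse_sa_table(text))
    result = {}
    for name in sorted(names):
        times = changes.get(name, [])
        if not times:
            result[name] = "stable"
        elif any(b - a < threshold for a, b in zip(times, times[1:])):
            result[name] = "unstable"
        else:
            result[name] = "rekeying"
    return result


if __name__ == "__main__":
    for tunnel, verdict in classify(SNAPSHOTS, phase2_lifetime_s=1200).items():
        print(f"{tunnel:12s} {verdict}")
```

Run against the constructed snapshots, `to-branch-a` is reported stable, `to-branch-c` as rekeying normally (its SPI changes every 1200 s, matching the lifetime), and `to-branch-b` as unstable (a new SPI at every 10-minute poll). A tunnel seen changing only once cannot be judged from a single interval, so it is reported as rekeying until a second change arrives; in production, feed the verdicts to the same alerting pipeline that receives tunnel-down events so that a rekey that happens on schedule is not confused with a flap.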

EXAMPLE: In both screenshots, the SPI number is changing.

[Screenshot SPI1.png: show vpn ipsec-sa output with a changing SPI]

[Screenshot SPI2.png: show vpn ipsec-sa output with a changing SPI]

RESOLUTION:

  • Check the lifetimes of phase 1 and phase 2 on both peers -- the times should be the same.
  • Check whether the proxy IDs match on both sides.
  • If both match and the SPI still changes, the issue may be a software bug.
Comments


We have 3 IPSec tunnels set up between our firewalls and tunnel monitoring is enabled on all of them. We configured to receive email alerts via Splunk every time a Tunnel Down event occurs on the firewall. We have been receiving a bunch of emails that the tunnel is down every time there is a periodic rekeying on phase 2.

Not sure if this is expected to happen but this seems to appear on only a few versions of PAN-OS. We are currently running 8.0.12 and we saw the same issue when we were running PAN-OS 7.