All site to site tunnels drop

L1 Bithead

All site to site tunnels drop

We had an incident where we have site to site VPNs coming into the Palo. The connection dropped and they would not come back up, even after dropping the VPN on both devices. The end result was a reboot of the firewall and it came back up. What I saw in the logs is pasted below. Customer support just said "As we can see from the IKE manager logs, the firewall is receiving the first packet for IKE negotiation, which it accepts and sends the response, but it's not getting the reply." Both sides could ping each other.

Ideas?

************

====> PHASE-1 NEGOTIATION FAILED AS RESPONDER, MAIN MODE <====
====> Failed SA: [500] cookie:b54ae8b7fae36f5b:a2a373bfed2ef054 <==== Due to timeout.
2020-03-05 04:23:39.000 -0600 [INFO]: { 4: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: [500] cookie:b54ae8b7fae36f5b:a2a373bfed2ef054 <====
2020-03-05 04:23:42.974 -0600 [PNTF]: { 4: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
====> Initiated SA: 4[500] cookie:1589d0bc1ca8cedd:b61975bbe41105ad <====
2020-03-05 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: RFC 3947
2020-03-05 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2020-03-05 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2020-03-05 04:23:42.975 -0600 [INFO]: { 4: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2020-03-05 04:23:42.975 -0600 [INFO]: { 4: }: Selected NAT-T version: RFC 3947
2020-03-05 04:23:50.974 -0600 [INFO]: the packet is retransmitted from [500].
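
The log excerpt above shows the pattern support described: the firewall starts a phase-1 negotiation as responder, retransmits, and the SA fails "Due to timeout" before being deleted. The following is an added example (not code from the original post or from Palo Alto Networks) that parses ikemgr.log-style lines into one record per negotiation, keyed by the IKE cookie pair, so that responder-side timeouts can be counted across all peers rather than read by eye. The line format is inferred from the lines quoted above; the `SAMPLE_LOG` is constructed to resemble them, and the log level on the failure line is an assumption.

```python
# Added example (not from the post or from Palo Alto Networks): summarise
# IKE phase-1 outcomes from ikemgr.log-style lines. The format is inferred
# from the lines quoted above; SAMPLE_LOG is constructed to resemble them.
import re

# Constructed sample: one responder negotiation that times out after two
# retransmissions, then a second one that is still open.
SAMPLE_LOG = """\
2020-03-05 04:23:10.000 -0600 [PNTF]: { 4: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
====> Initiated SA: 4[500] cookie:b54ae8b7fae36f5b:a2a373bfed2ef054 <====
2020-03-05 04:23:10.001 -0600 [INFO]: { 4: }: received Vendor ID: RFC 3947
2020-03-05 04:23:18.000 -0600 [INFO]: the packet is retransmitted from [500].
2020-03-05 04:23:26.000 -0600 [INFO]: the packet is retransmitted from [500].
2020-03-05 04:23:39.000 -0600 [INFO]: { 4: }: ====> PHASE-1 NEGOTIATION FAILED AS RESPONDER, MAIN MODE <====
====> Failed SA: [500] cookie:b54ae8b7fae36f5b:a2a373bfed2ef054 <==== Due to timeout.
2020-03-05 04:23:39.000 -0600 [INFO]: { 4: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: [500] cookie:b54ae8b7fae36f5b:a2a373bfed2ef054 <====
2020-03-05 04:23:42.974 -0600 [PNTF]: { 4: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
====> Initiated SA: 4[500] cookie:1589d0bc1ca8cedd:b61975bbe41105ad <====
2020-03-05 04:23:42.975 -0600 [INFO]: { 4: }: Selected NAT-T version: RFC 3947
2020-03-05 04:23:50.974 -0600 [INFO]: the packet is retransmitted from [500].
"""

# Timestamped header: "<date> <time> <tz> [<level>]: <message>".
HEADER_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
                       r"\[(?P<level>[A-Z]+)\]: (?P<msg>.*)$")
# Initiator:responder cookie pair printed on the "====> ... SA:" lines.
COOKIE_RE = re.compile(r"cookie:(?P<pair>[0-9a-fA-F]+:[0-9a-fA-F]+)")
ROLE_RE = re.compile(r"\bAS (INITIATOR|RESPONDER)\b")


def parse_events(text):
    """Group each timestamped header with the untimestamped
    '====> ... SA:' continuation lines that follow it."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "level": m["level"], "msg": m["msg"], "detail": []})
        elif events:
            events[-1]["detail"].append(line)
        else:
            # Continuation with no header yet (a truncated paste, as at the
            # top of the post's excerpt): keep it as its own event.
            events.append({"ts": None, "level": None, "msg": line, "detail": []})
    return events


def summarize_phase1(text):
    """One record per phase-1 negotiation (keyed by cookie pair): start time,
    local role, how it ended, and retransmissions logged while it was open."""
    records, order = {}, []

    def record_for(pair):
        if pair not in records:
            records[pair] = {"cookie": pair, "started": None, "role": None,
                             "outcome": "in progress", "ended": None, "retransmits": 0}
            order.append(pair)
        return records[pair]

    for ev in parse_events(text):
        full = " ".join([ev["msg"]] + ev["detail"])
        cookie, role = COOKIE_RE.search(full), ROLE_RE.search(ev["msg"])
        if "PHASE-1 NEGOTIATION STARTED" in ev["msg"] and cookie:
            rec = record_for(cookie["pair"])
            rec["started"] = ev["ts"]
            rec["role"] = role.group(1).lower() if role else None
        elif "PHASE-1 NEGOTIATION FAILED" in ev["msg"] and cookie:
            rec = record_for(cookie["pair"])
            rec["role"] = rec["role"] or (role.group(1).lower() if role else None)
            rec["outcome"] = "failed (%s)" % ("timeout" if "timeout" in full.lower() else "other")
            rec["ended"] = ev["ts"]
        elif "PHASE-1 SA DELETED" in ev["msg"] and cookie:
            rec = record_for(cookie["pair"])
            if rec["outcome"] == "in progress":
                rec["outcome"] = "deleted"
            rec["ended"] = rec["ended"] or ev["ts"]
        elif "retransmitted" in ev["msg"]:
            # Retransmit lines carry no cookie; charge them to the most
            # recent negotiation that is still open.
            for pair in reversed(order):
                if records[pair]["outcome"] == "in progress":
                    records[pair]["retransmits"] += 1
                    break
    return [records[p] for p in order]


def timed_out_as_responder(text):
    """The signature support described: we answered the peer's first IKE
    packet, retransmitted our reply, and never heard back."""
    return [r for r in summarize_phase1(text)
            if r["role"] == "responder" and r["outcome"] == "failed (timeout)"]


if __name__ == "__main__":
    for rec in summarize_phase1(SAMPLE_LOG):
        print(rec)
```

The useful signal is the ratio: if every peer's negotiations show up in `timed_out_as_responder` at the same time, the firewall is sending replies that nobody receives (a return path or a stuck IKE daemon, as the reboot in the post suggests), whereas a single peer timing out points at that one tunnel's configuration.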

L4 Transporter

Re: All site to site tunnels drop

What version are you running? The 8.1.13 release has a fix for a huge memory leak that causes symptoms very similar to, if not exactly, what you are experiencing.

L1 Bithead

Re: All site to site tunnels drop - Palo to Sonicwall

In case anyone else is configuring PAN to Sonicwall, this is how we configured it. The tunnel interfaces were significantly slower and did not re-establish communication.

https://live.paloaltonetworks.com/t5/API-Articles/Create-a-VPN-from-Palo-Alto-to-Sonicwall/ta-p/5530...

L1 Bithead

Re: All site to site tunnels drop

We are running 9.0.5; it was a misconfiguration of the tunnel between the Sonicwalls and the Palo. They stayed up for over a week, though. Thanks for the update.