Cisco AnyConnect over IKEv2 killed by PAN-OS 8.0

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cisco AnyConnect over IKEv2 killed by PAN-OS 8.0

L1 Bithead

Hi.

 

I've been running PAN-OS 8.0 since release, and immediately got problems with Cisco AnyConnect over IKEv2. Even if the session is very much alive, PAN-OS 8.0 kills it of after a random amount of time, usually a couple of hours.

 

If I change the AnyConnect policy to use SSL instead, everything runs fine.

 

PAN-OS 8.0 recognizes AnyConnect over IKEv2 as ipsec-esp-udp. Changing the default timeout to e.g. 86400 seconds changes nothing.

5 REPLIES 5

Cyber Elite
Cyber Elite

Hi

 

does the session indicate why it was terminated (idle, rst, ...) ?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

PAN-OS says "aged-out". Cisco AnyConnect doesn't even notice that it's been disconnected.

Everything worked fine in 7.1.7 and earlier.

 

Btw, it's a PA-200.

Do you see anything in the Threat logs; it kind of sounds like some security policy is preventing the traffic from passing, hence your age-out response. 

Hi.

 

No, there's no entries in the threat log with the IP to the AnyConnect server.

I see now that the apps and threats content release 658 did something to ipsec-esp-udp. I guess that's the culprit, and not necessarily 8.0.

  • 2710 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!