02-06-2017 12:17 AM
I've been running PAN-OS 8.0 since release, and immediately got problems with Cisco AnyConnect over IKEv2. Even if the session is very much alive, PAN-OS 8.0 kills it off after a random amount of time, usually a couple of hours.
If I change the AnyConnect policy to use SSL instead, everything runs fine.
PAN-OS 8.0 recognizes AnyConnect over IKEv2 as ipsec-esp-udp. Changing the default timeout to e.g. 86400 seconds changes nothing.
02-06-2017 08:51 AM
PAN-OS says "aged-out". Cisco AnyConnect doesn't even notice that it's been disconnected.
Everything worked fine in 7.1.7 and earlier.
Btw, it's a PA-200.
02-06-2017 09:13 AM
Do you see anything in the Threat logs? It kind of sounds like some security policy is preventing the traffic from passing, hence your age-out response.
02-07-2017 04:22 AM
No, there are no entries in the threat log with the IP to the AnyConnect server.
02-08-2017 12:13 AM
I see now that the apps and threats content release 658 did something to ipsec-esp-udp. I guess that's the culprit, and not necessarily 8.0.