IKEv2 - Unexpected ipsec key delete event

Showing results for 
Show  only  | Search instead for 
Did you mean: 

IKEv2 - Unexpected ipsec key delete event

L1 Bithead

Hi All,


I'm a medior network engineer who just got into a new position where I deal with PA FWs. I face the following issue now:


There is an IPSEC site-to-site VPN between my PA-850 (ver. 9.1.3) and a remote FW (I'm not sure about the remote device type). I see strange behaviours.


Yesterday 3 pm the rekey happened. It finished with ikev2-nego-child-succ event and created a Child_SA.

But today morning all the keys got renegotiated starting with this event:


Description: IKEv2 child SA negotiation is started as responder, rekey. Initiated SA: *local_ip*[500]-*remote_ip*[500].


After this all the child SAs for the various proxy ids got deleted and then re-installed.


Note: I started the story with yesterday's rekey. That was also a chain of events like this, in which the rekey was not yet due.


Our workforce is relying on this IPsec tunnel, but that is also strange that on yesterday's failure they all experienced connectivity issues while on today's one they did not. 


Please let me know if you have any ideas, or question.





Cyber Elite
Cyber Elite

Hi Daniel


Are you on 'friendly' terms with the remote end?  you could ask them to compare notes and see how they have their crypto and phases set, there may be a discrepancy of timers or 'byte count' between your devices that's causing their device to rekey sooner than expected (since they initiate the rekey)

Typical rekey for phase1 is 8 hours, and every 1 hour for phase2, with no bytecount on either. There shouldn't be a huge impact for users unless there are some very sensitive applications in use, the list of proxyIDs is huge, or the crypto is too strong for one side

In which case you could try 'timing' the rekeys or using more process friendly algorythms





Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi Reaper,


Thanks for the info. Hopefully we will have a session with the customer on Friday so we can clarify the settings. 

  • 2 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!