IKEv2 - Unexpected ipsec key delete event

L1 Bithead


Hi All,


I'm a medior network engineer who just got into a new position where I deal with PA FWs. I'm facing the following issue now:


There is an IPSEC site-to-site VPN between my PA-850 (ver. 9.1.3) and a remote FW (I'm not sure about the remote device type). I see strange behaviours.


Yesterday at 3 pm the rekey happened. It finished with an ikev2-nego-child-succ event and created a Child_SA.

But today morning all the keys got renegotiated starting with this event:

ikev2-nego-child-start

Description: IKEv2 child SA negotiation is started as responder, rekey. Initiated SA: *local_ip*[500]-*remote_ip*[500].


After this all the child SAs for the various proxy ids got deleted and then re-installed.


Note: I started the story with yesterday's rekey. That was also a chain of events like this, in which the rekey was not yet due.


Our workforce is relying on this IPsec tunnel, but it is also strange that during yesterday's failure they all experienced connectivity issues, while during today's they did not.


Please let me know if you have any ideas or questions.


Cheers,

Daniel

L7 Applicator

Hi Daniel,


Are you on 'friendly' terms with the remote end? You could ask them to compare notes and see how they have their crypto and phases set; there may be a discrepancy of timers or 'byte count' between your devices that's causing their device to rekey sooner than expected (since they initiate the rekey).

Typical rekey for phase 1 is 8 hours, and every 1 hour for phase 2, with no byte count on either. There shouldn't be a huge impact for users unless there are some very sensitive applications in use, the list of proxy IDs is huge, or the crypto is too strong for one side.

In which case you could try 'timing' the rekeys or using more process-friendly algorithms.


Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
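As an added worked check (my own example, not code from the thread, from Palo Alto Networks or from the posters): a small Python script that reads VPN system-log lines and flags child-SA rekeys that complete sooner than the expected phase-2 lifetime, which is the timer/byte-count mismatch Tom describes. The log lines are constructed for this example in a simplified "timestamp | eventid | description" layout, not real PAN-OS export format; the "started as responder, rekey" wording follows the event quoted in the question, the "succ" descriptions and the IP addresses are assumed. The one-hour lifetime and ten-minute slack are also assumptions you would replace with the values from your own IPsec crypto profile.

```python
"""Spot IPsec child-SA rekeys that happen sooner than the configured lifetime."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample, NOT real PAN-OS log output: "timestamp | eventid | description".
# The "started as responder, rekey" text mirrors the event quoted in the thread;
# the "succ" descriptions and addresses are assumed for this example.
SAMPLE_LOG = """\
2020-10-06 15:00:01 | ikev2-nego-child-start | IKEv2 child SA negotiation is started as responder, rekey. Initiated SA: 198.51.100.10[500]-203.0.113.20[500].
2020-10-06 15:00:02 | ikev2-nego-child-succ | IKEv2 child SA negotiation is succeeded as responder, rekey. Established SA: 198.51.100.10[500]-203.0.113.20[500].
2020-10-06 16:00:03 | ikev2-nego-child-start | IKEv2 child SA negotiation is started as initiator, rekey. Initiated SA: 198.51.100.10[500]-203.0.113.20[500].
2020-10-06 16:00:04 | ikev2-nego-child-succ | IKEv2 child SA negotiation is succeeded as initiator, rekey. Established SA: 198.51.100.10[500]-203.0.113.20[500].
2020-10-06 16:25:00 | ikev2-nego-child-start | IKEv2 child SA negotiation is started as responder, rekey. Initiated SA: 198.51.100.10[500]-203.0.113.20[500].
2020-10-06 16:25:01 | ikev2-nego-child-succ | IKEv2 child SA negotiation is succeeded as responder, rekey. Established SA: 198.51.100.10[500]-203.0.113.20[500].
"""

ROLE_RE = re.compile(r"\bas (initiator|responder)\b")


@dataclass
class RekeyEvent:
    ts: datetime
    eventid: str
    role: str      # "initiator" = this firewall started it, "responder" = the peer did
    reason: str    # "rekey" or "new"


def parse_events(text: str) -> list[RekeyEvent]:
    """Parse the simplified 'timestamp | eventid | description' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, eventid, desc = (p.strip() for p in line.split(" | ", 2))
        m = ROLE_RE.search(desc)
        events.append(RekeyEvent(
            ts=datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S"),
            eventid=eventid,
            role=m.group(1) if m else "unknown",
            reason="rekey" if ", rekey" in desc else "new",
        ))
    return events


def find_early_rekeys(events, lifetime=timedelta(hours=1), slack=timedelta(minutes=10)):
    """Return completed child-SA rekeys that arrived well before the lifetime expired.

    A rekey is 'early' when less than (lifetime - slack) has passed since the
    previous successful child-SA negotiation. The slack allows for the normal
    habit of rekeying a little before expiry; anything earlier points at a
    timer or byte-count mismatch with the peer, or at the peer tearing down
    and rebuilding its SAs.
    """
    threshold = lifetime - slack
    findings = []
    last_success = None
    for ev in events:
        if ev.eventid != "ikev2-nego-child-succ":
            continue
        if last_success is not None and ev.reason == "rekey":
            gap = ev.ts - last_success
            if gap < threshold:
                findings.append({"at": ev.ts, "role": ev.role,
                                 "gap_seconds": int(gap.total_seconds())})
        last_success = ev.ts
    return findings


def initiator_counts(events) -> dict:
    """Who starts the rekeys? Mostly 'responder' means the peer's timers fire first."""
    counts = {"initiator": 0, "responder": 0}
    for ev in events:
        if ev.eventid == "ikev2-nego-child-start" and ev.role in counts:
            counts[ev.role] += 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in find_early_rekeys(evs):
        print(f"early rekey at {f['at']} started by {f['role']} after only {f['gap_seconds']} s")
    print("rekeys started per role:", initiator_counts(evs))
```

Run against a real export you would first adapt `parse_events` to the firewall's actual log columns; the useful signal is the same either way: a rekey completing long before the lifetime, with the local side acting as responder, says the peer's timers or byte counters fired first, which is exactly what to compare with the remote end.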
L1 Bithead

Hi Reaper,


Thanks for the info. Hopefully we will have a session with the customer on Friday so we can clarify the settings.
