Our customer encounter intermittent connectivity issue with IPSec IKEv1 during phase 2 rekey of IPSec Child-SA. We open case with the IPSec peer device vendor, they mention that PAN is not sending message to R2011 (IPSec peer) for deleting the SA when the SA negotiation fails.
Summary of issue:
Highlight event log of “the sent the delete key message to the peer and started the negotiation as a responder.
1.re key at 5.00.07 of Child SA as responder for Proxy ID 2. Failed as negotiation as responder and didn’t send p2 delete message to peer.
2.Next re key at 5.39.12 of Child SA as responder for Proxy ID 2. Observe no existing SA (previous negotiation fail at 5.00.07am), so didn’t send p2 delete message to peer after successful rekey.
So, please advise on this behavior of the PA as a responder.
Hi @Purushotham ,
Thanks for your question. I would verify that the PA-850 and peer are using compatible IPSec settings, such as encryption algorithms, key lifetimes, and authentication methods, Proxy IDs, and other parameters related to phase 2 negotiation.
If you've verified the settings are good to go and you are still experiencing issues, I recommend creating a support case for this issue.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!