Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-10-2015 09:25 AM
We are having problems with a site to site IPSEC VPN between a PA-500 and a Cisco ASA. The PA is always the initiator and the tunnel comes up and passes traffic just fine. The problem comes when the tunnel needs to rekey, basically it seems that the PA does not bother to renegotiate until between 30 and 120 seconds of the lifetime remains. Now this is fine if the lifetime is 10 minutes or less but in reality it works out that with a sensible lifetime in place the Cisco has dropped the Phase 2 tunnel (at 95% of the lifetime) long before the PA tries to rekey.
When the lifetime is set to a short time (12 minutes) the PA log shows either side initiating the negotiation depending on whether the PA has done it by 95% of lifetime or not. When the lifetime is longer the PA does not log any attempt by the ASA to initiate the negotiation - it seems almost as if it ignores any attempt to rekey if it falls outside of its window.
Can anyone confirm what the Palo Alto policy is regarding IPSEC phase 2 tunnel rekey? Is anyone else having this problem?
Thanks
Karl
02-10-2015 02:49 PM
Hello Karl,
The best advice I can give is make sure your timeout values are identical on both devices. If you have say 8 hours on the PAN make sure its 8 hours on the Cisco. I think Cisco uses seconds so there may be some math involved. But make sure the phase 1 and 2 setting sare identical on both sides. I have VPNs from my PAN's tothe following other types of VPNs and they are all functional:
McAfee Next Gen Firewall
Cisco ASA
Palo Alto
Juniper
All phases have to match otherwise you may not even establish in the first place. So if you change one side, you have to change the other.
Hope this helps.
02-19-2015 11:11 PM
We found some VPN stability issues when having an IPSec VPN to a Cisco ASA with DPD being enabled. We found intermittent disconnects as DPD was detecting the peer as "down" when it was not. I know DPD is part of phase 1 and not phase 2 but it is something you may want to test disabling.
02-20-2015 09:11 AM
Sigma,
In regards to your note on the missing logs, I would imagine we would see something, even if it fails as the responder.
Can you verify if there is any dropped packets on the firewall coming from that ASA?
Thanks!
Please do not forget to mark and 'Helpful' or 'Correct' replies.
02-03-2016 04:16 AM
I am having the exact same problems. Also ASA in the other end.
We have tried disable DPD and pfs from IPsec.Still unstable.
We are running version 6.1.7
Has it been fixed in 6.1.9 or 7.0.4?
02-04-2016 01:42 AM
I think we found a solution istead of defining IPSEC lifetime in 1 hour we set is as 3600 seconds instead.
06-26-2024 10:52 AM
1 hour = 3600 seconds , so what is the difference ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
