IPSEC phase 2 rekey

L0 Member

IPSEC phase 2 rekey

We are having problems with a site-to-site IPSEC VPN between a PA-500 and a Cisco ASA. The PA is always the initiator, and the tunnel comes up and passes traffic just fine. The problem comes when the tunnel needs to rekey: basically it seems that the PA does not bother to renegotiate until between 30 and 120 seconds of the lifetime remains. Now this is fine if the lifetime is 10 minutes or less, but in reality it works out that with a sensible lifetime in place the Cisco has dropped the Phase 2 tunnel (at 95% of the lifetime) long before the PA tries to rekey.

When the lifetime is set to a short time (12 minutes) the PA log shows either side initiating the negotiation, depending on whether the PA has done it by 95% of the lifetime or not. When the lifetime is longer the PA does not log any attempt by the ASA to initiate the negotiation; it seems almost as if it ignores any attempt to rekey if it falls outside of its window.

Can anyone confirm what the Palo Alto policy is regarding IPSEC phase 2 tunnel rekey? Is anyone else having this problem?

Thanks

Karl
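The timing described in the post above can be checked with a small model. The following is an added example, not code from the thread or from either vendor: it takes the poster's observations as assumptions (the PA starts rekeying somewhere between 120 and 30 seconds before expiry, the ASA tears the SA down at 95% of the lifetime) and works out, for a given lifetime, whether the responder's teardown lands before, inside, or after the initiator's rekey window. The constants and function names are hypothetical.

```python
# Added example, not part of the original thread.
# Toy model of phase 2 rekey timing built from the poster's observations.
# These values are assumptions drawn from the post, not vendor specifications.

PA_REKEY_WINDOW_MAX = 120     # seconds before expiry when the PA may begin rekeying (observed upper bound)
PA_REKEY_WINDOW_MIN = 30      # seconds before expiry when the PA will have begun rekeying (observed lower bound)
ASA_TEARDOWN_PERCENT = 95     # the ASA drops the phase 2 SA at 95% of the lifetime (as stated in the post)


def rekey_timeline(lifetime_s):
    """Times, in seconds after SA establishment, of the ASA teardown and of the
    PA's earliest and latest rekey start for a given phase 2 lifetime."""
    return {
        "asa_teardown": lifetime_s * ASA_TEARDOWN_PERCENT / 100,
        "pa_rekey_earliest": lifetime_s - PA_REKEY_WINDOW_MAX,
        "pa_rekey_latest": lifetime_s - PA_REKEY_WINDOW_MIN,
    }


def classify(lifetime_s):
    """'ok'     : the PA always starts rekeying before the ASA tears the SA down
       'race'   : depends on where in its window the PA fires (either side may initiate)
       'outage' : the ASA has already dropped the SA before the PA ever tries"""
    t = rekey_timeline(lifetime_s)
    if t["pa_rekey_latest"] <= t["asa_teardown"]:
        return "ok"
    if t["pa_rekey_earliest"] < t["asa_teardown"]:
        return "race"
    return "outage"


def max_safe_lifetime():
    """Largest lifetime for which classify() is 'ok' under this model:
    lifetime - WINDOW_MIN <= lifetime * 95/100  =>  lifetime <= WINDOW_MIN * 100 / 5."""
    return PA_REKEY_WINDOW_MIN * 100 / (100 - ASA_TEARDOWN_PERCENT)


if __name__ == "__main__":
    print(f"max lifetime that is always safe under this model: {max_safe_lifetime():.0f} s")
    for lifetime in (600, 720, 3600, 28800):   # 10 min, 12 min, 1 h, 8 h
        t = rekey_timeline(lifetime)
        print(f"lifetime {lifetime:>6} s: ASA teardown at {t['asa_teardown']:>8.0f} s, "
              f"PA rekey window {t['pa_rekey_earliest']:>6.0f}-{t['pa_rekey_latest']:>6.0f} s "
              f"-> {classify(lifetime)}")
```

Under these assumptions the model reproduces what the post reports: a 10 minute lifetime is the boundary where the PA's latest rekey start (570 s) coincides with the ASA teardown (570 s), a 12 minute lifetime is a race (teardown at 684 s, PA window 600 to 690 s, so either side may initiate), and anything of an hour or more is an outage, because the ASA drops the SA minutes before the PA's window opens. Matching the lifetime value on both sides does not change that picture in this model, since both thresholds scale with the same lifetime; what matters is the gap between the responder's teardown margin and the initiator's rekey margin.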

L3 Networker

Re: IPSEC phase 2 rekey

Hello Karl,

The best advice I can give is make sure your timeout values are identical on both devices. If you have say 8 hours on the PAN, make sure it's 8 hours on the Cisco. I think Cisco uses seconds so there may be some math involved. But make sure the phase 1 and 2 settings are identical on both sides. I have VPNs from my PANs to the following other types of VPNs and they are all functional:

McAfee Next Gen Firewall

Cisco ASA

Palo Alto

Juniper

All phases have to match otherwise you may not even establish in the first place. So if you change one side, you have to change the other.

Hope this helps.

Not applicable

Re: IPSEC phase 2 rekey

We found some VPN stability issues when having an IPSec VPN to a Cisco ASA with DPD being enabled. We found intermittent disconnects as DPD was detecting the peer as "down" when it was not. I know DPD is part of phase 1 and not phase 2 but it is something you may want to test disabling.

L4 Transporter

Re: IPSEC phase 2 rekey

Sigma,

In regards to your note on the missing logs, I would imagine we would see something, even if it fails as the responder.

Can you verify if there are any dropped packets on the firewall coming from that ASA?

Thanks!

Please do not forget to mark any 'Helpful' or 'Correct' replies.

L1 Bithead

Re: IPSEC phase 2 rekey

I am having the exact same problems. Also an ASA on the other end.

We have tried disabling DPD and PFS on IPsec. Still unstable.

We are running version 6.1.7


Has it been fixed in 6.1.9 or 7.0.4?

L1 Bithead

Re: IPSEC phase 2 rekey

I think we found a solution: instead of defining the IPSEC lifetime as 1 hour we set it as 3600 seconds instead.
