IPSEC phase 2 rekey

L0 Member

We are having problems with a site to site IPSEC VPN between a PA-500 and a Cisco ASA. The PA is always the initiator and the tunnel comes up and passes traffic just fine. The problem comes when the tunnel needs to rekey, basically it seems that the PA does not bother to renegotiate until between 30 and 120 seconds of the lifetime remains. Now this is fine if the lifetime is 10 minutes or less but in reality it works out that with a sensible lifetime in place the Cisco has dropped the Phase 2 tunnel (at 95% of the lifetime) long before the PA tries to rekey.

When the lifetime is set to a short time (12 minutes) the PA log shows either side initiating the negotiation depending on whether the PA has done it by 95% of lifetime or not. When the lifetime is longer the PA does not log any attempt by the ASA to initiate the negotiation - it seems almost as if it ignores any attempt to rekey if it falls outside of its window.

Can anyone confirm what the Palo Alto policy is regarding IPSEC phase 2 tunnel rekey? Is anyone else having this problem?

Thanks

Karl
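The timing race described above, modelled as an added example (not from the original post or from Palo Alto/Cisco): the PA is assumed to start rekeying only when 30 to 120 seconds of lifetime remain, and the ASA is assumed to drop the phase 2 SA at 95% of lifetime, both figures taken from the post. The example classifies a given lifetime and derives the longest lifetime for which even the PA's latest attempt still beats the ASA teardown.

```python
"""Model the IPsec phase 2 rekey race between a PA (initiator) and a Cisco ASA.

Assumptions (from the post, not vendor documentation):
  - the PA begins rekeying when 30..120 s of lifetime remain
  - the ASA tears down the phase 2 SA at 95 % of the lifetime
"""
from dataclasses import dataclass

PA_REKEY_EARLIEST = 120   # seconds remaining when the PA may first try to rekey
PA_REKEY_LATEST = 30      # seconds remaining at the PA's latest rekey attempt
ASA_EXPIRE_PERCENT = 95   # ASA drops the SA at this percentage of lifetime


@dataclass
class RekeyRace:
    lifetime: int          # configured phase 2 lifetime, seconds
    asa_expiry: float      # seconds after SA setup when the ASA drops it
    pa_window_start: int   # earliest PA rekey, seconds after SA setup
    pa_window_end: int     # latest PA rekey, seconds after SA setup
    outcome: str           # pa_rekeys_first | race | asa_drops_first


def analyse(lifetime_seconds: int) -> RekeyRace:
    """Classify who acts first for one configured lifetime (integer maths, no float drift)."""
    asa_expiry = lifetime_seconds * ASA_EXPIRE_PERCENT / 100
    start = lifetime_seconds - PA_REKEY_EARLIEST
    end = lifetime_seconds - PA_REKEY_LATEST
    if end <= asa_expiry:
        outcome = "pa_rekeys_first"   # even the latest PA attempt precedes ASA expiry
    elif start < asa_expiry:
        outcome = "race"              # either side may initiate, matching the 12 min observation
    else:
        outcome = "asa_drops_first"   # the ASA has torn the SA down before the PA tries
    return RekeyRace(lifetime_seconds, asa_expiry, start, end, outcome)


def max_safe_lifetime() -> int:
    """Largest lifetime where lifetime - PA_REKEY_LATEST <= lifetime * 95/100 still holds."""
    return PA_REKEY_LATEST * 100 // (100 - ASA_EXPIRE_PERCENT)


if __name__ == "__main__":
    # Constructed sample lifetimes: 10 min, 12 min, 1 h, 8 h
    for lifetime in (600, 720, 3600, 28800):
        r = analyse(lifetime)
        print(f"{lifetime:>6}s  ASA drops at {r.asa_expiry:>8.0f}s  "
              f"PA rekeys {r.pa_window_start}-{r.pa_window_end}s  -> {r.outcome}")
    print(f"longest lifetime the PA always rekeys in time: {max_safe_lifetime()}s")
```

With these assumptions the cut-over is exactly 600 seconds, which is why the post sees trouble above ten minutes; the defensive fix is to confirm both peers' lifetimes and rekey margins against packet captures rather than trust either vendor's default.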

6 REPLIES

L3 Networker

Hello Karl,

The best advice I can give is make sure your timeout values are identical on both devices. If you have say 8 hours on the PAN, make sure it's 8 hours on the Cisco. I think Cisco uses seconds so there may be some math involved. But make sure the phase 1 and 2 settings are identical on both sides. I have VPNs from my PANs to the following other types of VPNs and they are all functional:

McAfee Next Gen Firewall

Cisco ASA

Palo Alto

Juniper

All phases have to match otherwise you may not even establish in the first place. So if you change one side, you have to change the other.

Hope this helps.

Not applicable

We found some VPN stability issues when having an IPSec VPN to a Cisco ASA with DPD being enabled. We found intermittent disconnects as DPD was detecting the peer as "down" when it was not. I know DPD is part of phase 1 and not phase 2 but it is something you may want to test disabling.

L4 Transporter

Sigma,

In regards to your note on the missing logs, I would imagine we would see something, even if it fails as the responder.

Can you verify if there is any dropped packets on the firewall coming from that ASA?

Thanks!

Please do not forget to mark and 'Helpful' or 'Correct' replies.

L1 Bithead

I am having the exact same problems. Also an ASA on the other end.

We have tried disabling DPD and PFS on IPsec. Still unstable.

We are running version 6.1.7

Has it been fixed in 6.1.9 or 7.0.4?

I think we found a solution: instead of defining the IPSEC lifetime as 1 hour we set it as 3600 seconds instead.

1 hour = 3600 seconds , so what is the difference ?
