We are having problems with a site-to-site IPsec VPN between a PA-500 and a Cisco ASA. The PA is always the initiator, and the tunnel comes up and passes traffic just fine. The problem comes when the tunnel needs to rekey: basically, it seems that the PA does not bother to renegotiate until between 30 and 120 seconds of the lifetime remain. Now this is fine if the lifetime is 10 minutes or less, but in reality it works out that with a sensible lifetime in place the Cisco has dropped the Phase 2 tunnel (at 95% of the lifetime) long before the PA tries to rekey.
When the lifetime is set to a short time (12 minutes) the PA log shows either side initiating the negotiation, depending on whether the PA has done it by 95% of the lifetime or not. When the lifetime is longer the PA does not log any attempt by the ASA to initiate the negotiation; it seems almost as if it ignores any attempt to rekey if it falls outside of its window.
Can anyone confirm what the Palo Alto policy is regarding IPsec Phase 2 tunnel rekey? Is anyone else having this problem?
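To make the timing race in the question concrete, here is an added example (not code from the original post, and not from Palo Alto or Cisco) that models the two behaviours exactly as the post describes them: the PA-500, as initiator, only starts a Phase 2 rekey when between 30 and 120 seconds of the lifetime remain, and the ASA drops the Phase 2 SA at 95% of the lifetime. Both figures are taken as assumptions from the post, not from vendor documentation; the helper names and all sample lifetimes are constructed for illustration. The model shows why 10 minutes is the longest lifetime that never races and why an 8-hour lifetime leaves the ASA without an SA for roughly 23 minutes in the worst case.

```python
"""Model of the Phase 2 rekey race described in the post.

Assumptions (from the post, not from any vendor documentation):
  * The PA-500, always the initiator, rekeys when 30..120 s of lifetime remain.
  * The Cisco ASA tears the Phase 2 SA down at 95% of the lifetime.
Function and policy names are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RekeyPolicy:
    """How a peer behaves as the SA lifetime runs out."""
    name: str
    # Initiator: (earliest, latest) seconds-before-expiry at which it rekeys.
    rekey_window_before_expiry: Optional[Tuple[int, int]] = None
    # Responder: fraction of the lifetime at which it drops the SA
    # (None means it keeps the SA until the lifetime actually expires).
    drop_fraction: Optional[float] = None


# Behaviour observed in the post (assumed here, not vendor-documented).
PA_OBSERVED = RekeyPolicy("PA-500", rekey_window_before_expiry=(120, 30))
ASA_OBSERVED = RekeyPolicy("Cisco ASA", drop_fraction=0.95)


def asa_lifetime_seconds(hours: float) -> int:
    """PAN-OS lifetimes are entered in hours; the ASA wants seconds."""
    return int(round(hours * 3600))


def rekey_interval(initiator: RekeyPolicy, lifetime_s: int) -> Tuple[int, int]:
    """Seconds after SA install at which the initiator may start rekeying."""
    earliest_before, latest_before = initiator.rekey_window_before_expiry
    return lifetime_s - earliest_before, lifetime_s - latest_before


def drop_time(responder: RekeyPolicy, lifetime_s: int) -> int:
    """Seconds after SA install at which the responder discards the SA."""
    if responder.drop_fraction is None:
        return lifetime_s
    return round(lifetime_s * responder.drop_fraction)


def worst_case_gap(initiator: RekeyPolicy, responder: RekeyPolicy, lifetime_s: int) -> int:
    """Seconds the responder has been without the SA when the initiator finally
    rekeys at the late edge of its window. Positive means an outage."""
    _, latest_rekey = rekey_interval(initiator, lifetime_s)
    return latest_rekey - drop_time(responder, lifetime_s)


def is_stable(initiator: RekeyPolicy, responder: RekeyPolicy, lifetime_s: int) -> bool:
    """True if the initiator always rekeys before the responder drops the SA."""
    return worst_case_gap(initiator, responder, lifetime_s) <= 0


def max_stable_lifetime(initiator: RekeyPolicy, responder: RekeyPolicy,
                        step_s: int = 60, limit_s: int = 86400) -> Optional[int]:
    """Longest lifetime (multiple of step_s) that never races, or None if even
    the shortest step races. The gap grows with lifetime, so stop at the first
    unstable value."""
    best = None
    for lifetime in range(step_s, limit_s + 1, step_s):
        if not is_stable(initiator, responder, lifetime):
            break
        best = lifetime
    return best


if __name__ == "__main__":
    for label, lifetime in (("10 min", 600), ("12 min", 720), ("8 h", asa_lifetime_seconds(8))):
        gap = worst_case_gap(PA_OBSERVED, ASA_OBSERVED, lifetime)
        state = "stable" if gap <= 0 else f"ASA without SA for up to {gap} s"
        print(f"{label:>7}: PA rekeys at {rekey_interval(PA_OBSERVED, lifetime)}, "
              f"ASA drops at {drop_time(ASA_OBSERVED, lifetime)} s -> {state}")
    print("longest lifetime that never races:",
          max_stable_lifetime(PA_OBSERVED, ASA_OBSERVED), "s")
```

Running it shows the 10-minute case as the boundary (the PA's latest rekey at 570 s coincides with the ASA drop at 570 s), the 12-minute case as a narrow race (6 s), matching the post's observation that either side may initiate, and the 8-hour case as a 1410-second outage per rekey. Swapping in a responder with `drop_fraction=None` shows that the PA's window alone is harmless; it is the combination with early teardown that breaks the tunnel.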
The best advice I can give is make sure your timeout values are identical on both devices. If you have, say, 8 hours on the PAN, make sure it's 8 hours on the Cisco. I think Cisco uses seconds, so there may be some math involved. But make sure the Phase 1 and Phase 2 settings are identical on both sides. I have VPNs from my PANs to the following other types of VPNs and they are all functional:
McAfee Next Gen Firewall
All phases have to match; otherwise you may not even establish in the first place. So if you change one side, you have to change the other.
Hope this helps.
We found some VPN stability issues when having an IPsec VPN to a Cisco ASA with DPD enabled. We found intermittent disconnects, as DPD was detecting the peer as "down" when it was not. I know DPD is part of Phase 1 and not Phase 2, but it is something you may want to test disabling.
In regards to your note on the missing logs, I would imagine we would see something, even if it fails as the responder.
Can you verify whether there are any dropped packets on the firewall coming from that ASA?
Please do not forget to mark any 'Helpful' or 'Correct' replies.
I am having the exact same problems. Also an ASA on the other end.
We have tried disabling DPD and PFS in IPsec. Still unstable.
We are running version 6.1.7
Has it been fixed in 6.1.9 or 7.0.4?