06-01-2016 02:23 AM
Hi,
Having an issue with IPsec tunnels. Sometimes (not all the time), phase 1 can't be established because IKE traffic is being treated as "ciscovpn" instead of "ike" and being discarded. Once I clear the session, the next session establishes correctly and works perfectly fine. Both sides of the IPsec tunnel are terminated on Cisco routers. Is there anything we can do about it (aside from allowing the ciscovpn application)?
Details:
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
8889         ciscovpn       DISCARD  FLOW  NS   x.x.x.x[500]/LAN-CORP/17  (y.y.y.y[500])
vsys1                                          z.z.z.z[500]/UNTRUST-L3  (z.z.z.z[500])

> clear session id 8889

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
27654        ipsec-esp      ACTIVE   FLOW  NS   x.x.x.x[20033]/LAN-CORP/50  (y.y.y.y[20033])
vsys1                                          z.z.z.z[20033]/UNTRUST-L3  (z.z.z.z[20033])
26671        ike            ACTIVE   FLOW  NS   x.x.x.x[500]/LAN-CORP/17  (y.y.y.y[500])
vsys1                                          z.z.z.z[500]/UNTRUST-L3  (z.z.z.z[500])
06-01-2016 08:30 AM
We can create a rule based on source IP, destination IP and port number instead of application, if the application is causing issues.
One single rule will have source addresses x,y and destination x,y, and under the Service tab we can specify UDP port 500.
Here x,y are the IP addresses of the IPsec peers.
06-01-2016 06:27 PM
Well, why would we have L7 firewall then? 🙂
As far as I see, this issue is quite old and has not been fixed for quite a long period of time. Is it possible to have a response from Palo Alto engineers on this? Or maybe there is a way to create a feature request/bug report which I don't know?
PS
I am the topic starter, had to switch between accounts, sorry for this mess.
06-08-2016 02:30 AM
Since it is a tunnel between 2 Cisco devices, the behavior may be similar to 'ciscovpn' client traffic, which is why it could hit on that application instead of simply 'ike'.
You could either add the application to your security policy to allow it through, or, if you believe the App-ID is not working as expected, you can open a support case with TAC and the content team will take a look at the session's packet captures and update the application if possible.
06-08-2016 02:32 AM - edited 06-08-2016 03:07 AM
Hi,
All feature requests need to go via your local SE.
They can create the FR for you and can add votes to it to add more weight to it.
As for bug reports, these can only be opened by TAC via a support case. If you are planning to open a support case then I'd recommend to have some PCAPs ready so the engineers can investigate the payload.
The fact this behavior isn't uniform would be a good reason to open a support case and have TAC investigate. You'd need to try and get a packet capture of the moment the session is identified as ciscovpn, which may take some time, but then the content team will be able to use that data to fine-tune the App-ID.
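A way to spot that moment from the session table rather than by eye, as an added example that is not from the thread or from Palo Alto: it parses the two-line 'show session all' layout quoted in the original post and flags sessions between the two peers that App-ID has labelled something other than ike/ipsec-esp, or that sit in DISCARD state. The sample output, the peer addresses and the mapping of tuple to expected App-ID are assumptions built from the original post.

```python
import re

# Constructed sample in the shape of the 'show session all' table quoted in the thread
# (placeholder addresses kept); PAN-OS prints each session over two lines.
SAMPLE_SESSION_OUTPUT = """\
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
8889         ciscovpn       DISCARD  FLOW  NS   x.x.x.x[500]/LAN-CORP/17  (y.y.y.y[500])
vsys1                                          z.z.z.z[500]/UNTRUST-L3  (z.z.z.z[500])
27654        ipsec-esp      ACTIVE   FLOW  NS   x.x.x.x[20033]/LAN-CORP/50  (y.y.y.y[20033])
vsys1                                          z.z.z.z[20033]/UNTRUST-L3  (z.z.z.z[20033])
26671        ike            ACTIVE   FLOW  NS   x.x.x.x[500]/LAN-CORP/17  (y.y.y.y[500])
vsys1                                          z.z.z.z[500]/UNTRUST-L3  (z.z.z.z[500])
"""

# ID, app, state, type, flag, source tuple, then (next line) vsys and destination tuple.
SESSION_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+\S+\s+\S+\s+"
    r"(?P<src>[^\[\s]+)\[\d+\]/[^/\s]+/(?P<proto>\d+)\s+\([^)]*\)\s+"
    r"\S+\s+(?P<dst>[^\[\s]+)\[(?P<dport>\d+)\]/\S+\s+\([^)]*\)",
    re.MULTILINE,
)

def expected_apps(proto, dport):
    """App-IDs a site-to-site tunnel should produce on a tuple (assumed mapping):
    IKE on UDP/500 and ESP (protocol 50). None means the tuple is not tunnel traffic."""
    if proto == 17 and dport == 500:
        return {"ike"}
    if proto == 50:
        return {"ipsec-esp"}
    return None

def find_misidentified(output, peers):
    """Sessions between the two IPsec peers whose App-ID is not the expected one,
    or that sit in DISCARD state, i.e. the case the original poster hit."""
    findings = []
    for m in SESSION_RE.finditer(output):
        if {m["src"], m["dst"]} != set(peers):
            continue
        allowed = expected_apps(int(m["proto"]), int(m["dport"]))
        if allowed is None:
            continue
        if m["app"] not in allowed or m["state"] == "DISCARD":
            findings.append({"id": m["id"], "app": m["app"], "state": m["state"], "dport": m["dport"]})
    return findings

def clear_commands(findings):
    """The 'clear session id N' command the poster ran by hand, one per finding."""
    return [f"clear session id {f['id']}" for f in findings]
```

Run it against the output of a scheduled 'show session all' and keep the matching lines, together with a packet capture of that session, for the TAC case.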
06-08-2016 02:51 PM
I recently ran into a similar issue with sFlow traffic getting identified as the bittorrent application. I provided show session output, an external packet capture, debug logs, and clear session output. The issue was addressed via a threat signature update.