02-03-2022 03:12 PM - edited 02-04-2022 09:06 AM
Hello all,
Need help.
We're experiencing unsual IPsec tunnel disconnect between our main firewall PA-5250 and VM series hosted on Azure.
PA-5250 - Version 8.01 - Static GW IP address 2.2.2.2
VM series VM:- 10.0.7 - Azure01 - GW IP is dymanic representing 1.1.1.1 on logs.
IPsec tunnel info check and verified are same on both firewall.
Proxy ID:- none
Enable passive mode is disabled on both firewall.
One firewall GW IP address is dymanic.
VM series firewall.
____________________________________________________
mp ikemgr.log 2022-01-29 12:33:19 2022-01-29 12:33:19.039 -0600 [INFO]: { 1: }: KA found: 1.1.1.1[4500]->2.2.2.2[4500] (in_use=1)
mp ikemgr.log 2022-01-29 12:33:19 2022-01-29 12:33:19.040 -0600 [INFO]: { 1: }: Adding remote and local NAT-D payloads.
mp ikemgr.log 2022-01-29 12:33:19 2022-01-29 12:33:19.040 -0600 [INFO]: { 1: }: Hashing 2.2.2.2[4500] with algo #6
mp ikemgr.log 2022-01-29 12:33:19 2022-01-29 12:33:19.040 -0600 [INFO]: { 1: }: Hashing 1.1.1.1[4500] with algo #6
mp ikemgr.log 2022-01-29 12:33:19 2022-01-29 12:33:19.040 -0600 [PNTF]: { 1: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, AGGRESSIVE MODE <====
mp ikemgr.log 2022-01-29 12:33:19 ====> Established SA: 1.1.1.1[4500]-2.2.2.2[4500] cookie:ab3cecc374bafd02:0a6fef599a4197e8 lifetime 28800 Sec <====
mp ikemgr.log 2022-01-29 12:33:20 2022-01-29 12:33:20.000 -0600 [PNTF]: { 1: 1}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
mp ikemgr.log 2022-01-29 12:33:20 ====> Initiated SA: 1.1.1.1[4500]-2.2.2.2[4500] message id:0x96E53F93 <====
mp ikemgr.log 2022-01-29 12:33:20 2022-01-29 12:33:20.000 -0600 [INFO]: { : 1}: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
mp ikemgr.log 2022-01-29 12:33:43 2022-01-29 12:33:43.000 -0600 [PNTF]: { : 1}: ====> IPSEC KEY LIFETIME EXPIRED <====
mp ikemgr.log 2022-01-29 12:33:43 ====> Expired SA: 1.1.1.1[4500]-2.2.2.2[4500] SPI:0xBA57B398/0xEE2C91E1 <====
mp ikemgr.log 2022-01-29 12:33:43 2022-01-29 12:33:43.000 -0600 [PNTF]: { : 1}: ====> IPSEC KEY DELETED <====
mp ikemgr.log 2022-01-29 12:33:43 ====> Deleted SA: 1.1.1.1[4500]-2.2.2.2[4500] SPI:0xBA57B398/0xEE2C91E1 <====
mp ikemgr.log 2022-01-29 12:33:43 2022-01-29 12:33:43.000 -0600 [INFO]: { 1: 1}: SADB_DELETE proto=0 src=1.1.1.1[4500] dst=2.2.2.2[4500] ESP spi=0xBA57B398
mp ikemgr.log 2022-01-29 12:33:43 2022-01-29 12:33:43.001 -0600 [INFO]: { 1: 1}: SPI BA57B398 removed by IPSec lifetime, return 0 0.
mp ikemgr.log 2022-01-29 12:33:45 2022-01-29 12:33:45.000 -0600 [PWRN]: { : 1}: phase-2 sa purge mismatch SPI:0x00000000/0xEE2C91E1.
mp ikemgr.log 2022-01-29 12:33:50 2022-01-29 12:33:50.000 -0600 [PNTF]: { : 1}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
mp ikemgr.log 2022-01-29 12:33:50 ====> Failed SA: 1.1.1.1[4500]-2.2.2.2[4500] message id:0x96E53F93 <==== Due to negotiation timeout.
mp ikemgr.log 2022-01-29 12:33:54 2022-01-29 12:33:54.264 -0600 [PNTF]: { 1: 1}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
mp ikemgr.log 2022-01-29 12:33:54 ====> Initiated SA: 1.1.1.1[4500]-2.2.2.2[4500] message id:0xB73A56D5 <====
mp ikemgr.log 2022-01-29 12:33:54 2022-01-29 12:33:54.264 -0600 [INFO]: { : 1}: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
mp ikemgr.log 2022-01-29 12:34:20 2022-01-29 12:34:20.000 -0600 [INFO]: { 1: }: ====> PHASE-1 SA DELETED <====
________________________________________________________________________________________________________
Main firewall logs.
2022-01-29 12:41:47.024 -0800 [PNTF]: { 15: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
ikemgr.log
2022-01-29 12:41:47
====> Initiated SA: 2.2.2.2[4500]-1.1.1.1[27387] message id:0x66FC9DFD <====
ikemgr.log
2022-01-29 12:41:47
2022-01-29 12:41:47.024 -0800 [INFO]: { 15: }: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
ikemgr.log
2022-01-29 12:41:47
2022-01-29 12:41:47.060 -0800 [PNTF]: { : 27}: ====> PHASE-2 NEGOTIATION SUCCEEDED AS RESPONDER, (QUICK MODE) <====
ikemgr.log
2022-01-29 12:41:47
====> Established SA: 2.2.2.2[4500]-1.1.1.1[27387] message id:0x66FC9DFD, SPI:0xE7255475/0xC6D72D68 <====
2022-01-29 13:11:14
2022-01-29 13:11:14.315 -0800 [PNTF]: { 16: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
ikemgr.log
2022-01-29 13:11:14
====> Initiated SA: 2.2.2.2[4500]-1.1.1.1[9251] message id:0x166DFFE3 <====
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.315 -0800 [INFO]: { 16: }: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [PNTF]: { : 28}: ====> PHASE-2 NEGOTIATION SUCCEEDED AS RESPONDER, (QUICK MODE) <====
ikemgr.log
2022-01-29 13:11:14
====> Established SA: 2.2.2.2[4500]-1.1.1.1[9251] message id:0x166DFFE3, SPI:0x9A6BF190/0x8DFEDBE1 <====
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [INFO]: { 16: 28}: SADB_UPDATE proto=255 1.1.1.1[9251]=>2.2.2.2[4500] ESP tunl spi 0x9A6BF190 auth=SHA512 enc=AES256-GCM16/36 lifetime soft 3600/0 hard 3600/0
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [INFO]: { 16: 28}: SADB_ADD proto=255 2.2.2.2[4500]=>1.1.1.1[9251] ESP tunl spi 0x8DFEDBE1 auth=SHA512 enc=AES256-GCM16/36 lifetime soft 2889/0 hard 3600/0
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [INFO]: { 16: 28}: IPsec-SA established: ESP/Tunnel 1.1.1.1[9251]->2.2.2.2[4500] spi=2590765456(0x9a6bf190)
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [PNTF]: { : 28}: ====> IPSEC KEY INSTALLATION SUCCEEDED <====
ikemgr.log
2022-01-29 13:11:14
====> Installed SA: 2.2.2.2[4500]-1.1.1.1[9251] SPI:0x9A6BF190/0x8DFEDBE1 lifetime 3600 Sec lifesize unlimited <====
ikemgr.log
2022-01-29 13:11:14
2022-01-29 13:11:14.349 -0800 [INFO]: { 16: }: KA found: 2.2.2.2[4500]->1.1.1.1[9251] (in_use=1)
ikemgr.log
2022-01-29 13:11:19
2022-01-29 13:11:19.033 -0800 [PNTF]: { 16: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=7a0f6094477007ea 51a6613506ffc6f6 (size=16).
ikemgr.log
2022-01-29 13:11:30
2022-01-29 13:11:30.000 -0800 [PNTF]: { : 28}: ====> IPSEC KEY LIFETIME EXPIRED <====
ikemgr.log
2022-01-29 13:11:30
====> Expired SA: 2.2.2.2[4500]-1.1.1.1[9251] SPI:0xAE67200C/0xCE0E23E8 <====
ikemgr.log
2022-01-29 13:11:30
2022-01-29 13:11:30.000 -0800 [PNTF]: { : 28}: ====> IPSEC KEY DELETED <====
ikemgr.log
2022-01-29 13:11:30
====> Deleted SA: 2.2.2.2[4500]-1.1.1.1[9251] SPI:0xAE67200C/0xCE0E23E8 <====
ikemgr.log
2022-01-29 13:11:30
2022-01-29 13:11:30.000 -0800 [INFO]: { 16: 28}: SADB_DELETE proto=0 src=2.2.2.2[4500] dst=1.1.1.1[9251] ESP spi=0xAE67200C
ikemgr.log
2022-01-29 13:11:32
2022-01-29 13:11:32.000 -0800 [PWRN]: { : 28}: phase-2 sa purge mismatch SPI:0x00000000/0xCE0E23E8.
ikemgr.log
2022-01-29 13:39:57
2022-01-29 13:39:57.766 -0800 [INFO]: { 15: }: initiate negotiation to dynamic peer from IKE gateway Azure01-IKE is not allowed.
02-08-2022 07:55 AM
Setup a VPN tunnel monitoring profile, which will provide pings at a 5 sec intervals, to keep the tunnel up.
02-11-2022 12:58 PM
Hi Steve, Thanks for the response. The issue is now resolved by activating Passive mode on Non dymantic firewall gateway. The remote gateway had dymanic IP address.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
