IPSEC tunnel Phase-2


L3 Networker

We have created a tunnel with SAP and, as per their suggestion, we have disabled tunnel monitoring and keepalive settings on our end. It is an IKEv2 tunnel.

We noticed that after some time, due to traffic not flowing, Phase-2 suddenly goes down, and as soon as it goes down we see the connectivity issue.

As soon as we manually trigger the tunnel, if the tunnel comes up, connectivity works again. Any suggestions here?


Cyber Elite

Hello,

It's only a guess, but I think it could be the other side dropping the tunnel due to lack of traffic? I typically use keepalives for this; not sure why they require it disabled.

 

Regards,

L3 Networker

Hi @OtakarKlier,

Thanks for responding. We are not able to ping the customer gateway or the network, as ping is not allowed by them. Will the keepalive still work in that situation?

Cyber Elite

Hello,

The keepalive should still send a ping even if they drop or block it on their end, meaning that there is traffic on the tunnel. But it sounds like their side might be dropping it? What do the logs state for the tunnel?

 

Regards,

Hi @OtakarKlier ,

 

Thanks for your response. We also noticing that there is no ike-phase-1 delete message being send from Palo-Alto to peer end device.

Whenever we were seeing 1 IKE SA has been created at Palo-Alto , there would be multiple IKE-SA is visible at the peer Cisco router end.

 

 

Cyber Elite

How come you see issues with connectivity if there is no traffic on the tunnel?

"traffic not flowing suddenly Phase-2 is going down, as soon as it goes down we were seeing the issue in connectivity"

 

If you see issues with connectivity it means you do have traffic on the tunnel.

This points to either different Phase 1/2 timeout values or their side pulling down the tunnel due to a DPD/liveness check.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @Raido_Rattameister,

Yes, we can see via the GUI that the IPSEC tunnel info is showing red, but the IKE info is always showing green. In this situation, if any traffic is initiated by the backend server, the communication is allowed, with no return traffic.

There is no keepalive and tunnel monitor is enabled at both ends. The interesting traffic is telnet traffic, which is randomly initiated by users.

Cyber Elite

If peer site does not reply to pings then it would be best to shut down tunnel monitor.

Otherwise Palo thinks that tunnel is down as no tunnel monitor replies.

 

If there is interesting traffic then phase 2 is negotiated and tunnel stays up (or comes up if down).

If you really need the tunnel to stay up even if there is no interesting traffic, and the remote side is configured not to reply to pings, then configure an extra fake static route, let's say a /32 to one of the IPs at the remote side, with ping interval 60 (it is the biggest you can set).

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Actually there is no tunnel monitor or keepalive configured at either end. We have also kept a continuous ping from the backend server to the other end's IP address to keep the tunnel active. But exactly after 1 hour (the lifetime set for IPSEC Phase 2) the tunnel went down and we started getting timeouts for the tunnel.

After using the below commands, the tunnel came up again and ping started working fine.

test vpn ike-sa gateway <gateway_name>

show vpn ike-sa gateway <gateway_name>

 

test vpn ipsec-sa tunnel <tunnel_name>

show vpn ipsec-sa tunnel <tunnel_name>



Cyber Elite

On Palo side default Phase 2 timeout is 1 hour.

Seems like VPN settings don't match on both sides.

Other side probably has longer than 1 hour timeout set for Phase 2.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @Raido_Rattameister, the peer end engineering team confirmed that the Phase-2 lifetime is set to 1 hour only.

They have also observed one more thing. Whenever the tunnel goes down, we use the test commands (both for the gateway and the IPsec tunnel) to manually bring up the tunnel. We see our Phase-1 IKE SA being refreshed with a newer SPI, but at the peer end, which is a Cisco 1000 router, there are multiple SAs being generated (the older SA is not terminated until they clear it manually).

Hi @Raido_Rattameister,

We also noticed that even though we are pushing the DH group value as 16 from Panorama, the Palo Alto firewall is taking the configuration on its end as DH14, and as per our communication with the Cisco router end we asked them to keep the tunnel parameters as 16. Do you feel it will cause any issue?

Cyber Elite

You can enable debug on this VPN tunnel, and ikemgr.log shows what timeouts the other peer negotiates with.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS

 

Set the Palo side to be passive so the other side initiates the connection.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @Raido_Rattameister,

The issue was fixed when we set the DH group value to 14 on the other end as well.

One thing to note, and where I need clarity: will a Palo Alto 440 model with PAN-OS version 10.1.6-h6 not support DH group 16? I was able to see only 1, 2, 5, 14, 19 and 20.

10.2 has DH group 16.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
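Two things in this thread decide whether an IKEv2 tunnel stays healthy: the peers must share a DH group (the PA-440 on 10.1.x silently ran DH14 while the Cisco insisted on DH16, and the tunnel only stabilised once both sides were set to 14), and with no DPD/liveness and no tunnel monitor, a Phase-2 SA that one side expires is not noticed by the other until interesting traffic forces a renegotiation. The checker below is an added example, not code from the thread or from Palo Alto Networks. It models IKEv2 proposal matching for two peers and reports those findings; the PAN-OS per-release DH-group table in it is an assumption for illustration (groups 1, 2, 5, 14, 19, 20 on 10.1, with 15, 16, 21 added in 10.2) and should be checked against your own release notes. The peer definitions are constructed sample input.

```python
"""IKEv2 proposal-matching checker (added example; constructed sample data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed per-release DH group support; verify against your PAN-OS release notes.
PANOS_DH_GROUPS: Dict[str, set] = {
    "10.1": {1, 2, 5, 14, 19, 20},
    "10.2": {1, 2, 5, 14, 15, 16, 19, 20, 21},
}


@dataclass
class Peer:
    name: str
    ike_dh_groups: List[int]        # Phase-1 DH groups, in preference order
    pfs_group: Optional[int]        # Phase-2 PFS group; None means no PFS
    p2_lifetime_s: int              # Phase-2 (child SA) lifetime in seconds
    dpd: bool = False               # DPD / liveness check enabled on this side?


def effective_dh_groups(requested: List[int], panos_version: str) -> List[int]:
    """Keep only the DH groups the given PAN-OS release can use (assumed table)."""
    supported = PANOS_DH_GROUPS[panos_version]
    return [g for g in requested if g in supported]


def negotiate(initiator: Peer, responder: Peer) -> dict:
    """Simulate what the two peers can agree on and list mismatches as findings.

    Returns a dict with the negotiated IKE DH group, PFS group, the lifetime that
    will actually end the child SA first, and a list of findings (empty = clean).
    """
    findings: List[str] = []

    # IKEv2: the responder picks from the initiator's proposal; first common group wins.
    common = [g for g in initiator.ike_dh_groups if g in responder.ike_dh_groups]
    ike_group = common[0] if common else None
    if ike_group is None:
        findings.append(
            f"no common IKE DH group: {initiator.name} offers {initiator.ike_dh_groups}, "
            f"{responder.name} accepts {responder.ike_dh_groups}"
        )

    # PFS group for the child SA must match exactly, or CREATE_CHILD_SA/rekey fails.
    pfs = initiator.pfs_group if initiator.pfs_group == responder.pfs_group else None
    if initiator.pfs_group != responder.pfs_group:
        findings.append(
            f"PFS group mismatch: {initiator.name}={initiator.pfs_group}, "
            f"{responder.name}={responder.pfs_group}"
        )

    # IKEv2 does not negotiate lifetimes: each side enforces its own, so the
    # shorter one decides when the child SA is torn down.
    lifetime = min(initiator.p2_lifetime_s, responder.p2_lifetime_s)
    if initiator.p2_lifetime_s != responder.p2_lifetime_s:
        shorter = initiator if initiator.p2_lifetime_s < responder.p2_lifetime_s else responder
        findings.append(
            f"Phase-2 lifetime mismatch: {shorter.name} expires the SA after {lifetime}s "
            f"while the peer still considers it valid"
        )

    # Without DPD on either side, a one-sided teardown is only noticed when
    # interesting traffic triggers a new negotiation (the symptom in the thread).
    if not (initiator.dpd or responder.dpd):
        findings.append(
            "no DPD/liveness on either side: a stale SA is not detected until "
            "interesting traffic forces a renegotiation"
        )

    return {
        "ike_dh_group": ike_group,
        "pfs_group": pfs,
        "p2_lifetime_s": lifetime,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: what the firewall actually ran (DH14) vs. the Cisco at DH16.
    pa = Peer("pa-440", ike_dh_groups=[14], pfs_group=14, p2_lifetime_s=3600)
    cisco = Peer("cisco-1000", ike_dh_groups=[16], pfs_group=16, p2_lifetime_s=3600)
    for f in negotiate(pa, cisco)["findings"]:
        print("FINDING:", f)
    print("DH16 usable on 10.1:", effective_dh_groups([16], "10.1"))
    print("DH16 usable on 10.2:", effective_dh_groups([16], "10.2"))
```

Run it with both ends as they were in the thread and it reports the missing common DH group, the PFS mismatch and the absence of DPD; set both sides to DH14 (or move to a release whose table includes 16) and enable DPD on one side and the findings list is empty. A lifetime difference shows up as its own finding, which is the "settings don't match" case Raido raises before the DH group turned out to be the cause.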