IPSec VPN Issue

L2 Linker

IPSec VPN Issue

Hi,

On a PA 2020 running 4.1.0 a VPN gateway is configured. A client PA 500 running 4.1.0 with a dynamic WAN IP is configured as the peer. Both devices can reach each other. In the system log there is a successful phase 1 and phase 2 and a successful IPSec connection. After that, an IPSec SA delete message appears and the IPSec key is deleted. From that point the connection starts again with phase 2.

Does anyone have any ideas?

Regards from Germany

Robert

(newest log entries first)

IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xBF6E041B/0xCCA91B0D.
IKE protocol IPSec SA delete message sent to peer. SPI:0xBF6E041B.
IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0x993E8A98/0xB4BA9B3F lifetime 3600 Sec lifesize unlimited.
IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x3C2F0929, SPI:0x993E8A98/0xB4BA9B3F.
IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x3C2F0929.
IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xF09CB8C7/0xFDD307C5.
IKE protocol IPSec SA delete message sent to peer. SPI:0xF09CB8C7.
IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xBF6E041B/0xCCA91B0D lifetime 3600 Sec lifesize unlimited.
IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x921F14E7, SPI:0xBF6E041B/0xCCA91B0D.
IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x921F14E7.
IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xE56D34C4/0xBC5294AA.
IKE protocol IPSec SA delete message sent to peer. SPI:0xE56D34C4.
IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xF09CB8C7/0xFDD307C5 lifetime 3600 Sec lifesize unlimited.
IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x593A6173, SPI:0xF09CB8C7/0xFDD307C5.
IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x593A6173.
L3 Networker

Re: IPSec VPN Issue

Do you have a monitor configured too? I thought I read something about a problem with IPSec and monitors.

L0 Member

Re: IPSec VPN Issue

Hello Robert,

does your problem still exist? Do you have a solution?

I have the same problem with a VPN tunnel to/from an AVM Fritzbox 7330. The problem only occurs when the tunnel monitor is active.

Our PA2050 is running software version 4.1.3.

Any ideas or solutions?

Kind regards,

Sascha

L0 Member

Re: IPSec VPN Issue

Hi,

I had exactly the same problem this morning. Since the VPN setup wasn't productive yet I decided to delete the complete IPSec and IKE setup for the VPNs having this problem, before opening a case with Palo Alto Networks.

That did the trick. The VPNs are now stable. My assumption is that this had to do with the upgrade from 4.0.5 to 4.1.3, because the VPNs were created before the upgrade and every VPN I created after the upgrade also works fine. The problem did not affect every VPN. Out of about 30 VPNs only two were affected.

Hope this helps somebody.

L6 Presenter

Re: IPSec VPN Issue

Do you have a pre-conf and post-conf to compare on what the differences are?

In case the upgrade changes vpn tunnels to loopback interfaces instead of physical interfaces or something like that?

L0 Member

Re: IPSec VPN Issue

Hi,

mikand wrote:

Do you have a pre-conf and post-conf to compare on what the differences are?

In case the upgrade changes vpn tunnels to loopback interfaces instead of physical interfaces or something like that?

Well, I had a look at the config before and after and I see quite some differences in the config output. I don't know if this is relevant, but the information in the config is the same; only the order in which it is configured is different. I have attached a text file where you can see the differences.
