IPSec VPN Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IPSec VPN Issue

L2 Linker

Hi,

on a PA 2020 running 4.1.0 is a VPN Gateway configured. A client PA 500 running 4.1.0 with dynamic WAN IP is configured as peer. Both devices can reach each other. In system log is a succesfull phase 1 and phase 2 and a succesfull ipsec connection. After that, a IPSec SA delete message appears and the IPSec key will be deleted. From this time the connection starts again with phase 2.

Does anyone have any ideas?

Regards from Germany

Robert

(newest log entries first)

IPSec key   deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500]   SPI:0xBF6E041B/0xCCA91B0D.
IKE protocol IPSec SA delete message   sent to peer. SPI:0xBF6E041B.
IPSec key installed. Installed SA:   217.68.167.208[500]-212.122.61.23[500] SPI:0x993E8A98/0xB4BA9B3F lifetime   3600 Sec lifesize unlimited.
IKE phase-2 negotiation is succeeded as   initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500]   message id:0x3C2F0929, SPI:0x993E8A98/0xB4BA9B3F.
IKE phase-2 negotiation is started as   initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500]   message id:0x3C2F0929.
IPSec key deleted. Deleted SA:   217.68.167.208[500]-212.122.61.23[500] SPI:0xF09CB8C7/0xFDD307C5.
IKE protocol IPSec SA delete message   sent to peer. SPI:0xF09CB8C7.
IPSec key installed. Installed SA:   217.68.167.208[500]-212.122.61.23[500] SPI:0xBF6E041B/0xCCA91B0D lifetime   3600 Sec lifesize unlimited.
IKE phase-2 negotiation is succeeded as   initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500]   message id:0x921F14E7, SPI:0xBF6E041B/0xCCA91B0D.
IKE phase-2 negotiation is started as   initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500]   message id:0x921F14E7.
IPSec key deleted. Deleted SA:   217.68.167.208[500]-212.122.61.23[500] SPI:0xE56D34C4/0xBC5294AA.
IKE protocol IPSec SA delete message   sent to peer. SPI:0xE56D34C4.
IPSec key installed. Installed SA:   217.68.167.208[500]-212.122.61.23[500] SPI:0xF09CB8C7/0xFDD307C5 lifetime   3600 Sec lifesize unlimited.
IKE phase-2 negotiation is succeeded as   initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500]   message id:0x593A6173, SPI:0xF09CB8C7/0xFDD307C5.
IKE phase-2 negotiation is started as   initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500]   message id:0x593A6173.
5 REPLIES 5

L3 Networker

do you have a Monitor configured too? I tough I read something about a problem with ipsec and monitors.

L0 Member

Hello Robert,

does your problem still exist? Do you have a solution?

I have the same problem with a vpn tunnel to/from a AVM Fritzbox 7330. The problem only occur when the tunnel monitor is active.

Our PA2050 is running software version 4.1.3 .

Any ideas or solutions????

Kind regards,

Sascha

L0 Member

Hi,

i had excactly the same Problem today morning. Since the VPN setup wasn't productive yet i decided to delete the complete ipsec and ike setup for the vpns having this problem, before opening a case with Palo Alto Networks.

That did the trick. The vpns are now stable. My assumption is that this had to do with the upgrade from 4.0.5 to 4.1.3, because the vpns where created before the upgrade and every vpn i created after the upgrade also work fine. The Problem did not affect every vpn. Out of about 30 vpns only two where affected.

Hope this helps sombody Smiley Happy

Do you have a pre-conf and post-conf to compare on what the differences are?

In case the upgrade changes vpn tunnels to loopback interfaces instead of physical interfaces or something like that?

Hi,

mikand wrote:

Do you have a pre-conf and post-conf to compare on what the differences are?

In case the upgrade changes vpn tunnels to loopback interfaces instead of physical interfaces or something like that?

well, i had a look on the config before and after and i see quite some differences in the config ouput. I don't know if this is relevant but the information in the config is the same, but the order in which this is configured is different. I have attached a textfile where you can see the diffences.

  • 3396 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!