12-16-2011 05:48 AM
Hi,
On a PA 2020 running 4.1.0 a VPN gateway is configured. A client PA 500 running 4.1.0 with a dynamic WAN IP is configured as the peer. Both devices can reach each other. In the system log there is a successful phase 1 and phase 2 and a successful IPSec connection. After that, an IPSec SA delete message appears and the IPSec key is deleted. From this time the connection starts again with phase 2.
Does anyone have any ideas?
Regards from Germany
Robert
(newest log entries first)
IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xBF6E041B/0xCCA91B0D.
IKE protocol IPSec SA delete message sent to peer. SPI:0xBF6E041B.
IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0x993E8A98/0xB4BA9B3F lifetime 3600 Sec lifesize unlimited.
IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x3C2F0929, SPI:0x993E8A98/0xB4BA9B3F.
IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x3C2F0929.
IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xF09CB8C7/0xFDD307C5.
IKE protocol IPSec SA delete message sent to peer. SPI:0xF09CB8C7.
IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xBF6E041B/0xCCA91B0D lifetime 3600 Sec lifesize unlimited.
IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x921F14E7, SPI:0xBF6E041B/0xCCA91B0D.
IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x921F14E7.
IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xE56D34C4/0xBC5294AA.
IKE protocol IPSec SA delete message sent to peer. SPI:0xE56D34C4.
IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xF09CB8C7/0xFDD307C5 lifetime 3600 Sec lifesize unlimited.
IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x593A6173, SPI:0xF09CB8C7/0xFDD307C5.
IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x593A6173.
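Spotting this rekey loop automatically, as an added example that is not from the thread or from Palo Alto Networks: the script below replays a subset of the system-log lines quoted above (trailing table separators dropped, most phase-2 lines omitted for space), correlates each "IPSec key deleted" entry with its earlier "IPSec key installed" entry by SPI pair, and flags a peer pair whose SAs are torn down repeatedly despite the 3600 Sec configured lifetime. The threshold, function name and result layout are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines quoted in the post above, newest first as posted; the two lines
# without "key installed"/"key deleted" are kept to show they are ignored.
LOG_NEWEST_FIRST = [
    "IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xBF6E041B/0xCCA91B0D.",
    "IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0x993E8A98/0xB4BA9B3F lifetime 3600 Sec lifesize unlimited.",
    "IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: 217.68.167.208[500]-212.122.61.23[500] message id:0x3C2F0929, SPI:0x993E8A98/0xB4BA9B3F.",
    "IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xF09CB8C7/0xFDD307C5.",
    "IKE protocol IPSec SA delete message sent to peer. SPI:0xF09CB8C7.",
    "IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xBF6E041B/0xCCA91B0D lifetime 3600 Sec lifesize unlimited.",
    "IPSec key deleted. Deleted SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xE56D34C4/0xBC5294AA.",
    "IPSec key installed. Installed SA: 217.68.167.208[500]-212.122.61.23[500] SPI:0xF09CB8C7/0xFDD307C5 lifetime 3600 Sec lifesize unlimited.",
]

INSTALL = re.compile(
    r"IPSec key installed\. Installed SA: (\S+)-(\S+) "
    r"SPI:(0x[0-9A-Fa-f]+)/(0x[0-9A-Fa-f]+) lifetime (\d+) Sec")
DELETE = re.compile(
    r"IPSec key deleted\. Deleted SA: (\S+)-(\S+) SPI:(0x[0-9A-Fa-f]+)/(0x[0-9A-Fa-f]+)")


def sa_churn(lines_newest_first, threshold=2):
    """Pair install/delete events by (peers, SPI in, SPI out) and count, per
    peer pair, how many SAs ended inside the window; at or above `threshold`
    the tunnel is renegotiating instead of living out its lifetime."""
    installed = {}              # (peers, spi_in, spi_out) -> configured lifetime
    cycles = defaultdict(list)  # peers -> [(spi_in, spi_out, lifetime), ...]
    unmatched = []              # deletes whose install predates the window
    for line in reversed(lines_newest_first):  # replay oldest first
        m = INSTALL.search(line)
        if m:
            a, b, spi_in, spi_out, life = m.groups()
            installed[(f"{a}-{b}", spi_in, spi_out)] = int(life)
            continue
        m = DELETE.search(line)
        if m:
            a, b, spi_in, spi_out = m.groups()
            key = (f"{a}-{b}", spi_in, spi_out)
            if key in installed:
                cycles[key[0]].append((spi_in, spi_out, installed.pop(key)))
            else:
                unmatched.append(key)
    flapping = {p: len(c) for p, c in cycles.items() if len(c) >= threshold}
    return {"cycles": dict(cycles), "flapping": flapping,
            "still_installed": list(installed), "unmatched_deletes": unmatched}
```

Run against a longer export with timestamps, the same pairing gives the real SA lifetime per SPI, which is the figure to compare against the 3600 Sec lifetime and the tunnel-monitor interval.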
03-02-2012 04:51 AM
Hello Robert,
does your problem still exist? Do you have a solution?
I have the same problem with a VPN tunnel to/from an AVM Fritzbox 7330. The problem only occurs when the tunnel monitor is active.
Our PA2050 is running software version 4.1.3.
Any ideas or solutions????
Kind regards,
Sascha
04-27-2012 01:36 AM
Hi,
I had exactly the same problem this morning. Since the VPN setup wasn't productive yet, I decided to delete the complete IPSec and IKE setup for the VPNs having this problem, before opening a case with Palo Alto Networks.
That did the trick. The VPNs are now stable. My assumption is that this had to do with the upgrade from 4.0.5 to 4.1.3, because the VPNs were created before the upgrade, and every VPN I created after the upgrade also works fine. The problem did not affect every VPN. Out of about 30 VPNs only two were affected.
Hope this helps somebody
04-28-2012 04:22 AM
Do you have a pre-conf and post-conf to compare on what the differences are?
In case the upgrade changes vpn tunnels to loopback interfaces instead of physical interfaces or something like that?
04-30-2012 04:58 AM
Hi,
mikand wrote:
Do you have a pre-conf and post-conf to compare on what the differences are?
In case the upgrade changes vpn tunnels to loopback interfaces instead of physical interfaces or something like that?
Well, I had a look at the config before and after, and I see quite some differences in the config output. I don't know if this is relevant, but the information in the config is the same; only the order in which it is configured is different. I have attached a text file where you can see the differences.