IPSec VPN not getting any response from peer


Hello,

I'm having a weird problem with an IPSec VPN on my Palo Alto.

This morning the tunnel was working fine, but after mistakenly denying IKE and IPSec requests on my firewall, the VPN went down. I obviously did a quick rollback and the peer IP is now allowed to request IPSec and IKE.

However, the VPN won't come up again (other VPNs with similar configurations did come up again).

I can ping the peer IP from my Palo Alto IPSec interface (x.175.253.123).

I also did a packet capture and I can see that I receive IKE requests from the peer (x.151.254.90):

[screenshot: christopheguengant_1-1747859953364.png]

The Palo Alto logs only show my gateway sending negotiation requests but getting no responder state in return:

[screenshot: christopheguengant_3-1747860298749.png]

The VPN configuration is similar on both sides, and no configuration changes were made to the VPN at any time. But I did check, just in case, and everything is configured as it should be on both sides.

I tried every debug command I could find, without any result. It seems the VPN isn't listening anymore. Can someone help me understand why?

Also, in the traffic logs, I can't see IKE or IPSec traffic between the two gateways. I can't figure out why. The traffic rule exists and is logged at start and end of session.
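The symptom described above (IKE initiator messages arriving from the peer, our own gateway initiating too, but no responder state on either side) can be checked mechanically against a capture. The following Python script is an added example and is not code from the thread or from Palo Alto Networks: it reads tcpdump-style summary lines (the sample lines are constructed, using the obfuscated `x.` addresses from the post), counts IKE messages per remote peer in each direction, and reports whether anyone ever answered as responder (`[R]`) or whether ESP started flowing. The `recommended_actions` helper only echoes the CLI steps given later in this thread; `<gateway-name>` and `<tunnel-name>` are placeholders.

```python
"""Spot IKE negotiations that never get a responder in a tcpdump-style capture.

Added example, not code from the thread. SAMPLE_CAPTURE is constructed text in
tcpdump's summary format with the post's obfuscated 'x.' addresses; replace it
with the output of a real capture (e.g. tcpdump -n on the IPSec interface).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LOCAL_GW = "x.175.253.123"  # the poster's IPSec interface address (from the post)

# Constructed sample: peer x.151.254.90 keeps sending IKE_SA_INIT as initiator
# and we send our own, but no [R] message ever appears in either direction.
# Peer x.10.0.5 (constructed) negotiates normally and ESP starts flowing.
SAMPLE_CAPTURE = """\
10:41:02.113 IP x.151.254.90.500 > x.175.253.123.500: isakmp: parent_sa ikev2_init[I]
10:41:02.114 IP x.151.254.90.500 > x.175.253.123.500: isakmp: parent_sa ikev2_init[I]
10:41:06.120 IP x.151.254.90.500 > x.175.253.123.500: isakmp: parent_sa ikev2_init[I]
10:41:07.301 IP x.175.253.123.500 > x.151.254.90.500: isakmp: parent_sa ikev2_init[I]
10:41:14.155 IP x.151.254.90.500 > x.175.253.123.500: isakmp: parent_sa ikev2_init[I]
10:41:20.009 IP x.10.0.5.500 > x.175.253.123.500: isakmp: parent_sa ikev2_init[I]
10:41:20.011 IP x.175.253.123.500 > x.10.0.5.500: isakmp: parent_sa ikev2_init[R]
10:41:20.250 IP x.10.0.5.4500 > x.175.253.123.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:41:20.252 IP x.175.253.123.4500 > x.10.0.5.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
10:41:21.000 IP x.10.0.5 > x.175.253.123: ESP(spi=0x0a1b2c3d,seq=0x1)
"""

UDP_RE = re.compile(r"^\S+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+): (.*)$")
ESP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ESP\(")
IKE_PORTS = {"500", "4500"}  # IKE and NAT-T


@dataclass
class PeerStats:
    ike_in: int = 0          # IKE messages received from the peer
    ike_out: int = 0         # IKE messages we sent to the peer
    responder_msgs: int = 0  # messages flagged [R] in either direction
    esp: int = 0             # ESP packets in either direction

    @property
    def verdict(self) -> str:
        if self.esp:
            return "established"
        if self.responder_msgs:
            return "negotiating"
        if self.ike_in and self.ike_out:
            return "no-responder"          # both sides initiate, nobody answers
        if self.ike_in:
            return "local-not-answering"   # peer tries, we stay silent
        if self.ike_out:
            return "peer-not-answering"    # we try, peer stays silent
        return "no-ike"


def diagnose(capture: str, local: str = LOCAL_GW) -> dict[str, PeerStats]:
    """Return per-peer IKE/ESP counters for traffic to or from `local`."""
    stats: dict[str, PeerStats] = defaultdict(PeerStats)
    for line in capture.splitlines():
        m = ESP_RE.match(line)
        if m:
            src, dst = m.groups()
            if local in (src, dst):
                stats[dst if src == local else src].esp += 1
            continue
        m = UDP_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, info = m.groups()
        if "isakmp" not in info or not ({sport, dport} & IKE_PORTS):
            continue
        if src == local:
            peer, stats[dst].ike_out = dst, stats[dst].ike_out + 1
        elif dst == local:
            peer, stats[src].ike_in = src, stats[src].ike_in + 1
        else:
            continue
        if "[R]" in info:
            stats[peer].responder_msgs += 1
    return dict(stats)


def recommended_actions(peer: str, verdict: str) -> list[str]:
    """The steps suggested in this thread for a stuck negotiation with `peer`.
    <gateway-name>/<tunnel-name> are placeholders for the objects pointing at it."""
    if verdict in ("established", "negotiating", "no-ike"):
        return []
    return [
        "clear vpn ike-sa gateway <gateway-name>",
        "clear vpn ipsec-sa tunnel <tunnel-name>",
        f"# if that does not help, kill stale UDP/500,4500 sessions with {peer} "
        "in Monitor > Session Browser (filter on the remote gateway IP)",
    ]


if __name__ == "__main__":
    for peer, s in diagnose(SAMPLE_CAPTURE).items():
        print(f"{peer}: in={s.ike_in} out={s.ike_out} R={s.responder_msgs} "
              f"esp={s.esp} -> {s.verdict}")
        for step in recommended_actions(peer, s.verdict):
            print("   ", step)
```

On the constructed sample the x.151.254.90 peer comes out as `no-responder`, which is exactly the state the screenshots describe, while the healthy peer is `established`; on a real capture, a `local-not-answering` verdict points at something on your own box (a stale session or SA, or a policy still dropping IKE) rather than at the peer.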

Accepted Solution

Community Team Member

Hi @christophe.guengant,

I would recommend clearing out the current phase 1 and phase 2 SAs so the tunnel can start fresh. Go into the CLI and enter the following commands to clear the stale SAs:

clear vpn ike-sa gateway <enter gateway name>
clear vpn ipsec-sa tunnel <enter tunnel name>

By doing this, you're telling the firewall to renegotiate a brand new connection with the peer.

LIVEcommunity team member
Stay Secure,
Jay

Replies


Cyber Elite

It might be that the VPN tunnel can only be set up in one direction (this is usually a symptom of a deeper issue). You can try setting your side to 'passive' mode and have the remote end initiate the connection.

This also has the added benefit of providing far more information in your logging, since the recipient can see the incoming requests and the 'reply' (or denial) of the proposed negotiation.

As to a cause, there could be a negotiation hiccup where there are too many pairs, etc. If you're able to switch the direction of the negotiation and become the receiver, and there's nothing obvious in the logs, you can also go into the CLI and enable debugging for IKE and IPSec and see what's happening at a lower level.

In troubleshooting IPSec, being the recipient is key 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,

Thanks for your help. It seems I had some dead sessions blocking renegotiation of the IKE or IPSec.

The "clear vpn" CLI commands didn't seem to work, but I did have better results once I killed the dead IKE or IPSec sessions from the GUI (Monitor > Session Browser). (It is good to know that in the session browser it is possible to filter on the remote gateway IP.)

It appears to be a known issue on Palo Alto firewalls.
