IPSec VPN restarts very often


L1 Bithead

Hello,

I have defined an IPSec VPN connection with the following params:

ike: 3des/sha1/dh5 Lifetime: 8 hours

ipsec: ESP/3des/sha1/dh5 Lifetime: 30 minutes (life size not set, shows 0MB)

ike gateway: main mode, DP enabled

The connection is established, but in the system log I see very often (every 5 sec.) that the tunnel goes down and up again and again. We have packet loss of about 0.5%.

Any ideas? I've already configured the connection from scratch again.

Jacek.

Log file:

2012/09/24 12:36:39    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0x8C5FC8B5/0xFFFD0AD9.

2012/09/24 12:36:39    ike-send-p2-delete    IKE protocol IPSec SA delete message sent to peer. SPI:0x8C5FC8B5.

2012/09/24 12:36:38    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xDF1F9E37/0xFFFD0ADA lifetime 1800 Sec lifesize unlimited.

2012/09/24 12:36:38    ike-nego-p2-succ    IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0xCFE39FEB, SPI:0xDF1F9E37/0xFFFD0ADA.

2012/09/24 12:36:38    ike-nego-p2-start    IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0xCFE39FEB.

2012/09/24 12:36:35    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xCDCD7E83/0xFFFD0AD8.

2012/09/24 12:36:35    ike-send-p2-delete    IKE protocol IPSec SA delete message sent to peer. SPI:0xCDCD7E83.

2012/09/24 12:36:34    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0x8C5FC8B5/0xFFFD0AD9 lifetime 1800 Sec lifesize unlimited.

2012/09/24 12:36:34    ike-nego-p2-succ    IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x756F7417, SPI:0x8C5FC8B5/0xFFFD0AD9.

2012/09/24 12:36:34    ike-nego-p2-start    IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x756F7417.

2012/09/24 12:36:31    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xE36D50CD/0xFFFD0AD7.

2012/09/24 12:36:31    ike-send-p2-delete    IKE protocol IPSec SA delete message sent to peer. SPI:0xE36D50CD.

2012/09/24 12:36:30    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xCDCD7E83/0xFFFD0AD8 lifetime 1800 Sec lifesize unlimited.

2012/09/24 12:36:30    ike-nego-p2-succ    IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x43C3E41C, SPI:0xCDCD7E83/0xFFFD0AD8.

2012/09/24 12:36:30    ike-nego-p2-start    IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x43C3E41C.

2012/09/24 12:36:27    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0x8D0BBED9/0xFFFD0AD6.

2012/09/24 12:36:27    ike-send-p2-delete    IKE protocol IPSec SA delete message sent to peer. SPI:0x8D0BBED9.

2012/09/24 12:36:26    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xE36D50CD/0xFFFD0AD7 lifetime 1800 Sec lifesize unlimited.

2012/09/24 12:36:26    ike-nego-p2-succ    IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x15CF19C6, SPI:0xE36D50CD/0xFFFD0AD7.

2012/09/24 12:36:26    ike-nego-p2-start    IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x15CF19C6.
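As an added example (not part of the thread), the following Python script pairs each ipsec-key-install with the later ipsec-key-delete for the same outbound SPI in log lines of the format shown above, and flags SAs that lived for only a small fraction of their negotiated lifetime; that is exactly the pattern in the log (5 s observed against an 1800 s lifetime). The sample lines are constructed from the post, and the 5% threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the thread's log format, newest entry first as in the post.
SAMPLE_LOG = """\
2012/09/24 12:36:39    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0x8C5FC8B5/0xFFFD0AD9.
2012/09/24 12:36:39    ike-send-p2-delete    IKE protocol IPSec SA delete message sent to peer. SPI:0x8C5FC8B5.
2012/09/24 12:36:38    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xDF1F9E37/0xFFFD0ADA lifetime 1800 Sec lifesize unlimited.
2012/09/24 12:36:35    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xCDCD7E83/0xFFFD0AD8.
2012/09/24 12:36:34    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0x8C5FC8B5/0xFFFD0AD9 lifetime 1800 Sec lifesize unlimited.
2012/09/24 12:36:30    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xCDCD7E83/0xFFFD0AD8 lifetime 1800 Sec lifesize unlimited.
"""

# Only the key install/delete events carry the SPI pair we need; other events
# (ike-nego-*, ike-send-p2-delete) fail the event group and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>ipsec-key-(?:install|delete))\s+.*?"
    r"SPI:(?P<spi>0x[0-9A-Fa-f]+)/0x[0-9A-Fa-f]+"
    r"(?: lifetime (?P<lifetime>\d+) Sec)?"
)


def sa_lifespans(log_text):
    """Return [(outbound_spi, observed_seconds, negotiated_lifetime), ...] for every
    SA that was both installed and deleted within the log, oldest deletion first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            events.append((ts, m["event"], m["spi"], m["lifetime"]))
    events.sort(key=lambda e: e[0])  # the post lists newest first; process in time order

    installed, results = {}, []
    for ts, event, spi, lifetime in events:
        if event == "ipsec-key-install":
            installed[spi] = (ts, int(lifetime))
        elif spi in installed:  # a delete with no matching install (truncated log) is ignored
            start, negotiated = installed.pop(spi)
            results.append((spi, int((ts - start).total_seconds()), negotiated))
    return results


def churn_alerts(log_text, min_fraction=0.05):
    """SAs torn down before min_fraction (assumed threshold) of their negotiated
    lifetime elapsed. A healthy rekey happens near the lifetime; a 5 s life against
    1800 s means something other than rekeying (here the tunnel monitor) deletes the SA."""
    return [r for r in sa_lifespans(log_text) if r[1] < r[2] * min_fraction]
```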

Accepted Solution

In our case it was caused by the tunnel monitor; after un-selecting the tunnel monitor the phase 2 deletes were back to normal (instead of every 4 sec).




L6 Presenter

Since it takes two to tango VPN - what do you have at the other side?

And if possible, could you put one of those peers much closer to your PA to rule out any interference from the network(s) in between?

Also, how are your security policies set up for this traffic?

And is your IPSec set up on a physical interface (which perhaps goes up and down?) or a loopback interface?

I have 3 VPNs running. The problem appeared after some update in 4.1.x with all 3 connections. I can control both sides of only one connection (it's a Cisco router IPSec with VTI). I've just deleted the configuration on both sides and recreated it with the same parameters, and it works now.

The other two VPN partners haven't changed a thing, and they show the above problem.

All IPSec connections are setup on the same physical interface together with normal internet traffic. I observe no problems with the interface. Security policies allow ssh connections outgoing.

How can I see what makes the connections up and down?

Make sure the crypto settings are the same on both sides and try initiating the tunnel traffic from the remote side.

Also try setting the DH group in the ipsec-crypto profile to "no-pfs" on both sides. Clear the VPN tunnels on the Palo Alto side:

admin@PA> clear vpn ike-sa gateway

  <value>  clear for given IKE gateway

admin@PA> clear vpn ipsec-sa tunnel

  <value>  clear for given VPN tunnel

Try initiating the tunnel from the Cisco side.

Monitor the system logs on the firewall to see the IPSEC negotiation. Check to see if the tunnel comes up.

Which version of software are you using on the firewall? There is an issue with software release 4.1.5 where, after an upgrade or intermittently, the IPSec VPN tunnel would not come up when a Palo Alto Networks firewall initiates a connection to a Cisco ASA device. [Bug # 39884] This issue was addressed in software release 4.1.6.

Let me know if this helps.

Regards

Parth

We have 4.1.7.

I cannot control the other side of the tunnel. Those are partners who request the configuration according to their policy. I have checked the IPSec params requested. They are set correctly on both sides. The IPSec tunnel is established, but in the log I can see those IKE deletes every ca. 10 sec. I had to disable informational logging on syslog.

One of the VPNs ends on a Fortinet. The only VPN that is working has no Proxy-ID defined. The other two with problems have Proxy-IDs defined in the IPSec tunnel.

I can't see any reason for "IKE protocol IPSec SA delete message sent to peer". We experience long RTT and packet loss on those connections.

Jacek.
