IPSec VPN restarts very often

L1 Bithead

Hello,

I have defined an IPSec VPN connection with the following parameters:

ike: 3des/sha1/dh5 Lifetime: 8 hours

ipsec: ESP/3des/sha1/dh5 Lifetime: 30 minutes (life size not set, shows 0MB)

ike gateway: main mode, DP enabled

The connection is established, but in the system log I see very often (every 5 sec.) that the tunnel goes down and comes up again and again. We have packet loss of about 0.5%.

Any ideas? I've already configured the connection from scratch again.

Jacek.

Log file:

2012/09/24 12:36:39    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0x8C5FC8B5/0xFFFD0AD9.

2012/09/24 12:36:39    ike-send-p2-delete    IKE protocol IPSec SA delete message sent to peer. SPI:0x8C5FC8B5.

2012/09/24 12:36:38    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xDF1F9E37/0xFFFD0ADA lifetime 1800 Sec lifesize unlimited.

2012/09/24 12:36:38    ike-nego-p2-succ    IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0xCFE39FEB, SPI:0xDF1F9E37/0xFFFD0ADA.

2012/09/24 12:36:38    ike-nego-p2-start    IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0xCFE39FEB.

2012/09/24 12:36:35    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xCDCD7E83/0xFFFD0AD8.

2012/09/24 12:36:35    ike-send-p2-delete    IKE protocol IPSec SA delete message sent to peer. SPI:0xCDCD7E83.

2012/09/24 12:36:34    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0x8C5FC8B5/0xFFFD0AD9 lifetime 1800 Sec lifesize unlimited.

2012/09/24 12:36:34    ike-nego-p2-succ    IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x756F7417, SPI:0x8C5FC8B5/0xFFFD0AD9.

2012/09/24 12:36:34    ike-nego-p2-start    IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x756F7417.

2012/09/24 12:36:31    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xE36D50CD/0xFFFD0AD7.

2012/09/24 12:36:31    ike-send-p2-delete    IKE protocol IPSec SA delete message sent to peer. SPI:0xE36D50CD.

2012/09/24 12:36:30    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xCDCD7E83/0xFFFD0AD8 lifetime 1800 Sec lifesize unlimited.

2012/09/24 12:36:30    ike-nego-p2-succ    IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x43C3E41C, SPI:0xCDCD7E83/0xFFFD0AD8.

2012/09/24 12:36:30    ike-nego-p2-start    IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x43C3E41C.

2012/09/24 12:36:27    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0x8D0BBED9/0xFFFD0AD6.

2012/09/24 12:36:27    ike-send-p2-delete    IKE protocol IPSec SA delete message sent to peer. SPI:0x8D0BBED9.

2012/09/24 12:36:26    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xE36D50CD/0xFFFD0AD7 lifetime 1800 Sec lifesize unlimited.

2012/09/24 12:36:26    ike-nego-p2-succ    IKE phase-2 negotiation is succeeded as initiator, quick mode. Established SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x15CF19C6, SPI:0xE36D50CD/0xFFFD0AD7.

2012/09/24 12:36:26    ike-nego-p2-start    IKE phase-2 negotiation is started as initiator, quick mode. Initiated SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] message id:0x15CF19C6.
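A defender-side check for the churn visible in the log above, written as an added example (it is not from the original post and not PAN-OS code): it parses lines in the quoted format and flags phase-2 SAs that are torn down long before their configured lifetime, which is exactly what the 1800 s SAs living about 5 seconds show. The sample lines are constructed from the post's own log, with the addresses left masked as on the page.

```python
import re
from datetime import datetime

# Constructed sample in the format of the PAN-OS system log quoted in the
# post above (peer addresses masked as on the page; SPIs copied from it).
SAMPLE_LOG = """\
2012/09/24 12:36:30    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xCDCD7E83/0xFFFD0AD8 lifetime 1800 Sec lifesize unlimited.
2012/09/24 12:36:34    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0x8C5FC8B5/0xFFFD0AD9 lifetime 1800 Sec lifesize unlimited.
2012/09/24 12:36:35    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xCDCD7E83/0xFFFD0AD8.
2012/09/24 12:36:38    ipsec-key-install    IPSec key installed. Installed SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0xDF1F9E37/0xFFFD0ADA lifetime 1800 Sec lifesize unlimited.
2012/09/24 12:36:39    ipsec-key-delete    IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-YY.YY.YY.YY[500] SPI:0x8C5FC8B5/0xFFFD0AD9.
"""

# Timestamp, event name, local/peer SPI pair, and the optional lifetime field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>ipsec-key-install|ipsec-key-delete)\s+.*?"
    r"SPI:(?P<spi>0x[0-9A-Fa-f]+)/(?P<peer_spi>0x[0-9A-Fa-f]+)"
    r"(?: lifetime (?P<lifetime>\d+) Sec)?"
)

def parse_events(log_text):
    """Yield (timestamp, event, spi_pair, configured_lifetime) per key line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ike-nego-* and other lines are not SA key events
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        life = int(m["lifetime"]) if m["lifetime"] else None
        yield ts, m["event"], (m["spi"], m["peer_spi"]), life

def sa_lifetimes(log_text):
    """Map each SA (by SPI pair) to (configured_seconds, observed_seconds).
    An SA installed but not yet deleted in the log gets observed=None."""
    installed, result = {}, {}
    for ts, event, spis, life in parse_events(log_text):
        if event == "ipsec-key-install":
            installed[spis] = (ts, life)
            result[spis] = (life, None)
        elif spis in installed:
            start, life = installed.pop(spis)
            result[spis] = (life, (ts - start).total_seconds())
    return result

def flapping_sas(log_text, max_fraction=0.05):
    """Return SPI pairs deleted after less than max_fraction of their
    configured lifetime: the signature of the rekey churn in this thread."""
    return [spis for spis, (life, seen) in sa_lifetimes(log_text).items()
            if life and seen is not None and seen < max_fraction * life]
```

A healthy tunnel with these settings should show one install roughly every 30 minutes per direction; any SA flagged here points at the peer tearing the SA down (tunnel monitor, proxy-ID mismatch or replay issues, as the replies below discuss) rather than at a lifetime expiry.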


@Support_LTC:-

This was also our experience. Your suggestion to remove the tunnel monitor resolved our identical problem. Many thanks!

Why did deactivating the replay protection resolve your issue?

Sorry, I was not logged in for a while.

I am not really sure. The tunnel between the PA-VM and ScreenOS 6.3 did not become stable for long (300 Mbit max throughput, 20 ms latency, no measurable packet loss).

L0 Member

Hello,


We were also running into the same issue, with NO tunnel monitors.


Every 3 or 5 seconds our SPI would change, or reset to a different one, indicating that new 'interesting traffic' had been selected.


It was very weird behavior: certain hosts could ping fine but others wouldn't, and the tunnel kept resetting every 3-5 seconds.


The remote end/peer was a Fortinet firewall. It turns out our peer was doing 'strict phase 2 IP selection' in a route-based tunnel. In other words, on the Palo Alto, even with a route-based tunnel, we had to define a proxy ID, and everything went back to normal!
