IPSEC VPN tunnel getting disconnected.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSEC VPN tunnel getting disconnected.

L0 Member

IPSEC VPN tunnel got disconnected abruptly. We need to find out what could have caused this from the logs and adjust the VPN parameters accordingly.

 

 

From logs i found this.

 

 

ikemgr.log
2021-10-15 03:35:11
2021-10-15 03:35:11.814 +0000 [PNTF]: { 5: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
ikemgr.log
2021-10-15 03:35:11
====> Initiated SA: 10.67.2.4[500]-129.146.18.218[500] message id:0x7AEB6BD2 <====
ikemgr.log
2021-10-15 03:35:11
2021-10-15 03:35:11.874 +0000 [PNTF]: { : 11}: ====> PHASE-2 NEGOTIATION SUCCEEDED AS RESPONDER, (QUICK MODE) <====
ikemgr.log
2021-10-15 03:35:11
====> Established SA: 10.67.2.4[500]-129.146.18.218[500] message id:0x7AEB6BD2, SPI:0xFF264BC0/0x2E688DE1 <====
ikemgr.log
2021-10-15 03:35:11
2021-10-15 03:35:11.874 +0000 [INFO]: { 5: 11}: SADB_UPDATE proto=255 129.146.18.218[500]=>10.67.2.4[500] ESP tunl spi 0xFF264BC0 auth=SHA1 enc=AES256/32 lifetime soft 3600/0 hard 3600/0
ikemgr.log
2021-10-15 03:35:11
2021-10-15 03:35:11.874 +0000 [INFO]: { 5: 11}: SADB_ADD proto=255 10.67.2.4[500]=>129.146.18.218[500] ESP tunl spi 0x2E688DE1 auth=SHA1 enc=AES256/32 lifetime soft 3040/0 hard 3600/0
ikemgr.log
2021-10-15 03:35:11
2021-10-15 03:35:11.874 +0000 [INFO]: { 5: 11}: IPsec-SA established: ESP/Tunnel 129.146.18.218[500]->10.67.2.4[500] spi=4280699840(0xff264bc0)
ikemgr.log
2021-10-15 03:35:11
2021-10-15 03:35:11.874 +0000 [PNTF]: { : 11}: ====> IPSEC KEY INSTALLATION SUCCEEDED <====
ikemgr.log
2021-10-15 03:35:11
====> Installed SA: 10.67.2.4[500]-129.146.18.218[500] SPI:0xFF264BC0/0x2E688DE1 lifetime 3600 Sec lifesize unlimited <====
ikemgr.log
2021-10-15 03:35:11
2021-10-15 03:35:11.875 +0000 [INFO]: { 5: 11}: SPI FF264BC0 inserted by IPSec responder, return 0 0.
ikemgr.log
2021-10-15 03:35:11
2021-10-15 03:35:11.876 +0000 [INFO]: { 5: 11}: SPI AD383876 removed by keymodify, return 0 0.
ikemgr.log
2021-10-15 03:35:11
2021-10-15 03:35:11.926 +0000 [PNTF]: { 4: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=c7

 

 

 

and 

 

 

 

2021-10-15 05:40:14.000 +0000 [PNTF]: { : 3}: ====> IPSEC KEY LIFETIME EXPIRED <====
ikemgr.log
2021-10-15 05:40:14
====> Expired SA: 10.67.2.4[500]-193.122.168.108[500] SPI:0x89D515AF/0x9B4C01EE <====
ikemgr.log
2021-10-15 05:40:14
2021-10-15 05:40:14.000 +0000 [PNTF]: { : 3}: ====> IPSEC KEY DELETED <====
ikemgr.log
2021-10-15 05:40:14
====> Deleted SA: 10.67.2.4[500]-193.122.168.108[500] SPI:0x89D515AF/0x9B4C01EE <====
ikemgr.log
2021-10-15 05:40:14
2021-10-15 05:40:14.000 +0000 [INFO]: { 2: 3}: SADB_DELETE proto=0 src=10.67.2.4[500] dst=193.122.168.108[500] ESP spi=0x89D515AF
ikemgr.log
2021-10-15 05:40:14
2021-10-15 05:40:14.003 +0000 [INFO]: { 2: }: IKE IPSEC KEY_DELETE recvd: SPI:0x9B4C01EE.
ikemgr.log
2021-10-15 05:40:14
2021-10-15 05:40:14.003 +0000 [PWRN]: { : 3}: phase-2 sa purge mismatch SPI:0x00000000/0x9B4C01EE.
ikemgr.log
2021-10-15 05:40:16
2021-10-15 05:40:16.476 +0000 [PNTF]: { 5: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=d28831c36d68199a df9f3ea275e758eb (size=16).
ikemgr.log
2021-10-15 05:40:17
2021-10-15 05:40:17.231 +0000 [PNTF]: { 4: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=c7831ca6999b3f2d 61b387c15d5e8f48 (size=16).

 

 

Can anyone help on this.

One one side it is palo alto the other side it is oracle.

2 REPLIES 2

Community Team Member

Hi @RPrasad3 ,

 

It could be a good idea to review and confirm if all the settings from both sides are the same (phase 1 & 2 lifetime amongst other things).  When there is a mismatch, the most common result is that the VPN stops functioning when one site's lifetime expires.

 

For more verbose logging information you might want to increase logging level to 'debug' if the problem persists.

Also check the system logs in the same time frame as they might highlight proposal, negotiation and/or other issues.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!

Cyber Elite
Cyber Elite

@RPrasad3,

As @kiwi already mentioned review your settings and ensure that both sides actually match. From your logs it appears that lifetime values don't match on both sides which would lead to this sort of problem. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!