PA 7.1.0 - IPSec SA goes into create delete loop after enabling tunnel monitor


L0 Member


Hi,

I am facing a strange issue with an IPSec connection between PA (7.1.0) and strongSwan (5.6.2), where I see Palo Alto start sending CREATE_CHILD_SA rekey requests to strongSwan when I enable tunnel monitor. Earlier we were using strongSwan (5.3.5) and didn't have an issue with tunnel monitor, but recently we upgraded strongSwan to 5.6.2 and started seeing the issue with PA (7.1.0).

When we tested strongSwan 5.6.2 with PA (8.0.1) we did not see this issue, and the tunnel is stable even after enabling tunnel monitor.

What might be wrong here?

Is it a compatibility issue of the latest strongSwan (5.6.2) with the old version of PA (7.1.0)?

strongSwan logs

==============

Sep 19 08:50:32 13[ENC] <peer-10.15.18.11-tunnel-vti|1> generating CREATE_CHILD_SA response 8 [ SA No KE TSi TSr ]
Sep 19 08:50:32 13[NET] <peer-10.15.18.11-tunnel-vti|1> sending packet: from 10.15.18.160[4500] to 10.15.18.11[4500] (348 bytes)
Sep 19 08:50:33 14[NET] <peer-10.15.18.11-tunnel-vti|1> received packet: from 10.15.18.11[4500] to 10.15.18.160[4500] (428 bytes)
Sep 19 08:50:33 14[ENC] <peer-10.15.18.11-tunnel-vti|1> parsed CREATE_CHILD_SA request 9 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 19 08:50:33 14[IKE] <peer-10.15.18.11-tunnel-vti|1> inbound CHILD_SA peer-10.15.18.11-tunnel-vti{3} established with SPIs cb060f5e_i 8862ba52_o and TS 0.0.0.0/0 === 0.0.0.0/0
Sep 19 08:50:33 14[ENC] <peer-10.15.18.11-tunnel-vti|1> generating CREATE_CHILD_SA response 9 [ SA No KE TSi TSr ]
Sep 19 08:50:33 14[NET] <peer-10.15.18.11-tunnel-vti|1> sending packet: from 10.15.18.160[4500] to 10.15.18.11[4500] (348 bytes)
Sep 19 08:50:37 16[NET] <peer-10.15.18.11-tunnel-vti|1> received packet: from 10.15.18.11[4500] to 10.15.18.160[4500] (428 bytes)
Sep 19 08:50:37 16[ENC] <peer-10.15.18.11-tunnel-vti|1> parsed CREATE_CHILD_SA request 10 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 19 08:50:37 16[IKE] <peer-10.15.18.11-tunnel-vti|1> inbound CHILD_SA peer-10.15.18.11-tunnel-vti{4} established with SPIs c4eda173_i be53eb66_o and TS 0.0.0.0/0 === 0.0.0.0/0
Sep 19 08:50:37 16[ENC] <peer-10.15.18.11-tunnel-vti|1> generating CREATE_CHILD_SA response 10 [ SA No KE TSi TSr ]
Sep 19 08:50:37 16[NET] <peer-10.15.18.11-tunnel-vti|1> sending packet: from 10.15.18.160[4500] to 10.15.18.11[4500] (348 bytes)
Sep 19 08:50:41 15[NET] <peer-10.15.18.11-tunnel-vti|1> received packet: from 10.15.18.11[4500] to 10.15.18.160[4500] (428 bytes)
Sep 19 08:50:41 15[ENC] <peer-10.15.18.11-tunnel-vti|1> parsed CREATE_CHILD_SA request 11 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 19 08:50:41 15[IKE] <peer-10.15.18.11-tunnel-vti|1> inbound CHILD_SA peer-10.15.18.11-tunnel-vti{5} established with SPIs c9cb3476_i cd5423a3_o and TS 0.0.0.0/0 === 0.0.0.0/0
Sep 19 08:50:41 15[ENC] <peer-10.15.18.11-tunnel-vti|1> generating CREATE_CHILD_SA response 11 [ SA No KE TSi TSr ]
Sep 19 08:50:41 15[NET] <peer-10.15.18.11-tunnel-vti|1> sending packet: from 10.15.18.160[4500] to 10.15.18.11[4500] (348 bytes)
Sep 19 08:50:45 05[NET] <peer-10.15.18.11-tunnel-vti|1> received packet: from 10.15.18.11[4500] to 10.15.18.160[4500] (428 bytes)
Sep 19 08:50:45 05[ENC] <peer-10.15.18.11-tunnel-vti|1> parsed CREATE_CHILD_SA request 12 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 19 08:50:45 05[IKE] <peer-10.15.18.11-tunnel-vti|1> inbound CHILD_SA peer-10.15.18.11-tunnel-vti{6} established with SPIs c721717d_i ed927b62_o and TS 0.0.0.0/0 === 0.0.0.0/0

=============

Palo Alto logs screenshot

pa-logs.png
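The charon log above is the diagnostic here, so as an added example (mine, not code from the thread) this script scans strongSwan log lines for the symptom shown: several inbound CREATE_CHILD_SA requests carrying N(REKEY_SA) arriving on one IKE_SA within a short window. The sample lines are taken from the post; the threshold values (3 rekeys in 60 s) and the placeholder year strptime fills in are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the REKEY_SA lines quoted in the post above, plus one
# response line and one CHILD_SA line so the filter has something to ignore.
SAMPLE_LOG = """\
Sep 19 08:50:32 13[ENC] <peer-10.15.18.11-tunnel-vti|1> generating CREATE_CHILD_SA response 8 [ SA No KE TSi TSr ]
Sep 19 08:50:33 14[ENC] <peer-10.15.18.11-tunnel-vti|1> parsed CREATE_CHILD_SA request 9 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 19 08:50:33 14[IKE] <peer-10.15.18.11-tunnel-vti|1> inbound CHILD_SA peer-10.15.18.11-tunnel-vti{3} established with SPIs cb060f5e_i 8862ba52_o and TS 0.0.0.0/0 === 0.0.0.0/0
Sep 19 08:50:37 16[ENC] <peer-10.15.18.11-tunnel-vti|1> parsed CREATE_CHILD_SA request 10 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 19 08:50:41 15[ENC] <peer-10.15.18.11-tunnel-vti|1> parsed CREATE_CHILD_SA request 11 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 19 08:50:45 05[ENC] <peer-10.15.18.11-tunnel-vti|1> parsed CREATE_CHILD_SA request 12 [ N(REKEY_SA) SA No KE TSi TSr ]
""".splitlines()

# charon line prefix: "<timestamp> <thread>[<group>] <ike_sa_name|unique_id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \d+\[\w+\] <(?P<ike_sa>[^>]+)> (?P<msg>.*)$"
)
# An inbound rekey: the peer's CREATE_CHILD_SA request carrying the REKEY_SA notify.
REKEY_RE = re.compile(r"parsed CREATE_CHILD_SA request \d+ \[.*\bN\(REKEY_SA\)")


def rekey_requests_by_ike_sa(lines):
    """Map each IKE_SA tag to the sorted timestamps of inbound REKEY_SA requests."""
    result = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and REKEY_RE.search(m["msg"]):
            # Syslog timestamps carry no year; strptime fills in 1900, which is
            # fine because only deltas within one capture are compared (assumption).
            result[m["ike_sa"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    for stamps in result.values():
        stamps.sort()
    return result


def find_rekey_loops(lines, min_requests=3, window_s=60):
    """Flag IKE_SAs whose peer sent >= min_requests rekeys within window_s seconds.

    A healthy CHILD_SA rekeys on the order of minutes to hours, so several
    rekeys within one minute is the create/delete loop the post describes.
    """
    loops = {}
    for ike_sa, stamps in rekey_requests_by_ike_sa(lines).items():
        for i in range(len(stamps) - min_requests + 1):
            if (stamps[i + min_requests - 1] - stamps[i]).total_seconds() <= window_s:
                loops[ike_sa] = {"requests": len(stamps),
                                 "span_s": (stamps[-1] - stamps[0]).total_seconds()}
                break
    return loops
```

Run against a full `charon` log (e.g. the lines `journalctl -u strongswan` prints) the same function reports every IKE_SA that is churning, so the loop can be alerted on rather than noticed after the fact.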


6 REPLIES

L2 Linker

Are you really using version 7.1.0? Maybe it is already fixed. Why don't you try the latest recommended version, 7.1.19?

We are using PA 7.1.0 for testing IPSec with strongSwan. We can upgrade to a new version, but I am just curious: was there an issue with tunnel monitoring in 7.1.0, and why didn't we hit it with strongSwan 5.3.5? Also, is it not recommended to use PA 7.1.0 for IPSec in a production deployment?

I just recommend that you test with the latest recommended version of PAN-OS. If you still have the issue, opening a support case could help, if you believe it could be a problem of the 7.1.x release.

Recommended versions in 7.1.x are 7.1.17 / 7.1.18 / 7.1.19.

If you are using DNS Proxies on your PA, I personally would recommend version 7.1.19.

Version 7.1.0 was the first initial release, so it is very old. I wouldn't use it anymore in a production deployment. I mean, it was released in April 2016.

@pritamkharat,

7.1.0 is not recommended in any case; I wouldn't even really recommend using it in a lab environment. There are security issues present in 7.1.0 that are significant by themselves and were patched in later releases, lots of known issues revolving around IPSec have been patched throughout the code base, and strongSwan is specifically mentioned three times within the addressed issues of the 7.1 code.

Hello,

Also make sure that the destination tunnel monitor IP has a proper route.

But definitely upgrade, like others have stated.

Regards,

Seeing this issue in version 8.0.5
