Palo Alto - Barracuda IPsec VPN problems


L2 Linker

We have an IPsec VPN (IKEv2) between a Palo Alto (10.0.7) and a Barracuda (8.0.5-0341) with 10 IPsec tunnels, one VPN tunnel per subnet pair, on the Palo side "proxy IDs".

At least once every day, some of these IPsec tunnels go down and can only be forced to come up again with a manual "initiate" on the Barracuda.
The Palo Alto is set to passive.

Normally, every 35 - 45 minutes a new IPsec tunnel for a subnet pair is installed and the old one deleted (logs on both sides). But when the error occurs, the newly established IPsec tunnel is deleted immediately (in the same second) after it has been installed.
These logs are seen on both ends of the tunnel, so it cannot be said which end causes the problem and why.
Then it is down until a manual "initiate".
Any ideas?
Of course we checked timers, subnets and masks etc.
Thanks.

12 REPLIES

Cyber Elite

Hello,

When the tunnels go down, is there a lack of traffic? Meaning some devices, not sure about Barracuda, will drop tunnels if no traffic is going across them. If you set up tunnel monitoring, the PAN will send a ping periodically across the tunnel to help keep it up.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunne...


Hope that helps.

L2 Linker

Thanks for the reply.
But we are already pinging through some of the tunnels (5 minute interval) and it also happens there.
And I think the IPsec tunnel should come up when traffic is going through it, even when there was some time without traffic, otherwise it is useless.

Hey 🙂


We have the same issue. Could you figure out what the problem was?

Unfortunately not. We moved from Barracuda (Azure cloud) to the Azure-VPN-GW

Hmm 😞 We have an F280 on prem at our office and have the issue you have described, with a Palo Alto on the other side.

A fix would be great 🙂 Or if someone has an idea.


The question in my opinion is which firewall causes this, Barracuda or Palo.

Cyber Elite

Hello,

I just reread the initial issue. Any reason you have 10 tunnels between the two devices? 1 is sufficient, it's all encrypted.

Regards,

We have only 1 tunnel, with 8 local networks, as an IKEv2 tunnel.

But we have the same problem as in the opening question.

We run a Barracuda F280. The other side has a Palo Alto PA-5250.

L1 Bithead

So no one has an idea?

Cyber Elite

Hello,

The only other thing I could suggest is to try IKEv1.

Regards,


L0 Member

Hi guys,

We had the same issue you're describing and got the recommendation from Barracuda Support to use "IKE Reauthentication" and disable "Restart SA on Close" in the tunnel settings if the partner is a Palo Alto.

That worked for us and the tunnel has been stable since we changed the settings.

L0 Member

Hi All,


We had this problem, tried a lot of things and were getting nowhere. We were using multiple Proxy IDs /24 networks on the Palo Altos as well.

We changed the IKE Phase 1 lifetime to 86400 seconds (24 hours).

Kept the IKE Phase 2 lifetime at 3600 seconds.

And what I believe resolved the issue: summarized the /24 Proxy ID networks to a couple of /19 Proxy IDs that covered most networks.

This reduced the number of IPsec VPN tunnels being created and resolved the issue. We still kept a couple of /24 networks that couldn't be summarized, but we reduced the Proxy ID entries from 20+ to 5.

I hope this helps.


Regards,

Simon
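Simon's fix works because on PAN-OS every Proxy ID entry negotiates its own IPsec SA pair, and each of them rekeys on its own schedule; fewer entries means fewer rekeys that can collide. The script below, an added example that is not from this thread or from either vendor, takes a constructed list of /24 Proxy IDs, buckets them by /19 as Simon did, and (going one step further than the post) replaces each bucket with the tightest supernet that still covers its members, reporting how much address space the wider selector now admits. All network values are made up.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample resembling the poster's "20+" /24 Proxy IDs (not real ranges).
SAMPLE_PROXY_IDS = [f"10.10.{i}.0/24" for i in range(16)] + [
    "10.20.5.0/24", "10.20.9.0/24", "10.30.40.0/24", "192.168.77.0/24",
]
SAMPLE_NETWORKS = [ip_network(p) for p in SAMPLE_PROXY_IDS]


def tightest_supernet(nets):
    """Smallest single prefix that contains every network in `nets`."""
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summarize_proxy_ids(prefixes, bucket_len=19):
    """Group Proxy IDs by their /bucket_len block. Buckets holding two or more
    networks become one tightest-covering summary entry (one SA pair instead
    of several); lone networks are kept unchanged, as in Simon's post."""
    buckets = defaultdict(list)
    for p in prefixes:
        net = ip_network(p)
        if net.prefixlen < bucket_len:
            raise ValueError(f"{net} is already wider than /{bucket_len}")
        buckets[net.supernet(new_prefix=bucket_len)].append(net)
    result = []
    for members in buckets.values():
        result.append(tightest_supernet(members) if len(members) > 1 else members[0])
    return sorted(result)


def extra_coverage(summary, originals):
    """Addresses inside `summary` that no original Proxy ID covered: traffic
    the wider selector now matches, which must not overlap another tunnel
    or locally routed space."""
    covered = sum(n.num_addresses for n in originals if n.subnet_of(summary))
    return summary.num_addresses - covered


if __name__ == "__main__":
    summary = summarize_proxy_ids(SAMPLE_PROXY_IDS)
    print(f"{len(SAMPLE_PROXY_IDS)} Proxy IDs -> {len(summary)} SA pairs")
    for net in summary:
        print(f"  {net!s:20} extra addresses admitted: {extra_coverage(net, SAMPLE_NETWORKS)}")
```

Entries with a large "extra addresses admitted" value are the ones to review before committing, since an over-wide selector can pull traffic meant for another tunnel into this one.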

L1 Bithead

No one here who has another idea except IKEv1?
