11-15-2021 06:11 AM - edited 11-15-2021 06:12 AM
We've an IPsec-VPN IKEv2 between Palo Alto (10.0.7) and Barracuda (8.0.5-0341) with 10 IPsec tunnels, one VPN tunnel per subnet pair, on the Palo side "proxy IDs".
At least once every day, some of these ipsec-tunnels go down and can only be forced to come up again with manual "initiate" on Barracuda.
The Palo Alto is set to passive.
Normally, every 35 - 45 minutes a new IPsec tunnel for a subnet pair is installed and the old one deleted (logs on both sides). But when the error occurs, the newly established IPsec tunnel is deleted immediately (in the same second) after it has been installed.
These logs are also seen on both ends of the tunnel, so it cannot be said which end causes the problem and why.
Then it is down until manual "initiate".
Any ideas?
Of course we checked timers, subnets and masks etc.
Thanks.
11-15-2021 07:41 AM
Hello,
When the tunnels go down, is there a lack of traffic? Meaning some devices, not sure about Barracuda, will drop tunnels if no traffic is going across them. If you set up tunnel monitor, the PAN will send a ping periodically across the tunnel to help keep it up.
Hope that helps.
11-15-2021 07:58 AM
Thanks for the reply.
But we are already pinging through some of the tunnels (5-minute interval) and it also happens there.
And I think the IPsec tunnel should come up when traffic is going through it, even when there was some time without traffic, otherwise it is useless.
05-10-2022 11:52 PM
Hey 🙂
We have the same issue. Could you figure out what the problem was?
05-11-2022 12:28 AM
Unfortunately not. We moved from Barracuda (Azure cloud) to the Azure-VPN-GW.
05-12-2022 02:05 PM - edited 05-12-2022 02:06 PM
Hmm 😞 We have an F280 on-prem at our office and have the issue you have described, with a Palo Alto on the other side.
A fix would be great 🙂 Or if someone has an idea.
The question, in my opinion, is which firewall causes this: Barracuda or Palo.
05-13-2022 01:08 PM
Hello,
I just reread the initial issue. Any reason you have 10 tunnels between the two devices? 1 is sufficient, it's all encrypted.
Regards,
05-15-2022 11:59 PM
We have only 1 tunnel with 8 local networks as an IKEv2 tunnel.
But we have the same problem as in the initial question.
We run a Barracuda F280. The other side has a Palo Alto PA-5250.
05-17-2022 12:41 PM
Hello,
The only other thing I could suggest is to try IKEv1.
Regards,
07-01-2022 02:19 AM
Hi guys,
We had the same issue you're describing and got the recommendation from Barracuda Support to use "IKE Reauthentication" and disable "Restart SA on Close" in the tunnel settings if the partner is a Palo Alto.
That worked for us and the tunnel has been stable since we changed the settings.
07-14-2022 06:28 AM
Hi All,
We had this problem, tried a lot of things and were getting nowhere. We were using multiple Proxy IDs with /24 networks on the Palo Altos as well.
We changed the IKE Phase 1 lifetime to 86400 seconds (24 hours).
We kept the IKE Phase 2 lifetime at 3600 seconds.
And, what I believe resolved the issue, we summarized the /24 Proxy ID networks to a couple of /19 Proxy IDs that covered most networks.
This reduced the number of IPsec VPN tunnels being created and resolved the issue. We still kept a couple of /24 networks that couldn't be summarized, but we reduced the Proxy ID entries from 20+ to 5.
I hope this helps.
Regards,
Simon
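Added example, not part of any post in this thread and not vendor code: a sketch of the proxy ID summarization described in the reply above, which also reports how many addresses each wider selector adds to the encryption domain so that security policy can be checked against it. The subnet list is constructed sample data, and the function name and the `min_members` threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

def summarize_proxy_ids(subnets, summary_prefix=19, min_members=2):
    """Return [(selector, members, extra_addresses)] sorted by address.

    Subnets sharing a /summary_prefix supernet are replaced by that supernet
    when at least min_members fall inside it; the rest are kept unchanged.
    extra_addresses counts what the wider selector adds beyond the originals.
    Assumes all entries are the same IP version.
    """
    groups = defaultdict(list)
    for text in subnets:
        net = ipaddress.ip_network(text, strict=True)  # rejects host bits set
        if net.prefixlen <= summary_prefix:
            groups[net].append(net)  # already as wide as the summary size
        else:
            groups[net.supernet(new_prefix=summary_prefix)].append(net)

    plan = []
    for supernet, members in sorted(groups.items()):
        if len(members) >= min_members:
            covered = sum(n.num_addresses
                          for n in ipaddress.collapse_addresses(members))
            plan.append((supernet, members, supernet.num_addresses - covered))
        else:
            # Nothing to merge with: keep the original narrow selector.
            plan.extend((m, [m], 0) for m in members)
    return plan

# Constructed sample: seven /24 proxy IDs on one side of the tunnel.
SAMPLE_PROXY_IDS = [
    "10.20.0.0/24", "10.20.1.0/24", "10.20.5.0/24", "10.20.31.0/24",
    "10.20.40.0/24", "10.20.41.0/24",
    "192.168.50.0/24",
]

if __name__ == "__main__":
    plan = summarize_proxy_ids(SAMPLE_PROXY_IDS)
    print(f"{len(SAMPLE_PROXY_IDS)} proxy IDs -> {len(plan)}")
    for selector, members, extra in plan:
        print(f"{selector}: replaces {len(members)} entries, "
              f"adds {extra} addresses not previously in a selector")
```

Both peers must be configured with the same selectors, and the added addresses are only reachable through the tunnel if the security policy on either firewall permits them.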