01-18-2023 08:35 AM
01-18-2023 09:20 AM
Palo does not try to negotiate the tunnel if there is no interesting traffic, so the tunnel stays down.
Do you see which side is the initiator in the System log?
Do you have any monitoring configured (on a static route in the virtual router, for example) that might generate traffic that traverses the tunnel?
01-18-2023 06:32 PM
The SA is the Security Association - basically the unique encryption key identifier that secures the connection. There is an SA for the IKE connection (phase 1) and one or more SAs for the IPSec connection (phase 2, each data stream). There may also be multiple SAs active when the current SA is about to expire, since a new SA may be negotiated before the old one is deleted. An SA being up means that an encryption key has been negotiated between the two sides of the tunnel.
It is easier to just look at the IKE Info and Tunnel Info indications under Network->IPSec Tunnels, but you can see the individual SAs by looking in the system logs at Monitor->Logs->System and filtering by the IKE/IPSec tunnel object. You should see the SA setup and deletions.
Negotiate phase 1 SA:
ike-nego-p1-start - IKE phase-1 negotiation started as responder. Initiated SA 1.2.3.4[500]-5.6.7.8[500] cookie:012345abcdef
ike-nego-p1-succ - IKE phase-1 negotiation succeeded as responder. Established SA 1.2.3.4[500]-5.6.7.8[500] cookie:012345abcdef
Negotiate phase 2 SA:
ike-nego-p2-start - IKE phase-2 negotiation started as responder. Initiated SA 1.2.3.4[500]-5.6.7.8[500] id:0x9F8E7C6D
ike-nego-p2-succ - IKE phase-2 negotiation succeeded as responder. Established SA 1.2.3.4[500]-5.6.7.8[500] id:0x9F8E7C6D SPI:0x1A2B3C4D/0x56AB78CD
ipsec-key-install - IPSec key installed. Installed SA 1.2.3.4[500]-5.6.7.8[500] SPI:0x1A2B3C4D/0x56AB78CD
Expire and remove the phase 2 SA:
ipsec-key-expire - IPSec key lifetime expired. Expired SA 1.2.3.4[500]-5.6.7.8[500] SPI:0x1A2B3C4D/0x56AB78CD
ike-nego-p2-delete - IKE protocol IPSec SA delete message sent to peer SPI:0x1A2B3C4D
01-18-2023 11:18 PM
Hi @Raido_Rattameister / @Adrian_Jensen ,
Thanks for the response. I can see the multiple active SA information from the firewall CLI, and default VPN monitoring is configured on the tunnel. But there are no live event logs, and also there are no traffic hits on the policy we are observing.
01-19-2023 08:42 AM
Do you have a route pointing your destination traffic to the tunnel or IP on the tunnel? If you look at Network->IPSec Tunnels->[tunnel]->Tunnel Info do you see the counters for packets/data encapsulated and decapsulated increasing? Every packet you successfully send across the VPN should increase the encapsulated count, every packet you receive from the far end should increase the decapsulated count.
If you don't see any association in the Tunnel Info window then you don't have any valid phase 2 SAs. If your encapsulated count is zero then you are not successfully routing traffic out the IPSec tunnel (or your Security Policies are blocking it). If the decapsulated count is zero then the far side is not sending you any packets.
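The log walkthrough in the earlier reply and the encapsulated/decapsulated counter check in this one both describe state that is normally reconstructed by hand. The following Python is an added example, not code from this thread or from Palo Alto Networks: it replays event lines in the shape quoted above into a table of negotiated and installed phase-2 SAs, then interprets two snapshots of the Tunnel Info packet counters. The event list is constructed from the quoted lines plus an invented second phase-2 SA to show the overlap during a rekey; the function names, the diagnosis strings, and the assumption that the counters only increase between snapshots are mine.

```python
"""Replay PAN-OS IKE/IPsec system-log events and reconcile SA state with tunnel counters.

Added example, not code from the original thread or from Palo Alto Networks.
Assumes the event text has the shape quoted in the post:
    "<event-id> - <description> ... SPI:0x<spi>/0x<spi>"
The sample below is constructed from the quoted lines plus one invented rekey.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SpiPair = Tuple[str, Optional[str]]

# Constructed sample: event strings copied from the post; the two lines marked
# "rekey" are invented so that a second SA overlaps the first before it expires.
SAMPLE_EVENTS: List[str] = [
    "ike-nego-p1-start - IKE phase-1 negotiation started as responder. Initiated SA 1.2.3.4[500]-5.6.7.8[500] cookie:012345abcdef",
    "ike-nego-p1-succ - IKE phase-1 negotiation succeeded as responder. Established SA 1.2.3.4[500]-5.6.7.8[500] cookie:012345abcdef",
    "ike-nego-p2-start - IKE phase-2 negotiation started as responder. Initiated SA 1.2.3.4[500]-5.6.7.8[500] id:0x9F8E7C6D",
    "ike-nego-p2-succ - IKE phase-2 negotiation succeeded as responder. Established SA 1.2.3.4[500]-5.6.7.8[500] id:0x9F8E7C6D SPI:0x1A2B3C4D/0x56AB78CD",
    "ipsec-key-install - IPSec key installed. Installed SA 1.2.3.4[500]-5.6.7.8[500] SPI:0x1A2B3C4D/0x56AB78CD",
    # rekey (constructed): new SA negotiated and installed before the old one expires
    "ike-nego-p2-succ - IKE phase-2 negotiation succeeded as responder. Established SA 1.2.3.4[500]-5.6.7.8[500] id:0x9F8E7C6E SPI:0x1A2B3C4E/0x56AB78CE",
    "ipsec-key-install - IPSec key installed. Installed SA 1.2.3.4[500]-5.6.7.8[500] SPI:0x1A2B3C4E/0x56AB78CE",
    "ipsec-key-expire - IPSec key lifetime expired. Expired SA 1.2.3.4[500]-5.6.7.8[500] SPI:0x1A2B3C4D/0x56AB78CD",
    "ike-nego-p2-delete - IKE protocol IPSec SA delete message sent to peer SPI:0x1A2B3C4D",
]

SPI_RE = re.compile(r"SPI:(0x[0-9A-Fa-f]+)(?:/(0x[0-9A-Fa-f]+))?")
COOKIE_RE = re.compile(r"cookie:([0-9A-Fa-f]+)")


@dataclass
class TunnelState:
    phase1_up: bool = False
    phase1_cookie: Optional[str] = None
    # phase-2 SAs whose keys are agreed but not yet pushed to the dataplane
    negotiated: Dict[str, SpiPair] = field(default_factory=dict)
    # phase-2 SAs that are installed and can carry traffic
    active: Dict[str, SpiPair] = field(default_factory=dict)


def apply_event(state: TunnelState, line: str) -> TunnelState:
    """Update SA state from one system-log event line."""
    event = line.split(" - ", 1)[0].strip()
    m = SPI_RE.search(line)
    pair: Optional[SpiPair] = (m.group(1), m.group(2)) if m else None
    if event == "ike-nego-p1-succ":
        c = COOKIE_RE.search(line)
        state.phase1_up = True
        state.phase1_cookie = c.group(1) if c else None
    elif event == "ike-nego-p2-succ" and pair:
        # keys agreed, but no traffic flows until ipsec-key-install
        state.negotiated[pair[0]] = pair
    elif event == "ipsec-key-install" and pair:
        state.active[pair[0]] = state.negotiated.pop(pair[0], pair)
    elif event in ("ipsec-key-expire", "ike-nego-p2-delete") and pair:
        # a delete message names only one SPI; match it against either direction
        for key, (spi_a, spi_b) in list(state.active.items()):
            if pair[0] in (spi_a, spi_b):
                del state.active[key]
    return state


def replay(lines: List[str]) -> TunnelState:
    state = TunnelState()
    for line in lines:
        apply_event(state, line)
    return state


def active_spis(state: TunnelState) -> List[SpiPair]:
    return sorted(state.active.values(), key=lambda p: p[0])


def diagnose(state: TunnelState, before: Tuple[int, int], after: Tuple[int, int]) -> str:
    """Interpret two snapshots of Tunnel Info (encapsulated, decapsulated) packet counts.

    Assumes the counters only increase between the snapshots (no clear or reboot).
    """
    if not state.active:
        return "no-phase2-sa"
    findings = []
    if after[0] - before[0] == 0:
        findings.append("nothing-routed-out")  # route or security policy on this side
    if after[1] - before[1] == 0:
        findings.append("peer-not-sending")
    return "healthy" if not findings else ";".join(findings)


if __name__ == "__main__":
    print("after rekey, before expiry:", active_spis(replay(SAMPLE_EVENTS[:7])))
    final = replay(SAMPLE_EVENTS)
    print("after old SA expired:", active_spis(final))
    # the symptom reported in this thread: encapsulated stuck at 0 while decapsulated climbs
    print(diagnose(final, (0, 100), (0, 250)))
```

Replaying only up to `ike-nego-p2-succ` leaves the SA in `negotiated` rather than `active`, which is why `diagnose` reports `no-phase2-sa` until `ipsec-key-install` is seen; that is the distinction between an SA that has been agreed and one that can actually carry packets.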
01-31-2023 10:35 PM
Hi @Adrian_Jensen ,
I can see the encapsulation count as zero, but the decapsulation count is increasing continuously. VPN monitor is disabled at both ends.
There is no interesting traffic observed in the monitoring traffic logs.
02-01-2023 06:23 AM - edited 02-01-2023 06:24 AM
Check what is tunnel interface for this VPN tunnel (you see that under Network > IPSec Tunnels).
Let's assume it is 17.
Go to Monitor > Traffic and use filter below.
( interface eq tunnel.17 )
Does anything come up?