SA of the tunnel is Active

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SA of the tunnel is Active

L3 Networker

Hi Team,

Can anybody tell the meaning of "What it means if the SA of the tunnel is up "?, Does it mean there is live communication in the tunnel. 

8 REPLIES 8

Cyber Elite
Cyber Elite

Palo does not try to negotiate tunnel if there is no interesting traffic so tunnel stays down.

Do you see which side is initiator in System log?

Do you have any monitoring configured (on static route for example in virtual router) that might generate traffic that traverses tunnel?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L6 Presenter

The SA is the Security Association - basically the unique encryption key identifier that secures the connection. There is an SA for the IKE connection (phase 1) and one or more SAs for the IPSec connection (phase 2, each data stream). There also may be multiple SAs active when the current SA is about to expire, a new SA may be negotiated prior to the old being deleted. An SA being up means that encryption key has been negotiated between the two sides of the tunnel.

 

It is easier to just look at the IKE Info and Tunnel Info indications under Network->IPSec Tunnels, but you can see the individual SAs by looking in the system logs at Monitor->Logs->System and filtering by the IKE/IPSec tunnel object. You should see the SA setup and deletions.

Negotiate phase 1 SA:

ike-nego-p1-start - IKE phase-1 negotiation started as responder. Initiated SA 1.2.3.4[500]-5.6.7.8[500] cookie:012345abcdef

ike-nego-p1-succ - IKE phase-1 negotiation succeeded as responder. Established SA 1.2.3.4[500]-5.6.7.8[500] cookie:012345abcdef

Negotiate phase 2 SA:

ike-nego-p2-start - IKE phase-2 negotiation started as responder. Initiated SA 1.2.3.4[500]-5.6.7.8[500] id:0x9F8E7C6D

ike-nego-p2-succ - IKE phase-2 negotiation succeeded as responder. Established SA 1.2.3.4[500]-5.6.7.8[500] id:0x9F8E7C6D SPI:0x1A2B3C4D/0x56AB78CD

ipsec-key-install - IPSec key installed. Installed SA 1.2.3.4[500]-5.6.7.8[500] SPI:0x1A2B3C4D/0x56AB78CD

Expire and remove the pahse 2 SA:

ipsec-key-expire - IPSec key lifetime expired. Expired SA 1.2.3.4[500]-5.6.7.8[500] SPI:0x1A2B3C4D/0x56AB78CD

ike-nego-p2-delete - IKE protocol IPSec SA delete message sent to peer SPI:0x1A2B3C4D

 

Hi @Raido_Rattameister / @Adrian_Jensen ,

 

Thanks for the response. I can see the multiple  active SA information from the firewall CLI and default vpn monitoring is configured to the tunnel. But there are no live event logs and also there is no traffic hits on the policy we are observing.

L6 Presenter

Do you have a route pointing your destination traffic to the tunnel or IP on the tunnel? If you look at Network->IPSec Tunnels->[tunnel]->Tunnel Info do you see the counters for packets/data encapsulated and decapsulated increasing? Every packet you successfully send across the VPN should increase the encapsulated count, every packet you receive from the far end should increase the decapsulated count.

 

If you don't see any association in the Tunnel Info window then you don't have any valid phase 2 SAs. If your encapsulated count is zero then you are not successfully routing traffic out the IPSec tunnel (or your Security Policies are blocking it). If the decapsulated count is zero then the far side is not sending you any packets. 

L3 Networker

Hi @Adrian_Jensen ,

 

Thanks for the response and will check on the above.

L3 Networker

Hi @Adrian_Jensen ,

 

I can see the encapsulation count as zero, but the decapsulation count is increasing continuously. VPN monitor is disabled at both the end.
There is no interesting traffic observed in the monitoring traffic logs.



 

Cyber Elite
Cyber Elite

Check what is tunnel interface for this VPN tunnel (you see that under Network > IPSec Tunnels).

Let's assume it is 17.

 

Go to Monitor > Traffic and use filter below.

( interface eq tunnel.17 )

 

Anything comes up?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @Raido_Rattameister ,

 

Thanks for the filter. Yes I can see 'ping' and 'snmp' related traffics.

  • 2824 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!