Site 2 Site VPN


L2 Linker

We have a S2S VPN set up with a Juniper SRX at a partner site.

The P1 key lifetime is 8hr and the P2 lifetime is 1hr.

 

We are seeing that the VPN drops quite frequently. After they have had a look at the logs they are saying that during the re-key phase our end is timing out.

 

I am not sure how to get debug logs; we run PAN-OS 7.1.7.

 

They have provided some logs from their appliance:

++++++++++++++++++++++++++

[May 26 14:59:13 PIC 2/1/0 KMD2]P1 SA 298686138 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.

[May 26 14:59:13 PIC 2/1/0 KMD2]iked_pm_ike_sa_delete_done_cb: For p1 sa index 298686138, ref cnt 2, status: Error ok

[May 26 14:59:13 PIC 2/1/0 KMD2]ike_remove_callback: Start, delete SA = { 9199f4de 2130d33b - 00000000 00000000}, nego = -1

[May 26 14:59:13 PIC 2/1/0 KMD2]185.xx.xx.xx:500 (Initiator) <-> 212.xx.xx.xx:500 { 9199f4de 2130d33b - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback

[May 26 14:59:13 PIC 2/1/0 KMD2]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1

[May 26 14:59:13 PIC 2/1/0 KMD2]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1

[May 26 14:59:13 PIC 2/1/0 KMD2]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1

[May 26 14:59:13 PIC 2/1/0 KMD2]iked_pm_ike_sa_done: UNUSABLE p1_sa 298686138

[May 26 14:59:13 PIC 2/1/0 KMD2]  IKEv1 Error : Timeout

[May 26 14:59:13 PIC 2/1/0 KMD2]IPSec Rekey for SPI 0x0 failed

[May 26 14:59:13 PIC 2/1/0 KMD2]IPSec SA done callback called for sa-cfg GT-ike-vpn- local:185.10.xx.xx, remote:212.240.xx.xx IKEv1 with status Timed out

++++++++++++++

 

Can anyone point me in the right direction?
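As an added example (not from the thread or from either vendor), a small Python parser over the SRX KMD lines quoted above: it groups the lines by timestamp and reports each failed rekey with the phase-1 SA index, which side was the initiator, the IKE cookie and the final status, which is handy when the partner hands over a longer log. The regexes are assumptions derived only from the quoted line format.

```python
import re
from collections import defaultdict

# Constructed sample: the Juniper SRX KMD lines quoted in the post (addresses masked as posted).
SAMPLE_LOG = """\
[May 26 14:59:13 PIC 2/1/0 KMD2]P1 SA 298686138 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 26 14:59:13 PIC 2/1/0 KMD2]ike_remove_callback: Start, delete SA = { 9199f4de 2130d33b - 00000000 00000000}, nego = -1
[May 26 14:59:13 PIC 2/1/0 KMD2]185.xx.xx.xx:500 (Initiator) <-> 212.xx.xx.xx:500 { 9199f4de 2130d33b - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[May 26 14:59:13 PIC 2/1/0 KMD2]iked_pm_ike_sa_done: UNUSABLE p1_sa 298686138
[May 26 14:59:13 PIC 2/1/0 KMD2]  IKEv1 Error : Timeout
[May 26 14:59:13 PIC 2/1/0 KMD2]IPSec Rekey for SPI 0x0 failed
[May 26 14:59:13 PIC 2/1/0 KMD2]IPSec SA done callback called for sa-cfg GT-ike-vpn- local:185.10.xx.xx, remote:212.240.xx.xx IKEv1 with status Timed out
"""

# "[<timestamp> PIC <slot> <process>]<message>" -- the prefix format assumed from the quoted lines
LINE_RE = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) PIC \S+ (?P<proc>\w+)\](?P<msg>.*)$")
PEER_RE = re.compile(r"(?P<a>\S+):500 \((?P<role>Initiator|Responder)\) <-> (?P<b>\S+):500")

def parse_kmd_lines(text):
    """Yield (timestamp, message) for each line carrying the KMD prefix; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("msg")

def summarize_rekey_failures(text):
    """Group KMD lines by timestamp (second resolution, as in the quoted log) and return one
    summary dict per group in which an IPsec rekey failed."""
    events = defaultdict(dict)
    for ts, msg in parse_kmd_lines(text):
        ev = events[ts]
        if m := re.search(r"P1 SA (\d+) timer expiry", msg):
            ev["p1_sa"] = m.group(1)
            ev["force_delete"] = "Force delete timer expired" in msg
        if m := re.search(r"delete SA = \{ ([0-9a-f]+ [0-9a-f]+)", msg):
            ev["ike_cookie"] = m.group(1)  # initiator cookie of the phase-1 SA being torn down
        if m := PEER_RE.search(msg):
            # the side labelled Initiator started the exchange; the peer is the side that did not answer
            ev["initiator"], ev["peer"] = m.group("a"), m.group("b")
        if "IKEv1 Error : Timeout" in msg:
            ev["ike_timeout"] = True
        if "IPSec Rekey" in msg and "failed" in msg:
            ev["rekey_failed"] = True
        if m := re.search(r"sa-cfg (\S+) local:(\S+), remote:(\S+) .*status (.+)$", msg):
            ev["sa_cfg"], ev["local"], ev["remote"], ev["status"] = m.groups()
    return [{"ts": ts, **ev} for ts, ev in events.items() if ev.get("rekey_failed")]
```

In this sample the SRX is the initiator and the status is "Timed out", so the next place to look is whether the PAN-OS side saw (and answered) the UDP/500 rekey packets at all, which the replies below address.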

6 REPLIES

L6 Presenter

Do you allow IPsec traffic from the other end to your external interface:

 

policy.JPG

 

185.xx.xx.xx:500 (Initiator): my understanding is that this is the SRX interface? If this IP is the initiator, make sure you allow the above app

And (or only) application: ike

Do you have drops in the traffic log between your gw ip and the other side?

Yes, I have some dropped traffic coming from the remote end.

 

pa.png

 

What I am unclear on is why the dest end is deemed to be internal, when it is my public IP.

Do I need a new rule to allow this?

 

Interesting. I think I had this before (or a very similar issue). Can you please make sure to clear all active sessions from the session browser on your box from the external IP address (SRX):

 

Z.JPG

 

For sure your destination zone should be External 😉

I also had a very similar issue where we had dropped packets when a rekey occurred. Maybe you should give 7.1.9 (that's the version where the problem was gone in my case) or 7.1.10 a chance ...

Cyber Elite

@RC-BHF,

I've noticed this with quite a few ASAs; upgrading to 7.1.9 seems to have fixed the issue for us in our case. Before the upgrade I had simply set the key life to the point where it wouldn't rekey in business hours, kind of a hacky solution, but it worked fine until I could upgrade the unit.
