Ok, the first message at 13:47 is that the Cisco requests to delete the SA, and a new SA is established right after that. Do you have DPD activated on the PA?
I would check again if the proxy IDs are matching and if the Cisco has some dead SAs installed.
Here is the DPD config:
crypto isakmp keepalive 10 5
Proxy IDs are not set on PA. On Cisco also no extra proxy ID config is installed. Do we have to configure proxy IDs? Suggestions how???
The link mentioned earlier in this discussion was removed as the article was outdated and no longer accurate.
Please take a look here: https://live.paloaltonetworks.com/t5/Management-Articles/IPSec-and-tunneling-resource-list/ta-p/6772...
Hope this helps
DPD is not supported on Cisco. This is a Palo Alto feature. You will see that in the ike logs.
Dead Peer Detection (DPD) refers to functionality documented in RFC 3706, which is a method of detecting dead Internet Key Exchange (IKE/Phase1) peers. Tunnel Monitoring is a Palo Alto Networks proprietary feature that verifies traffic is successfully passing across the IPSEC tunnel in question by sending a PING down the tunnel to the configured destination. Tunnel monitoring can be used in conjunction with “Monitor Profiles” to bring down the tunnel interface, allowing routing to update so that traffic can route across secondary routes. Tunnel monitoring does not require DPD. Dead Peer Detection must be either active or disabled on both sides of the tunnel; having one side with DPD enabled and one side with it disabled can cause VPN reliability issues.