AWS-Palo VPN Phase-2 Rekeying


Hi Team,

We have an issue with an AWS Site-to-Site VPN, where we can see continuous rekeying of the Phase-2 tunnels. It's a PA-3220 HA pair. It started happening recently; previously the rekey only happened after the lifetime expired (Phase-2 lifetime set to 3600 sec on both the Palo and AWS sides).

This VPN has been in place for over a year without issues, and we recently started seeing these rekeys every minute.

We have checked the Phase-1 and Phase-2 settings, which match, and in ikemgr.log we see the following every time a REKEY happens:

2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: no more child SA to be renegotiated! Check dup IKE SA for new_sa(sn 287321)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 286508) for (SN 287321)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Survice IKE_SA (SN 286508)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 287303) for (SN 286508)

The firewall removes the IKE SAs as duplicates... we see this happening continuously.

We have already deleted/recreated this and tried to clear the VPN completely, but it is still happening.

Any leads would be appreciated.

 

TIA!!
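As an added example (not part of the original post), the script below parses ikemgr.log lines in the format quoted above, extracts the "Found dup IKE SA" events, and measures the interval between consecutive events per gateway so that a rekey rate far below the configured 3600 s Phase-2 lifetime stands out. The sample log lines are constructed for the example; the `{ 3: }` field is assumed to be the IKE gateway/tunnel identifier, and the 10%-of-lifetime churn threshold is an arbitrary choice for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Line layout taken from the ikemgr.log excerpt in the post:
# "<date> <time>.<ms> <tz> [LEVEL]: { <gw>: }: <message>"
# The "{ N: }" field is assumed (not confirmed by the post) to identify the IKE gateway.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"\[(?P<level>\w+)\]: \{ (?P<gw>\d+): \}: (?P<msg>.*)$"
)
# Serial numbers of the two IKE SAs the daemon reports as duplicates of each other.
DUP_RE = re.compile(r"Found dup IKE SA \(SN (?P<old>\d+)\) for \(SN (?P<new>\d+)\)")

# Constructed sample: gateway 3 rekeys roughly once a minute (the symptom in the post),
# gateway 5 rekeys once per lifetime (healthy). Lines are deliberately out of order.
SAMPLE_IKEMGR_LOG = """\
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: no more child SA to be renegotiated! Check dup IKE SA for new_sa(sn 287321)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 286508) for (SN 287321)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Survice IKE_SA (SN 286508)
2024-04-09 11:17:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 287321) for (SN 287340)
2024-04-09 11:18:22.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 287340) for (SN 287362)
2024-04-09 11:19:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 287362) for (SN 287385)
2024-04-09 11:00:05.000 -0400 [INFO]: { 5: }: Found dup IKE SA (SN 100002) for (SN 100003)
2024-04-09 10:00:00.000 -0400 [INFO]: { 5: }: Found dup IKE SA (SN 100001) for (SN 100002)
"""


def parse_line(line):
    """Split one ikemgr.log line into fields; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"] + m["tz"], "%Y-%m-%d %H:%M:%S.%f%z")
    return {"ts": ts, "level": m["level"], "gw": int(m["gw"]), "msg": m["msg"]}


def dup_events(lines):
    """Yield one record per 'Found dup IKE SA' line: timestamp, gateway, old SN, new SN."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        d = DUP_RE.search(rec["msg"])
        if d:
            yield {"ts": rec["ts"], "gw": rec["gw"], "old": int(d["old"]), "new": int(d["new"])}


def rekey_report(log_text, lifetime_s=3600, churn_fraction=0.1, min_intervals=2):
    """Per gateway: event count, median seconds between dup-SA events, and a churn flag.

    A gateway is flagged when it has at least `min_intervals` intervals and the median
    interval is below `churn_fraction` of the configured lifetime (threshold is arbitrary).
    """
    by_gw = defaultdict(list)
    for ev in dup_events(log_text.splitlines()):
        by_gw[ev["gw"]].append(ev)

    report = {}
    for gw, evs in by_gw.items():
        evs.sort(key=lambda e: e["ts"])  # log lines may not arrive in time order
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        median = statistics.median(intervals) if intervals else None
        report[gw] = {
            "dup_events": len(evs),
            "median_interval_s": median,
            "churning": len(intervals) >= min_intervals and median < lifetime_s * churn_fraction,
            # (old SN, new SN) pairs in time order, to see which SA keeps getting replaced
            "sa_chain": [(e["old"], e["new"]) for e in evs],
        }
    return report


if __name__ == "__main__":
    for gw, info in sorted(rekey_report(SAMPLE_IKEMGR_LOG).items()):
        flag = "CHURN" if info["churning"] else "ok"
        print(f"gateway {gw}: {info['dup_events']} dup-SA events, "
              f"median interval {info['median_interval_s']} s -> {flag}")
```

Run it against a real ikemgr.log (for example the output of `less mp-log ikemgr.log` saved to a file) by passing the file contents to `rekey_report`; a gateway whose median interval is seconds or minutes while both peers are configured for 3600 s is the one to compare against the peer's lifetime and proposal settings.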
