04-09-2024 01:01 PM
Hi Team,
We have an issue with AWS Site to Site VPN, where we can see continuous rekeying of Phase-2 tunnels. It's a PA-3220 HA pair. It started happening recently as we can see previously the rekey did happen only after the Lifetime expired (Phase-2 Lifetime set to 3600 sec on both Palo and AWS).
This VPN has been in place for over a year without issues and we recently started seeing these rekeys every minute.
We have checked the Phase-1 and 2 settings, which are similar, and in IKEMGR.log we see the following every time a REKEY happens:
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: no more child SA to be renegotiated! Check dup IKE SA for new_sa(sn 287321)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 286508) for (SN 287321)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Survice IKE_SA (SN 286508)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 287303) for (SN 286508)
The firewall removes the IKE SA as duplicate IKE SAs... we see this happening continuously.
We have already deleted/recreated this issue and tried to clear the VPN completely, but this is still happening.
Any leads would be appreciated.
TIA!!
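As an added example (not part of the original post and not a Palo Alto Networks tool), the script below parses ikemgr.log lines of the shape quoted above and measures how often the "Found dup IKE SA" event recurs per IKE gateway, flagging a gateway when rekeys arrive far sooner than the configured Phase-2 lifetime of 3600 seconds. The line format is inferred from the four log lines in the post; the sample log embedded in the script is constructed, and the gateway numbers, SNs and the 10% churn threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Line shape taken from the ikemgr.log excerpt in the post (assumed to be stable):
# "2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 286508) for (SN 287321)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"\[(?P<level>\w+)\]: \{ (?P<gw>\d+): \}: (?P<msg>.*)$"
)
DUP_RE = re.compile(r"Found dup IKE SA \(SN (?P<old>\d+)\) for \(SN (?P<new>\d+)\)")

# Constructed sample log: gateway 3 shows dup-SA events about every minute
# (the symptom in the post), gateway 7 shows one rekey after more than an hour.
SAMPLE_LOG = """\
2024-04-09 11:15:21.101 -0400 [INFO]: { 3: }: no more child SA to be renegotiated! Check dup IKE SA for new_sa(sn 287301)
2024-04-09 11:15:21.102 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 286508) for (SN 287301)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 286508) for (SN 287321)
2024-04-09 11:17:22.410 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 286508) for (SN 287340)
2024-04-09 11:18:21.870 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 286508) for (SN 287362)
2024-04-09 09:00:00.000 -0400 [INFO]: { 7: }: Found dup IKE SA (SN 100) for (SN 101)
2024-04-09 10:05:00.000 -0400 [INFO]: { 7: }: Found dup IKE SA (SN 100) for (SN 102)
garbage line that does not match the expected format
"""


def parse_line(line):
    """Split one ikemgr.log line into timestamp, gateway id and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts, "gateway": int(m.group("gw")), "msg": m.group("msg")}


def dup_sa_events(lines):
    """Return (timestamp, gateway, surviving_sn, new_sn) for every 'Found dup IKE SA' line."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        d = DUP_RE.search(rec["msg"])
        if d:
            events.append((rec["ts"], rec["gateway"], int(d.group("old")), int(d.group("new"))))
    return events


def assess_churn(lines, lifetime_seconds=3600, fraction=0.10):
    """Per gateway: number of dup-SA events, shortest gap between them, and a churn flag.

    A gateway is flagged when the shortest gap is under `fraction` of the configured
    Phase-2 lifetime, i.e. rekeys are arriving long before the lifetime could expire.
    The 10% fraction is an assumed threshold, not a vendor value.
    """
    by_gw = {}
    for ts, gw, _old, _new in dup_sa_events(lines):
        by_gw.setdefault(gw, []).append(ts)
    report = {}
    for gw, stamps in by_gw.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        min_gap = min(gaps) if gaps else None
        report[gw] = {
            "events": len(stamps),
            "min_interval": min_gap,
            "churn": min_gap is not None and min_gap < lifetime_seconds * fraction,
        }
    return report


if __name__ == "__main__":
    for gw, info in sorted(assess_churn(SAMPLE_LOG.splitlines()).items()):
        state = "CHURN" if info["churn"] else "ok"
        print(f"gateway {gw}: {info['events']} dup-SA events, "
              f"shortest gap {info['min_interval']}s -> {state}")
```

Run against a real ikemgr.log (for example `python3 check_rekey.py < ikemgr.log` after swapping the sample for `sys.stdin`), the report tells you which gateway is rekeying well below its lifetime, so the comparison with the AWS side can be narrowed to that tunnel rather than the whole box.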