IPsec VPN between Fortigate and Palo Alto (slowness)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IPsec VPN between Fortigate and Palo Alto (slowness)

Hello I've established a vpn w/ a Fortigate using PA-1410. Connections are extremely slow. Can someone provide some guidance to troubleshoot the issues please? Here are some outputs.

 

tunnel  X:XX
        id:                     35
        type:                   IPSec
        gateway id:             14
        local ip:               X.X.X.X
        peer ip:                X.X.X.X
        inner interface:        tunnel.9
        outer interface:        ethernet1/1
        state:                  active
        session:                837652
        tunnel mtu:             1400
        soft lifetime:          3510
        hard lifetime:          3600
        lifetime remain:        3599 sec
        lifesize remain:        4607999 kb
        latest rekey:           1 seconds ago
        monitor:                off
          monitor packets seen: 0
          monitor packets reply:0
        en/decap context:       4371
        local spi:              DD9790D6
        remote spi:             B55B01EA
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA1
        enc  algorithm:         AES128
        traffic selector:
          protocol:             0
          local ip range:       10.72.X.X - 10.72.X.X
          local port range:     0 - 65535
          remote ip range:      10.35.X.X - 10.35.X.X
          remote port range:    0 - 65535
        ipsec mode:             tunnel
        anti replay check:      yes
        anti replay window:     1024
        copy tos:               no
        enable gre encap:       no
        initiator:              yes
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       1
        receive sequence:       0
        encap packets:          30292
        decap packets:          8730
        encap bytes:            6511296
        decap bytes:            4974032
        encap IPv4 packets:     30292
        decap IPv4 packets:     8730
        encap IPv4 bytes:       6511296
        decap IPv4 bytes:       4974032
        encap IPv6 packets:     0
        decap IPv6 packets:     0
        encap IPv6 bytes:       0
        decap IPv6 bytes:       0
        key acquire requests:   1
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1

 

 

1 accepted solution

Accepted Solutions

Hello just for everybody's information... Actually vpn tunnel was being established and closed every two seconds or so. I could check this in the logs. On the monitoring part of the firewall everything seemed normal (Network => IPsec tunnels) but the TS associations were going up and down and traffic was being impacted of course. To check the logs go to Monitor => System and go for this kind of messages (I've filtered using the SPI id on the description). Look for TS association errors => This means proxy ID aren't matching between your Palo Alto firewall and the FW on the other end. You need exact matches. We replaced ASA w/ Palo Alto and the same configuration for crypto maps was not working. Hope this helps someone on the future :).

 

luishoracioarizaga_1-1715350966293.png

 

 

 

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

What do you use to measure speed?

Packet loss?

Fragmentation?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

The server takes too long to answer. Websites do not load or take 5,10 minutes to load.

 

Hello, I've found an error... ipsec SA keeps being established and going down every second or two seconds. I don't know why but I least it's a clue

luishoracioarizaga_0-1715178295937.png

 

Cyber Elite
Cyber Elite

This points to mismatching proxy-ids.

Check that encryption domain / proxy-id is exactly the same on both side.

 

If you switch temporarily to IKEv1 then you can see in system log what proxy-id's Fortigate sends to Palo.

 

Otherwise you need to troubleshoot in cli to get this info.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hello just for everybody's information... Actually vpn tunnel was being established and closed every two seconds or so. I could check this in the logs. On the monitoring part of the firewall everything seemed normal (Network => IPsec tunnels) but the TS associations were going up and down and traffic was being impacted of course. To check the logs go to Monitor => System and go for this kind of messages (I've filtered using the SPI id on the description). Look for TS association errors => This means proxy ID aren't matching between your Palo Alto firewall and the FW on the other end. You need exact matches. We replaced ASA w/ Palo Alto and the same configuration for crypto maps was not working. Hope this helps someone on the future :).

 

luishoracioarizaga_1-1715350966293.png

 

 

 

  • 1 accepted solution
  • 2034 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!