Request help with the exact meaning of these IPsec event alerts for Palo Alto.


L2 Linker

Hello All, 

I would like to know what is the meaning of the typical events we observe in the IPsec details in the monitor logs. 


ikev2-nego-ike-succ

ikev2-nego-child-succ

ipsec-key-install

ikev2-nego-child-start

ikev2-nego-ike-dpd-dn

ipsec-key-delete

ikev2-nego-stale-p2

ikev2-nego-ike-succ

ipsec-key-expire

 


Accepted Solutions

Cyber Elite

Hi @Kandarp_Desai ,

 

Most of those log messages are located here -> https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syst....

 

Here is a quick and dirty explanation of each:

 

SA = security association = separate encrypted tunnel

ikev2-nego-ike-succ = IKEv2 Phase 1 successfully negotiated

ikev2-nego-child-succ = IKEv2 Phase 2 successfully negotiated (Child SAs are typically negotiated for each subnet pair)

ipsec-key-install = encryption keys are renewed at regular intervals

ikev2-nego-child-start = a new child SA was created

ikev2-nego-ike-dpd-dn = Dead Peer Detection is down, maybe look at the timers

ipsec-key-delete = encryption keys are renewed at regular intervals

ikev2-nego-stale-p2 = Deleting a possible stale IKEv2 child SA.

ipsec-key-expire = encryption keys are renewed at regular intervals

 

SAs are created and deleted as needed by traffic.  These logs are all normal with the exception of DPD down.  However, since the severity is low, the tunnel probably stayed up.  Here is an article on DPD and tunnel monitoring (2 separate technologies) -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFaCAK.

 

Thanks,

 

Tom
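The triage described in the answer above, as an added example that is not part of the original post or of Palo Alto's tooling: it treats every listed event ID as routine except DPD down, and tracks per gateway whether a Phase 1 success was logged after the DPD event. The log layout, gateway names and the "recovered" heuristic are assumptions made for the illustration.

```python
import csv
from io import StringIO

# Meanings as given in the answer above; only DPD down is called out as abnormal.
MEANING = {
    "ikev2-nego-ike-succ": "IKEv2 Phase 1 negotiated",
    "ikev2-nego-child-succ": "IKEv2 Phase 2 (child SA) negotiated",
    "ikev2-nego-child-start": "new child SA created",
    "ipsec-key-install": "routine key renewal",
    "ipsec-key-delete": "routine key renewal",
    "ipsec-key-expire": "routine key renewal",
    "ikev2-nego-stale-p2": "possible stale child SA deleted",
    "ikev2-nego-ike-dpd-dn": "Dead Peer Detection down",
}
DPD_DOWN = "ikev2-nego-ike-dpd-dn"
IKE_UP = "ikev2-nego-ike-succ"

# Constructed sample. The "time,severity,eventid,gateway" layout is a
# simplified assumption, not the firewall's actual export format.
SAMPLE = """\
10:00:01,informational,ikev2-nego-ike-succ,gw-branch-a
10:00:02,informational,ikev2-nego-child-succ,gw-branch-a
10:00:02,informational,ipsec-key-install,gw-branch-a
10:05:40,low,ikev2-nego-ike-dpd-dn,gw-branch-a
10:05:41,informational,ipsec-key-delete,gw-branch-a
10:06:10,informational,ikev2-nego-ike-succ,gw-branch-a
10:07:00,low,ikev2-nego-ike-dpd-dn,gw-branch-b
10:07:01,informational,ikev2-recv-p2-delete,gw-branch-b
"""

def triage(text):
    """Return (per-gateway DPD state, event IDs not covered by MEANING)."""
    state, unknown = {}, set()
    for _time, _severity, event, gw in csv.reader(StringIO(text)):
        if event not in MEANING:
            unknown.add(event)          # needs a lookup in the vendor docs
        elif event == DPD_DOWN:
            state[gw] = "dpd-down-unrecovered"
        # Assumption: a later Phase 1 success on the same gateway = recovery.
        elif event == IKE_UP and state.get(gw) == "dpd-down-unrecovered":
            state[gw] = "dpd-down-recovered"
        else:
            state.setdefault(gw, "normal")
    return state, unknown

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Gateways left in the `dpd-down-unrecovered` state are the ones worth checking against the DPD timers and tunnel monitoring settings mentioned in the answer.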

 

L2 Linker

Thanks for your help, Tom!!

@TomYoung 

Hello Tom,

 

I have a question somehow related to this post.

I am seeing a lot of events with a severity of informational, like the events below, over and over; there are multiple of these events in a second.

Is it normal?
ikev2-nego-child-succ
ipsec-key-install
ikev2-nego-child-start
ikev2-recv-p2-delete
ipsec-key-delete
ikev2-send-p2-delete
ikev2-nego-ike-succ
ikev2-nego-child-succ
ipsec-key-install
ikev2-nego-child-start
ikev2-nego-ike-start
