03-06-2023 12:52 AM
Hello All,
I would like to know what is the meaning of the typical events we observe in the IPsec details in the monitor logs.
ikev2-nego-ike-succ
ikev2-nego-child-succ
ipsec-key-install
ikev2-nego-child-start
ikev2-nego-ike-dpd-dn
ipsec-key-delete
ikev2-nego-stale-p2
ikev2-nego-ike-succ
ipsec-key-expire
03-06-2023 04:13 PM
Hi @Kandarp_Desai ,
Most of those log messages are located here -> https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syst....
Here is a quick and dirty explanation of each:
SA = security association = separate encrypted tunnel
ikev2-nego-ike-succ = IKEv2 Phase 1 successfully negotiated
ikev2-nego-child-succ = IKEv2 Phase 2 successfully negotiated (Child SAs are typically negotiated for each subnet pair)
ipsec-key-install = encryption keys are renewed at regular intervals
ikev2-nego-child-start = a new child SA was created
ikev2-nego-ike-dpd-dn = Dead Peer Detection is down, maybe look at the timers
ipsec-key-delete = encryption keys are renewed at regular intervals
ikev2-nego-stale-p2 = Deleting a possible stale IKEv2 child SA.
ipsec-key-expire = encryption keys are renewed at regular intervals
SAs are created and deleted as needed by traffic. These logs are all normal with the exception of DPD down. However, since the severity is low, the tunnel probably stayed up. Here is an article on DPD and tunnel monitoring (2 separate technologies) -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFaCAK.
Thanks,
Tom
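As an added example (not part of the original posts and not Palo Alto tooling), the triage described in the reply above could be scripted as follows: it flags DPD-down events, counts child SA negotiations per second per gateway, and lists event IDs the reply does not cover. The line layout, the gateway names and the threshold of 3 are assumptions made for this example.

```python
import re
from collections import Counter

# Event IDs the reply above describes as routine SA lifecycle activity.
ROUTINE = {
    "ikev2-nego-ike-succ", "ikev2-nego-child-succ", "ikev2-nego-child-start",
    "ipsec-key-install", "ipsec-key-delete", "ipsec-key-expire",
    "ikev2-nego-stale-p2",
}
DPD_DOWN = "ikev2-nego-ike-dpd-dn"  # the one exception called out in the reply

# Assumed, constructed layout: "<date> <time> <event-id> <gateway-name>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)$")

# Constructed sample lines; gateway names are hypothetical.
SAMPLE = """\
2023/03/06 00:50:01 ikev2-nego-ike-succ gw-branch1
2023/03/06 00:50:01 ikev2-nego-child-start gw-branch1
2023/03/06 00:50:01 ikev2-nego-child-succ gw-branch1
2023/03/06 00:50:01 ipsec-key-install gw-branch1
2023/03/06 00:51:30 ikev2-nego-ike-dpd-dn gw-branch1
2023/03/06 00:52:10 ikev2-nego-child-start gw-branch2
2023/03/06 00:52:10 ikev2-nego-child-start gw-branch2
2023/03/06 00:52:10 ikev2-nego-child-start gw-branch2
2023/03/06 00:52:10 ikev2-recv-p2-delete gw-branch2
""".splitlines()

def triage(lines, churn_per_sec=3):
    """Return (dpd_down, churn, unexplained) for the given log lines."""
    dpd_down, unexplained, starts = [], [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, event, gw = m.groups()
        if event == DPD_DOWN:
            dpd_down.append((ts, gw))
        elif event not in ROUTINE:
            unexplained.append((ts, gw, event))
        if event == "ikev2-nego-child-start":
            starts[(ts, gw)] += 1
    # Gateways starting many child SAs within one second (threshold is an assumption).
    churn = {key: n for key, n in starts.items() if n >= churn_per_sec}
    return dpd_down, churn, unexplained

if __name__ == "__main__":
    dpd, churn, unexplained = triage(SAMPLE)
    print("DPD down:", dpd)
    print("Child SA churn:", churn)
    print("Not covered by the reply:", unexplained)
```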
03-08-2023 09:06 AM
Thanks for your help, Tom!!
05-07-2024 06:35 AM
Hello Tom,
I have a question somehow related to this post.
I am seeing a lot of events with a severity of informational, like the events below, over and over, with multiple of these events in a second.
Is it normal?
ikev2-nego-child-succ
ipsec-key-install
ikev2-nego-child-start
ikev2-recv-p2-delete
ipsec-key-delete
ikev2-send-p2-delete
ikev2-nego-ike-succ
ikev2-nego-child-succ
ipsec-key-install
ikev2-nego-child-start
ikev2-nego-ike-start