Rekey causes VPN tunnel to stop sending network traffic

Hello everybody, I'm having a weird issue with VPNs between a Palo Alto Cloud Firewall (PAN-OS 9.1.3-h) and Cisco Meraki Z3. All VPN tunnels are established properly, but after a random period of time, during the rekey step, a tunnel stays online but network traffic can't be sent anymore. We currently have 5 of these connections with the same issue.
I was able to capture a log, but I'm not able to troubleshoot it. I did some anonymization; see the link attached. LOG
On the Meraki side/log, you can see that there are two steps happening repeatedly on a working tunnel:
 
inbound CHILD_SA
outbound CHILD_SA
 
At the time the error occurs, the outbound step is missing.
Any ideas?
 
Here are the tunnel settings (IKEv2):

On Palo side

IPSec Crypto profile
IPSec Protocol: ESP
DH group: 2
Lifetime: 1h
Encryption: aes-256-gcm/cbc
Authentication: sha256

IKE Crypto profile
DH Group: group2
Encryption: aes-256-cbc
Authentication: sha256
Key Lifetime: 8h
IKEv2 Authentication Multiple: 5

On Meraki side

Phase 1
Encryption: AES 256
Authentication: SHA256
Pseudo-random Function: Defaults to Authentication
Diffie-Hellman group: 2
Lifetime (sec): 28800

Phase 2
Encryption: AES 256
Authentication: SHA256
PFS group: 2
Lifetime (sec): 3600

Palo Alto IKE GW Options
Passive mode: Enabled
NAT-T: Enabled
Advanced Options: Strict Cookie Validation turned off
Liveness Check Interval (sec): 5

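As an added example (not part of the original post, and not Palo Alto or Meraki code), here is a small Python script that scans IKEv2 log lines for the pattern the poster describes: an inbound CHILD_SA rekey event that is not followed by its outbound CHILD_SA counterpart. The log line format, the peer addresses, the timestamps and the 30-second pairing window are all assumptions; the sample lines are constructed, not taken from the attached log, so the regular expression will need adjusting to the real export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from the original post's attachment.
# Assumed line format: "<ISO timestamp> <peer-ip> <event text>".
# Peer 203.0.113.10 shows three healthy rekeys and one (11:00:03) where
# only the inbound CHILD_SA appears; peer 198.51.100.7 is healthy.
SAMPLE_LOG = """\
2020-10-01T08:00:00 203.0.113.10 IKE_SA established
2020-10-01T09:00:01 203.0.113.10 inbound CHILD_SA rekeyed
2020-10-01T09:00:01 203.0.113.10 outbound CHILD_SA rekeyed
2020-10-01T10:00:02 203.0.113.10 inbound CHILD_SA rekeyed
2020-10-01T10:00:02 203.0.113.10 outbound CHILD_SA rekeyed
2020-10-01T11:00:03 203.0.113.10 inbound CHILD_SA rekeyed
2020-10-01T12:00:05 203.0.113.10 inbound CHILD_SA rekeyed
2020-10-01T12:00:05 203.0.113.10 outbound CHILD_SA rekeyed
2020-10-01T09:00:01 198.51.100.7 inbound CHILD_SA rekeyed
2020-10-01T09:00:01 198.51.100.7 outbound CHILD_SA rekeyed
"""

# Matches only CHILD_SA lines and captures timestamp, peer and direction.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(inbound|outbound) CHILD_SA")


def parse_rekeys(text):
    """Return a list of (timestamp, peer, direction) for every CHILD_SA line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # IKE_SA lines and anything else are not rekey steps
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_half_rekeys(events, window=timedelta(seconds=30)):
    """Flag inbound CHILD_SA events with no outbound CHILD_SA inside `window`.

    Returns {peer: [timestamps of unmatched inbound events]}.
    A trailing inbound at the end of the log is flagged too; if the export
    was cut off mid-rekey, treat that last entry with care.
    """
    by_peer = defaultdict(list)
    for ts, peer, direction in events:
        by_peer[peer].append((ts, direction))

    problems = {}
    for peer, evs in by_peer.items():
        evs.sort()  # same timestamp: "inbound" sorts before "outbound"
        pending = None  # inbound CHILD_SA still waiting for its outbound half
        for ts, direction in evs:
            if direction == "inbound":
                if pending is not None:
                    # a new inbound arrived before the previous one was paired
                    problems.setdefault(peer, []).append(pending)
                pending = ts
            elif pending is not None and ts - pending <= window:
                pending = None  # healthy rekey: both halves present
            # an outbound with no pending inbound, or one arriving too late,
            # does not pair and is left for the next inbound to report
        if pending is not None:
            problems.setdefault(peer, []).append(pending)
    return problems


def analyse(text):
    """Parse the log text and return the half-rekey report."""
    return find_half_rekeys(parse_rekeys(text))


if __name__ == "__main__":
    for peer, stamps in analyse(SAMPLE_LOG).items():
        for ts in stamps:
            print(f"{peer}: inbound CHILD_SA at {ts.isoformat()} "
                  f"has no outbound CHILD_SA within 30s")
```

Run against the exported log (with LINE_RE adapted to its real format), the flagged peer and timestamp point at the tunnel and the rekey at which the outbound step went missing, which is the moment to line up against the Palo Alto side's IKE and IPSec logs.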