AWS-Palo VPN Phase-2 Rekeying

L3 Networker

Hi Team

We have an issue with AWS Site-to-Site VPN, where we can see continuous rekeying of Phase-2 tunnels. It's a PA-3220 HA pair. It started happening recently; previously, as we can see, the rekey happened only after the Lifetime expired (Phase-2 Lifetime set to 3600 sec on both Palo and AWS).

This VPN has been in place for over a year without issues, and we recently started seeing these rekeys every minute.

We have checked the Phase-1 and Phase-2 settings, which are similar, and in IKEMGR.log we see this every time a REKEY happens:

2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: no more child SA to be renegotiated! Check dup IKE SA for new_sa(sn 287321)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 286508) for (SN 287321)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Survice IKE_SA (SN 286508)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 287303) for (SN 286508)

The firewall removes the IKE SA as a duplicate IKE SA... we see this happening continuously.

We have already deleted/recreated this and tried to clear the VPN completely, but it is still happening.

Any leads would be appreciated.


TIA!!
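As an added defensive check (not from the original post or from Palo Alto Networks), the following Python parses IKEMGR.log lines in the format quoted above and flags a gateway whose "Found dup IKE SA" events recur far more often than the configured 3600 s Phase-2 lifetime. The sample log text is constructed, and the storm threshold (10% of the lifetime) is an assumed heuristic.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the IKEMGR.log line format quoted above (not a real capture):
# the same IKE gateway ({ 3: }) reports a duplicate IKE SA about once a minute.
SAMPLE_LOG = """\
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: no more child SA to be renegotiated! Check dup IKE SA for new_sa(sn 287321)
2024-04-09 11:16:21.933 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 286508) for (SN 287321)
2024-04-09 11:17:22.101 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 287321) for (SN 287340)
2024-04-09 11:18:21.877 -0400 [INFO]: { 3: }: Found dup IKE SA (SN 287340) for (SN 287358)
"""

# One log line: timestamp, UTC offset, level, IKE gateway id in braces, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tz>[+-]\d{4}) "
    r"\[(?P<level>\w+)\]: \{ (?P<gw>\d+): \}: (?P<msg>.*)$"
)
DUP_RE = re.compile(r"Found dup IKE SA \(SN (?P<old>\d+)\) for \(SN (?P<new>\d+)\)")


def dup_events(log_text):
    """Map gateway id -> list of (timestamp, old_sn, new_sn) for each 'Found dup IKE SA' line."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or truncated line
        d = DUP_RE.search(m["msg"])
        if not d:
            continue
        ts = datetime.strptime(m["ts"] + m["tz"], "%Y-%m-%d %H:%M:%S.%f%z")
        events.setdefault(m["gw"], []).append((ts, int(d["old"]), int(d["new"])))
    return events


def rekey_report(log_text, lifetime_sec=3600, storm_ratio=0.1):
    """Per gateway: dup-SA count, median seconds between them, and whether that is a
    rekey storm (median far below the configured Phase-2 lifetime; assumed threshold)."""
    report = {}
    for gw, evs in dup_events(log_text).items():
        evs.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        med = median(gaps) if gaps else None
        report[gw] = {
            "dup_count": len(evs),
            "median_interval_s": med,
            "storm": med is not None and med < lifetime_sec * storm_ratio,
        }
    return report
```

Run it over a real IKEMGR.log export and compare the median interval against your own Phase-2 lifetime; a healthy tunnel should rekey at roughly the lifetime, not every minute.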
