Hi folks. I have a situation with site-to-site VPNs on my Palo Altos which I could use some help diagnosing.
I have a number of remote teleworkers who have a company-provided Cisco 887 router, which is used to run a site-to-site IPSEC VPN to link into our internal network. This works fine in 99% of cases, but there's always one with an issue.
One of the remote users has a "naked DSL" service (unbundled local loop) - which means that she has no associated POTS phone line - and the Cisco 887 router doesn't do VoIP. This means that when she's *not* working, she unplugs our company Cisco and plugs in the ISP-provided router so she can use the VoIP phone. This ISP-provided device doesn't support IPSEC VPNs, so it doesn't attempt to initiate one.
However, *something* this remote worker is doing is leaving a process running *somewhere* in our internal network which causes the PAN device to try and initiate the VPN tunnel constantly - continually timing out, and trying again, vis-a-vis (IP addresses obfuscated):
IKE phase-1 SA is deleted SA: AAA.BBB.CCC.DDD[500]-WWW.XXX.YYY.ZZZ[500] cookie:10c77cfa24089c96:0000000000000000.
03/04 11:55:34 IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: AAA.BBB.CCC.DDD[500]-WWW.XXX.YYY.ZZZ[500] cookie:10c77cfa24089c96:0000000000000000. Due to timeout.
03/04 11:55:34 IKE phase-1 negotiation is started as initiator, main mode. Initiated SA: AAA.BBB.CCC.DDD[500]-WWW.XXX.YYY.ZZZ[500] cookie:10c77cfa24089c96:0000000000000000.
As you can see, this is being initiated by my PAN device, not by the remote end. Is there some command (CLI or GUI, I don't care) I can use to try and determine WHAT is causing the tunnel initiation? Exactly what interesting traffic is being used to kick off this negotiation?
I suspect she's leaving a connection running to *something* in the network which generates regular traffic at the other end (quite possibly a streaming audio source), but I need to find out what before I can get onto her and say "before you unplug your router, can you make sure you disconnect <THIS>, please, because it's causing additional load on the firewall". Thanks for any help!