I have a B2B tunnel with a business partner. There are 22 proxies, all defined host-to-host. The VPN peer is a Cisco firewall; I'm not sure of the model. Phase 2 lifetime is 8 hours.

One particular SA stops sending and receiving traffic at each Phase 2 re-negotiation. When this happens the SA shows active on my PA-3250 (PAN-OS 9.1.10) and on the partner's Cisco. On my side I see encaps and no decaps; on his side he doesn't see my traffic for this SA coming in. No other SAs in this tunnel experience this issue.

The only way I have found to recover from this is to either bounce the tunnel (not desirable, as it is in production and has other SAs that are just fine) or to remove the proxy for the affected host-to-host pair and re-add it. Either method works every time, until the next Phase 2 re-negotiation.

This tunnel is not new; it has been running fine for a year+. There is nothing particularly special about this tunnel as compared with my 80+ other B2B VPNs. This started happening about a week after upgrading from PAN-OS 9.0.13 to 9.1.10, but that is essentially the only change, and no other tunnels are affected.

What could be affecting a single SA like this and not affecting the others within the same tunnel? The Cisco engineer at the business partner site is competent. We've compared his encryption domain against my proxies. We've made sure our SPIs match. He's working the same issue from his side, and neither of us is pointing a finger at the other; it could be either firewall or both.

Thanks.
Pete
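The symptom described in the post (an SA that shows as active but has encaps growing with decaps frozen) is easy to miss until users complain. The following is an added example, not code from the post or from Palo Alto Networks: it takes two snapshots of per-proxy counters and flags the pairs that have gone one-way since the previous sample. The input format (one line per proxy pair: local, remote, encap count, decap count) is a constructed stand-in for whatever your firewall's CLI or API returns, so the parser would need to be adapted to the real output; the detection rule itself does not depend on that format.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str]


@dataclass(frozen=True)
class SaCounters:
    local: str   # local proxy-ID host
    remote: str  # remote proxy-ID host
    encap: int   # packets encrypted and sent on this SA
    decap: int   # packets received and decrypted on this SA


def parse_sa_table(text: str) -> Dict[Key, SaCounters]:
    """Parse a constructed 'local remote encap decap' table into a dict keyed by proxy pair.

    This format is an assumption for the example; real PAN-OS or Cisco output
    would need its own parser, but the returned structure is what matters.
    """
    rows: Dict[Key, SaCounters] = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        local, remote, encap, decap = line.split()
        rows[(local, remote)] = SaCounters(local, remote, int(encap), int(decap))
    return rows


def one_way_sas(before: Dict[Key, SaCounters],
                after: Dict[Key, SaCounters],
                min_encap_growth: int = 1) -> List[Key]:
    """Return proxy pairs whose encaps grew but decaps did not between two samples.

    Pairs that are new, or whose counters went backwards (a rekey or clear that
    reset them), are skipped because one interval is not enough to judge them.
    """
    stuck: List[Key] = []
    for key, cur in after.items():
        prev = before.get(key)
        if prev is None:
            continue
        if cur.encap < prev.encap or cur.decap < prev.decap:
            continue  # counters reset; wait for the next interval
        if cur.encap - prev.encap >= min_encap_growth and cur.decap == prev.decap:
            stuck.append(key)
    return sorted(stuck)


# Constructed sample snapshots, taken a few minutes apart. The 10.1.1.7 pair
# is the one that has gone one-way; the others are healthy or were just rekeyed.
SNAPSHOT_BEFORE = """
# local        remote         encap   decap
10.1.1.5      192.0.2.10     12000   11870
10.1.1.7      192.0.2.20      8400    8311
10.1.1.9      192.0.2.30       500     498
"""

SNAPSHOT_AFTER = """
# local        remote         encap   decap
10.1.1.5      192.0.2.10     12550   12402
10.1.1.7      192.0.2.20      8930    8311
10.1.1.9      192.0.2.30        40      39
"""


def report_one_way(before_text: str, after_text: str) -> List[str]:
    """Human-readable findings for the two samples, one line per stuck pair."""
    before = parse_sa_table(before_text)
    after = parse_sa_table(after_text)
    return [f"one-way SA: {local} -> {remote} (encaps rising, decaps frozen)"
            for local, remote in one_way_sas(before, after)]


if __name__ == "__main__":
    for line in report_one_way(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(line)
```

Run this from a scheduler at an interval shorter than the Phase 2 lifetime so that a failed rekey is caught before users notice; a pair flagged twice in a row is a strong signal, while a single hit can be an idle host on the far side.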