We have a VPN between Palo Alto and Cisco FMC/FTD. There is user and server traffic on the VPN. VPN status is stable. I don't have any user complaining about disconnection, but I am seeing disconnection on a specific proxy ID. All of a sudden I am getting ICMP request time out on a working connection. I face request time out when the ping is from a server which is behind Palo Alto. To bring the connection up, either I need to generate interesting traffic from FMC or ping from the server which is behind FMC. This resolves the request time out issue from the server which is behind Palo Alto. I don't understand what could be the reason behind this specific connection.

Request time out started, checked vpn flow:

yshaikhadmin@SPDORC-FW02(active)> show vpn flow tunnel-id 358

tunnel Orbit:test-mig-1
    id: 358
    type: IPSec
    gateway id: 9
    local ip: x
    peer ip: x
    inner interface: tunnel.17
    outer interface: ethernet1/1
    state: active
    session: 444419
    tunnel mtu: 1428
    lifetime remain: 2475 sec
    lifesize remain: 4607944 kb
    latest rekey: 1125 seconds ago
    monitor: off
    monitor packets seen: 0
    monitor packets reply: 0
    en/decap context: 5679
    local spi: 9F518E95
    remote spi: 8EBEAD75
    key type: auto key
    protocol: ESP
    auth algorithm: SHA1
    enc algorithm: AES256
    proxy-id:
        local ip: x
        remote ip: x
        protocol: 0
        local port: 0
        remote port: 0
    anti replay check: no
    copy tos: no
    authentication errors: 0
    decryption errors: 0
    inner packet warnings: 0
    replay packets: 0
    packets received
        when lifetime expired: 0
        when lifesize expired: 0
    sending sequence: 645
    receive sequence: 0
    encap packets: 58580
    decap packets: 14429
    encap bytes: 5230576
    decap bytes: 1274216
    key acquire requests: 1
    owner state: 0
    owner cpuid: s1dp0
    ownership: 1

When I started a ping from the server behind Cisco FMC, the ping was restored. I can see that rekeying happens.

tunnel Orbit:test-mig-1
    id: 358
    type: IPSec
    gateway id: 9
    local ip: x
    peer ip: x
    inner interface: tunnel.17
    outer interface: ethernet1/1
    state: active
    session: 197328
    tunnel mtu: 1428
    lifetime remain: 3594 sec
    lifesize remain: 4607999 kb
    latest rekey: 6 seconds ago
    monitor: off
    monitor packets seen: 0
    monitor packets reply: 0
    en/decap context: 391
    local spi: 8D78AF05
    remote spi: 90040096
    key type: auto key
    protocol: ESP
    auth algorithm: SHA1
    enc algorithm: AES256
    proxy-id:
        local ip: x
        remote ip: x
        protocol: 0
        local port: 0
        remote port: 0
    anti replay check: no
    copy tos: no
    authentication errors: 0
    decryption errors: 0
    inner packet warnings: 0
    replay packets: 0
    packets received
        when lifetime expired: 0
        when lifesize expired: 0
    sending sequence: 4
    receive sequence: 0
    encap packets: 58593
    decap packets: 14433
    encap bytes: 5231720
    decap bytes: 1274568
    key acquire requests: 1
    owner state: 0
    owner cpuid: s1dp0
    ownership: 1

yshaikhadmin@SPDORC-FW02(active)>

I think after the rekeying process, somehow Palo Alto is not able to keep this connection alive, not sure why.
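Added example, not code from the poster or from Palo Alto: a small Python check that parses two `show vpn flow tunnel-id` snapshots of the same tunnel (constructed here, shaped like the dumps above, with made-up SPIs and counters) and flags the pattern worth looking for in this thread, encap packets climbing while decap packets stay flat right after the SPIs changed.

```python
import re

# Constructed snapshots shaped like the `show vpn flow tunnel-id` output quoted above.
# SPIs and counters are illustrative, not the poster's real values.
FLOW_HEALTHY = (
    "state: active latest rekey: 900 seconds ago local spi: 11111111 remote spi: 22222222 "
    "sending sequence: 600 receive sequence: 0 encap packets: 58000 decap packets: 14000"
)
FLOW_AFTER_REKEY = (
    "state: active latest rekey: 6 seconds ago local spi: 33333333 remote spi: 44444444 "
    "sending sequence: 40 receive sequence: 0 encap packets: 58040 decap packets: 14000"
)

FIELDS = ("latest rekey", "local spi", "remote spi", "sending sequence",
          "receive sequence", "encap packets", "decap packets")

def parse_vpn_flow(text):
    """Extract the rekey/counter fields from a flattened or multi-line dump."""
    parsed = {}
    for name in FIELDS:
        m = re.search(re.escape(name) + r":\s*([0-9A-Fa-f]+)", text)
        if m is None:
            raise ValueError("missing field: " + name)
        value = m.group(1)
        # SPIs are hex identifiers; everything else is a counter or an age in seconds.
        parsed[name] = value.upper() if name.endswith("spi") else int(value)
    return parsed

def diagnose(before, after):
    """Compare two snapshots of one tunnel and classify the traffic pattern between them."""
    b, a = parse_vpn_flow(before), parse_vpn_flow(after)
    rekeyed = (b["local spi"], b["remote spi"]) != (a["local spi"], a["remote spi"])
    sent = a["encap packets"] - b["encap packets"]
    received = a["decap packets"] - b["decap packets"]
    finding = {"rekeyed": rekeyed, "sent": sent, "received": received, "one_way": False}
    if sent == 0 and received == 0:
        finding["verdict"] = "idle: no traffic on this proxy-id between samples"
    elif sent > 0 and received == 0:
        # Encapsulating locally while decap stays flat is the symptom described in the post:
        # this side is sending on the new SA but nothing comes back on it.
        finding["one_way"] = True
        if rekeyed:
            finding["verdict"] = ("one-way after rekey %d s ago: compare the peer's child SA "
                                  "against SPIs %s/%s" % (a["latest rekey"], a["local spi"], a["remote spi"]))
        else:
            finding["verdict"] = "one-way without rekey: check routing and policy on the return path"
    else:
        finding["verdict"] = "bidirectional"
    return finding
```

Taking the two snapshots a minute apart during the outage, and again after a ping from the FMC side brings it back, shows whether the decap counter only moves once the peer initiates on the new SA.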