VPN to Azure dropouts


I have searched high and low for this and found a few articles regarding IKE configuration and nothing seems to fix it.

PAN 3020 v7.0.5. IKE 2 VPN to Azure. The VPN works but around every 50 minutes the tunnel drops out for a few minutes then re-establishes. I have tried various different IKE and IPsec settings as per advice from Palo Alto articles, Microsoft Azure articles and settings from a comment against a Palo Alto article that the commenter said worked. No joy.

From the Azure console there is no way of checking IPsec settings.

Any help would be good.


Update from Support:

Just wanted to give you an update after doing further research, the problem may not lie with Microsoft Azure but instead it is likely a bug on PAN OS 7.0.5 where PAN doesn't send a delete SA packet during a Child SA rekeying (phase 2) in IKEv2. This happens when PAN is the initiator for Child SA rekey (Phase 2) so the workaround to this is still the same as what was indicated in my previous email which is to increase Phase 2 lifetime on PAN from 3600s to a value that is longer than MS Azure Phase 2 lifetime. With this approach, Microsoft Azure will always be the initiator for phase 2 rekeying process.

I have set the phase 2 lifetime at 5400 secs and it seems stable.
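As an added illustration (not code from the thread or from Palo Alto), the script below parses IKE log lines of the shape quoted later in this thread, measures the cadence between IKE exchanges so it can be compared with the ~50 minute dropout cycle, and reports which side is expected to initiate the phase 2 rekey from the two configured lifetimes, which is the relationship the support workaround relies on. The sample log, the handle values and the 3600 s peer lifetime are constructed placeholders, not values taken from Azure.

```python
import re
from datetime import datetime

# Shape of the timestamped PAN-OS IKE log lines quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\]: "
    r"(?P<pid>\d+):(?P<src>\S+) - (?P<dst>[^:\s]+):(?P<handle>0x[0-9a-f]+):(?P<msg>.*)$")

# Constructed sample: three IKE exchanges (distinct handles) 50 minutes apart.
SAMPLE_LOG = """\
2016-09-08 10:05:30 [PROTO_WARN]: 15994:x.x.x.x[500] - x.x.x.x[500]:0x9247c08:vendor id payload ignored
2016-09-08 10:05:30 [PROTO_WARN]: 15994:x.x.x.x[500] - x.x.x.x[500]:0x9247c08:vendor id payload ignored
2016-09-08 10:05:31 [PROTO_WARN]: 15994:x.x.x.x[500] - x.x.x.x[500]:0x9247c08:ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
2016-09-08 10:55:30 [PROTO_WARN]: 15994:x.x.x.x[500] - x.x.x.x[500]:0x9248a10:vendor id payload ignored
2016-09-08 10:55:30 [PROTO_WARN]: 15994:x.x.x.x[500] - x.x.x.x[500]:0x9248a10:vendor id payload ignored
2016-09-08 11:45:30 [PROTO_WARN]: 15994:x.x.x.x[500] - x.x.x.x[500]:0x9249b22:vendor id payload ignored
"""

def parse_ike_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events

def negotiation_starts(events):
    """First timestamp per (pid, handle): each new handle is a fresh IKE exchange."""
    seen = {}
    for e in events:
        seen.setdefault((e["pid"], e["handle"]), e["ts"])
    return sorted(seen.values())

def rekey_intervals(starts):
    """Seconds between consecutive exchanges: the cadence to line up with the dropouts."""
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]

def expected_initiator(local_lifetime_s, peer_lifetime_s):
    """The side with the shorter phase 2 lifetime reaches rekey time first and initiates;
    the thread's workaround makes the peer (Azure) that side."""
    if local_lifetime_s < peer_lifetime_s:
        return "local"
    if peer_lifetime_s < local_lifetime_s:
        return "peer"
    return "either"

if __name__ == "__main__":
    print("rekey intervals (s):", rekey_intervals(negotiation_starts(parse_ike_log(SAMPLE_LOG))))
    # 3600 s for the peer is an assumed placeholder, not a documented Azure value.
    print("initiator, PAN 3600 s vs peer 3600 s:", expected_initiator(3600, 3600))
    print("initiator, PAN 5400 s vs peer 3600 s:", expected_initiator(5400, 3600))
```

Intervals that land at or just under the firewall's own phase 2 lifetime, with the firewall the shorter-lifetime side, are the pattern the support note describes; after raising the local lifetime above the peer's, the expected initiator flips to the peer.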

Hello mate,

 

Good to know. We are running this VPN on the 7.1.3 PANOS so no problem with these CHILD_SA timers. Glad it is sorted now.

 

Cheers,

Myky

I ran into a similar issue with Cisco ASA.  IPSEC tunnels have been around for a very long time, and as long as you are very specific about the proposals and all the rest, it's solid. So  I doubt the issue is with the IPSEC-tunnel setup on the client-side.  The Microsoft-side is a different story, since you have no visibility whatsoever.

 

First, verify that your onprem/azure network definitions match exactly on either end of the tunnel. Next, count how many networks you've defined for your onprem side. Microsoft has a very poorly documented artificial limitation on the default number of networks you can define for onprem. It's something like 25 or 50. So, if you have more subnets defined, then you will experience random disconnections. The tunnel itself will be up, but you won't be able to reach anything for anywhere from 1-15 minutes.

 

Good luck!

Hello,

 

It has been some time. I know your tunnel is up and running now. Could you please confirm for me if you are getting these warning messages:

 

2016-09-08 10:05:30 [PROTO_WARN]: 15994:x.x.x.x[500] - x.x.x.x[500]:0x9247c08:vendor id payload ignored
2016-09-08 10:05:30 [PROTO_WARN]: 15994:x.x.x.x[500] - x.x.x.x[500]:0x9247c08:vendor id payload ignored
2016-09-08 10:05:30 [PROTO_WARN]: 15994:x.x.x.x[500] - x.x.x.x[500]:0x9247c08:vendor id payload ignored
2016-09-08 10:05:30 [PROTO_WARN]: 15994:x.x.x.x[500] - x.x.x.x[500]:0x9247c08:vendor id payload ignored

 

Messages are from the IKE SA renegotiating; you should see them every 24 or so.

 

Cheers,

Myky

I do see them but not regularly. Every few days maybe. I am not actively monitoring the tunnel as it was a pilot for VM deployment to Azure so not in production.

 

general informational 858:x.x.x.x[500] - x.x.x.x[500]:0x8f13fa0:vendor id payload ignored
general informational 858:x.x.x.x[500] - x.x.x.x[500]:0x8f13fa0:vendor id payload ignored
general informational 858:x.x.x.x[500] - x.x.x.x[500]:0x8f13fa0:vendor id payload ignored
general informational 858:x.x.x.x[500] - x.x.x.x[500]:0x8f13fa0:vendor id payload ignored
general informational 858:x.x.x.x[500] - x.x.x.x[500]:0x8f13fa0:ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
general informational 858:x.x.x.x[500] - x.x.x.x[500]:0x8f13fa0:ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
general informational 855:x.x.x.x[500] - x.x.x.x[500]:0x8f12fd8:vendor id payload ignored
general informational 855:x.x.x.x[500] - x.x.x.x[500]:0x8f12fd8:vendor id payload ignored
general informational 855:x.x.x.x[500] - x.x.x.x[500]:0x8f12fd8:vendor id payload ignored
general informational 855:x.x.x.x[500] - x.x.x.x[500]:0x8f12fd8:vendor id payload ignored
general informational 855:x.x.x.x[500] - x.x.x.x[500]:0x8f12fd8:ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
general informational 855:x.x.x.x[500] - x.x.x.x[500]:0x8f12fd8:ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)

What was the solution?

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com