IPsec VPN between Fortigate and Palo Alto (slowness)


Hello, I've established a VPN with a Fortigate using a PA-1410. Connections are extremely slow. Can someone provide some guidance to troubleshoot the issue, please? Here are some outputs.


tunnel  X:XX
        id:                     35
        type:                   IPSec
        gateway id:             14
        local ip:               X.X.X.X
        peer ip:                X.X.X.X
        inner interface:        tunnel.9
        outer interface:        ethernet1/1
        state:                  active
        session:                837652
        tunnel mtu:             1400
        soft lifetime:          3510
        hard lifetime:          3600
        lifetime remain:        3599 sec
        lifesize remain:        4607999 kb
        latest rekey:           1 seconds ago
        monitor:                off
          monitor packets seen: 0
          monitor packets reply:0
        en/decap context:       4371
        local spi:              DD9790D6
        remote spi:             B55B01EA
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA1
        enc  algorithm:         AES128
        traffic selector:
          protocol:             0
          local ip range:       10.72.X.X - 10.72.X.X
          local port range:     0 - 65535
          remote ip range:      10.35.X.X - 10.35.X.X
          remote port range:    0 - 65535
        ipsec mode:             tunnel
        anti replay check:      yes
        anti replay window:     1024
        copy tos:               no
        enable gre encap:       no
        initiator:              yes
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       1
        receive sequence:       0
        encap packets:          30292
        decap packets:          8730
        encap bytes:            6511296
        decap bytes:            4974032
        encap IPv4 packets:     30292
        decap IPv4 packets:     8730
        encap IPv4 bytes:       6511296
        decap IPv4 bytes:       4974032
        encap IPv6 packets:     0
        decap IPv6 packets:     0
        encap IPv6 bytes:       0
        decap IPv6 bytes:       0
        key acquire requests:   1
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1


Cyber Elite

What do you use to measure speed?

Packet loss?

Fragmentation?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

The server takes too long to answer. Websites do not load, or take 5 to 10 minutes to load.


Hello, I've found an error... the IPsec SA keeps being established and going down every second or two. I don't know why, but at least it's a clue.

[attached screenshot: luishoracioarizaga_0-1715178295937.png]


Cyber Elite

This points to mismatched proxy-IDs.

Check that the encryption domain / proxy-ID is exactly the same on both sides.

If you switch temporarily to IKEv1, then you can see in the system log what proxy-IDs the Fortigate sends to the Palo.

Otherwise you need to troubleshoot in the CLI to get this info.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hello, just for everybody's information... Actually the VPN tunnel was being established and closed every two seconds or so. I could check this in the logs. On the monitoring part of the firewall everything seemed normal (Network => IPsec Tunnels), but the TS associations were going up and down and traffic was being impacted, of course. To check the logs, go to Monitor => System and look for this kind of message (I've filtered using the SPI id in the description). Look for TS association errors => this means the proxy IDs aren't matching between your Palo Alto firewall and the FW on the other end. You need exact matches. We replaced an ASA with a Palo Alto and the same configuration for crypto maps was not working. Hope this helps someone in the future :).


[attached screenshot: luishoracioarizaga_1-1715350966293.png]
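An added example (not from the thread or from Palo Alto Networks) that parses the tunnel output the original poster pasted and checks the two things the replies point at: whether the SA has just been rebuilt (the constant rekey symptom) and whether a peer's proxy-ID mirrors the Palo Alto's traffic selector exactly. The Fortigate-side selectors are constructed, and the address ranges are made-up stand-ins for the masked 10.72.X.X / 10.35.X.X ranges in the post.

```python
import re

# Constructed excerpt modelled on the "tunnel" output in the question above;
# the /24 ranges stand in for the masked addresses and are not real.
TUNNEL_OUTPUT = """\
        soft lifetime:          3510
        hard lifetime:          3600
        lifetime remain:        3599 sec
        latest rekey:           1 seconds ago
        traffic selector:
          protocol:             0
          local ip range:       10.72.0.0 - 10.72.0.255
          local port range:     0 - 65535
          remote ip range:      10.35.0.0 - 10.35.0.255
          remote port range:    0 - 65535
        sending sequence:       1
        encap packets:          30292
"""

# Constructed Fortigate-side proxy-IDs in the same (proto, local, lport, remote, rport)
# shape: one that mirrors the Palo Alto exactly, one off by a narrower remote range.
FORTIGATE_SELECTOR = ("0", "10.35.0.0 - 10.35.0.255", "0 - 65535",
                      "10.72.0.0 - 10.72.0.255", "0 - 65535")
FORTIGATE_SELECTOR_BAD = ("0", "10.35.0.0 - 10.35.0.255", "0 - 65535",
                          "10.72.0.0 - 10.72.0.127", "0 - 65535")

def parse_tunnel(text):
    """Turn the indented 'key: value' lines into a dict keyed by the field name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w /]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def selector(fields):
    """The Palo Alto side's traffic selector as (proto, local, lport, remote, rport)."""
    return (fields["protocol"], fields["local ip range"], fields["local port range"],
            fields["remote ip range"], fields["remote port range"])

def flapping_indicators(fields):
    """fresh_sa: remaining lifetime is within 5 s of the hard lifetime, i.e. the SA was
    just (re)built. seq_reset: tiny send sequence despite a large encap count, which
    assumes (as the posted output suggests) the packet counters survive a rekey."""
    remain = int(fields["lifetime remain"].split()[0])
    fresh = int(fields["hard lifetime"]) - remain <= 5
    reset = int(fields["sending sequence"]) < 100 and int(fields["encap packets"]) > 1000
    return {"fresh_sa": fresh, "seq_reset": reset}

def proxy_ids_match(local_sel, peer_sel):
    """Exact mirrored match: the peer's local must equal our remote and vice versa."""
    proto, lip, lport, rip, rport = local_sel
    p_proto, p_lip, p_lport, p_rip, p_rport = peer_sel
    return (proto == p_proto and lip == p_rip and lport == p_rport
            and rip == p_lip and rport == p_lport)
```

Run against a real "show vpn ipsec-sa tunnel <name>" capture, a fresh_sa result on every poll together with a non-mirrored peer selector is the pattern the accepted answer describes.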
