1475 Views | 0 Helpful | 4 Replies

Tunnel between FMC and FTD (both version 6.6.1) won't renegotiate with Palo PA-850 (version 9.1.3) after power loss - must clear sa

ABaker94985
Spotlight

We have a remote location running a PA-850 that has a site-to-site VPN tunnel built to a FTD 2140. The tunnel initially builds OK, and can run months without any problem. The issue is when the remote location loses power and the PA-850 hard boots. The FTD still shows Phase 1 active and Phase 2 shows MM_WAIT_MSG2 or MM_WAIT_MSG4 during renegotiation. My apologies, but I didn't keep the debug messages. If I clear the phase 1 SA, the tunnel comes right up.

We migrated to the FTD/FMC in January, and prior to that we had an ASA running ASA firmware. We never had this problem until we moved to the FTD. 

Does anyone have an idea as to what I might check out? Thanks

4 Replies

Francesco Molino
VIP Alumni

Hi

Can you share the output of the following commands:

- sh crypto ikev1 sa

- sh crypto ipsec sa

Also, have you validated that the configs still match on both sides?

I understand you haven't saved the debug outputs, but is there any possibility you can run them again and share that information?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for the response, Francesco.

The tunnel is currently up, and I've confirmed the configs match on both sides, and I've also confirmed the VPN configs match between the FTD and the old ASA that never had problems. 

The 'show crypto' commands and the 'debug crypto' commands all look normal when the tunnel is functioning. The tunnel has absolutely no issues until the remote side loses power. We went from early January through mid April before the first power loss, and the tunnel never once hiccupped during this time period. We've had two power losses this month, and the tunnel didn't come up after either.

I'm pretty sure that once the phase 1 timer expired, it would have renegotiated properly - we may decrease the timers. I'm also pretty certain that if the remote side never loses power, the tunnel won't have any problems. I may have to wait for the VPN to break again and put in the debug results.

Can you share your config of tunnel-group?

You should have dpd to tear down the session if the power is gone too long.

What are your timers today?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

DPD is configured. In the FMC under this site-to-site VPN | Advanced | IKE settings, IKE keepalive is set to enable, threshold is set to 10 seconds, retry interval is set to 2 seconds, Identity is set to autoOrDN, and Peer Identity Validation is Required. Here is the tunnel-group info:

firepower# sh runn | be tunnel-group Peer_IP
tunnel-group Peer_IP type ipsec-l2l
tunnel-group Peer_IP general-attributes
default-group-policy .DefaultS2SGroupPolicy
tunnel-group Peer_IP ipsec-attributes
ikev1 pre-shared-key *****

IKE lifetime has been decreased from 86400 to 3600 seconds, and IPSec lifetime was decreased from 28800 to 1200 seconds. We've not had a recent event, so I'm not sure if this will help.

I did try to add the following with flexconfig, but nothing changed on the CLI:

tunnel-group Peer_IP ipsec-attributes
isakmp keepalive threshold 10 retry 2
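The symptom in this thread is an IKEv1 SA that stays parked in MM_WAIT_MSG2 or MM_WAIT_MSG4 after the peer reboots, which only a manual clear resolves. As an added example (not from the thread or from Cisco's tooling), here is a small parser for the per-peer entries of "show crypto ikev1 sa" that flags SAs stuck in a main-mode wait state so a monitoring job can alert on them; the sample output is constructed and the peer addresses are placeholders.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of "show crypto ikev1 sa" output in the ASA/FTD layout.
# The peer addresses are placeholders, not the poster's real peers.
SAMPLE_IKEV1_SA = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 198.51.100.20
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
2   IKE Peer: 203.0.113.40
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# Main-mode states that mean the SA is still mid-negotiation. An SA that
# lingers here after the remote peer hard-booted is the symptom in the thread.
STUCK_STATES = {"MM_WAIT_MSG2", "MM_WAIT_MSG4", "MM_WAIT_MSG6"}

@dataclass
class IkeSa:
    peer: str
    sa_type: str
    role: str
    state: str

def parse_ikev1_sa(text: str) -> list[IkeSa]:
    """Parse each 'IKE Peer' entry of the show output into an IkeSa record."""
    entry_re = re.compile(
        r"IKE Peer:\s*(?P<peer>\S+)\s*\n"
        r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)\s*\n"
        r"\s*Rekey\s*:\s*\S+\s+State\s*:\s*(?P<state>\S+)"
    )
    return [IkeSa(m["peer"], m["type"], m["role"], m["state"])
            for m in entry_re.finditer(text)]

def stuck_peers(text: str) -> list[str]:
    """Return the peers whose IKEv1 SA sits in a main-mode wait state."""
    return [sa.peer for sa in parse_ikev1_sa(text) if sa.state in STUCK_STATES]

if __name__ == "__main__":
    for peer in stuck_peers(SAMPLE_IKEV1_SA):
        print(f"IKEv1 SA to {peer} is stuck; consider: clear crypto ikev1 sa {peer}")
```

A single snapshot can catch an SA that is legitimately still negotiating, so alert only when the same peer stays in a wait state across two consecutive polls spaced wider than the DPD threshold plus retries.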
