ASA to Palo Alto VPN

irbk, Level 1

Hello Experts!

I'm setting up a new VPN tunnel to a partner: ASA on our side, Palo Alto on theirs. When the tunnel connects, it seems to run fine. However, should the tunnel go down, it will not come back up unless they initiate the traffic. They claim that both sides can initiate traffic, but my logs seem to disagree. It looks to me like we send a packet to them to establish the tunnel, wait, don't get any response, so we try again, wait, don't get any response, so we try again, until we finally just give up. Can you see something different in the logs?

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (1773): Setting configured policies
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (1773): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2-PROTO-4: (1773): Request queued for computation of DH key
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (1773): Action: Action_Null
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (1773): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (1773): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): AES-CBC(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2
IKEv2-PROTO-4: (1773): IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1773): AES-CBC(1773): SHA1(1773): SHA256(1773): DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-4: (1773): IKE Proposal: 3, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1773): AES-CBC(1773): SHA256(1773): SHA256(1773): DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-4: (1773): IKE Proposal: 4, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1773): AES-CBC(1773): SHA1(1773): SHA512(1773): DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-4: (1773): IKE Proposal: 5, SPI size: 0 (initial negotiation),
Num. transforms: 8
(1773): AES-CBC(1773): SHA512(1773): SHA384(1773): SHA256(1773): SHA1(1773): MD5(1773): SHA256(1773): DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-4: (1773): IKE Proposal: 6, SPI size: 0 (initial negotiation),
Num. transforms: 8
(1773): AES-CBC(1773): SHA512(1773): SHA384(1773): SHA256(1773): SHA1(1773): MD5(1773): SHA512(1773): DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-4: (1773): IKE Proposal: 7, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): AES-CBC(1773): SHA256(1773): SHA1(1773): SHA256(1773): DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-4: (1773): IKE Proposal: 8, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1773): AES-CBC(1773): SHA1(1773): SHA256(1773): DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-4: (1773): IKE Proposal: 9, SPI size: 0 (initial negotiation),
Num. transforms: 7
(1773): AES-CBC(1773): SHA512(1773): SHA384(1773): SHA256(1773): SHA1(1773): SHA512(1773): DH_GROUP_521_ECP/Group 21
IKEv2-PROTO-4: (1773): IKE Proposal: 10, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): AES-CBC(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2
IKEv2-PROTO-4: (1773): IKE Proposal: 11, SPI size: 0 (initial negotiation),
Num. transforms: 7
(1773): AES-CBC(1773): SHA512(1773): SHA384(1773): SHA256(1773): SHA1(1773): SHA256(1773): DH_GROUP_384_ECP/Group 20
IKEv2-PROTO-4: (1773): IKE Proposal: 12, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): AES-CBC(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2
IKEv2-PROTO-4: (1773): IKE Proposal: 13, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): 3DES(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2
IKEv2-PROTO-4: (1773): IKE Proposal: 14, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): DES(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):
Payload contents:
(1773): SA(1773): Next payload: KE, reserved: 0x0, length: 772
(1773): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(1773): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(1773): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 4, Protocol id: IKE, SPI size: 0, #trans: 4(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last proposal: 0x2, reserved: 0x0, length: 76
Proposal: 5, Protocol id: IKE, SPI size: 0, #trans: 8(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: MD5
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last proposal: 0x2, reserved: 0x0, length: 76
Proposal: 6, Protocol id: IKE, SPI size: 0, #trans: 8(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: MD5
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 7, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 8, Protocol id: IKE, SPI size: 0, #trans: 4(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(1773): last proposal: 0x2, reserved: 0x0, length: 68
Proposal: 9, Protocol id: IKE, SPI size: 0, #trans: 7(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(1773): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 10, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(1773): last proposal: 0x2, reserved: 0x0, length: 68
Proposal: 11, Protocol id: IKE, SPI size: 0, #trans: 7(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
(1773): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 12, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(1773): last proposal: 0x2, reserved: 0x0, length: 48
Proposal: 13, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(1773): last proposal: 0x0, reserved: 0x0, length: 48
Proposal: 14, Protocol id: IKE, SPI size: 0, #trans: 5(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: DES
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(1773): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(1773): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(1773): KE(1773): Next payload: N, reserved: 0x0, length: 200
(1773): DH group: 5, Reserved: 0x0
(1773):
(1773): 54 8a 75 ca 48 5d 15 44 19 5b fc 78 37 4a dc 08
(1773): 67 02 18 f1 33 d4 78 60 00 9c 07 0d ba 2e 0a a7
(1773): da f4 80 8b b9 0f ef 2b fc ed 69 85 92 1f 18 1d
(1773): 71 32 83 a0 b6 c1 db fa aa e1 7d 95 47 12 d4 6e
(1773): 47 6c c8 1e 05 f9 f5 8c 95 6a 7b bf 2f 96 fc a9
(1773): a2 9e e8 4b 84 9c d4 aa 01 1c d4 ff 64 7a c7 e9
(1773): 03 f0 f5 c0 09 d2 c4 25 a9 65 a6 85 fb 2b 1b 8c
(1773): 80 54 41 c3 a7 03 4b 8d 88 09 b1 bf 1e 1e 5b 79
(1773): 92 e3 0e 18 32 b1 f7 e0 ae ef 1f 8b f0 2e 9a 9e
(1773): 7c b0 6c 3a b6 1f 5f a7 50 52 6c 6c ca 7c 68 29
(1773): 51 89 b7 ff 02 9b 89 1e 03 f7 5a 88 da f1 f8 a1
(1773): 85 49 ed df 63 b1 70 40 3e 21 b0 e4 71 e3 bb 49
(1773): N(1773): Next payload: VID, reserved: 0x0, length: 68
(1773):
(1773): 6a 08 4f 40 76 39 b7 35 0c 2b a9 8d 10 69 87 3c
(1773): 37 24 08 68 c0 28 3c f5 f8 40 bd 97 f6 8b 9f bd
(1773): 25 a4 09 a8 6f f5 72 7a a9 73 a9 bf f6 e2 43 00
(1773): ee b0 92 b7 81 fe d0 88 4e 2a e1 a8 a9 fd 45 72
(1773): VID(1773): Next payload: VID, reserved: 0x0, length: 23
(1773):
(1773): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(1773): 53 4f 4e
(1773): VID(1773): Next payload: NOTIFY, reserved: 0x0, length: 59
(1773):
(1773): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(1773): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(1773): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(1773): 73 2c 20 49 6e 63 2e
(1773): NOTIFY(NAT_DETECTION_SOURCE_IP)(1773): Next payload: NOTIFY, reserved: 0x0, length: 28
(1773): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(1773):
(1773): b1 b8 6f 4e 95 e9 35 4b de f2 e1 ae 79 50 06 12
(1773): d8 81 e9 62
(1773): NOTIFY(NAT_DETECTION_DESTINATION_IP)(1773): Next payload: NOTIFY, reserved: 0x0, length: 28
(1773): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(1773):
(1773): ce 20 67 9b db 8a d3 da 7e 1e 59 a7 4f 74 af d9
(1773): c6 4c c1 59
(1773): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(1773): Next payload: VID, reserved: 0x0, length: 8
(1773): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(1773): VID(1773): Next payload: NONE, reserved: 0x0, length: 20
(1773):
(1773): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(1773):
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (1773): Insert SA
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet

For the sake of space, I'll summarize from here on...

(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
(1773):
IKEv2-PROTO-4: (1773): Sending Packet [To 52.x.x.x:500/From 173.x.x.x:500/VRF i0:f0]
(1773): Initiator SPI : 573E7B9E117A16B0 - Responder SPI : 0000000000000000 Message id: 0
(1773): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-5: (1773): Next payload: SA, version: 2.0 (1773): Exchange type: IKE_SA_INIT, flags: INITIATOR (1773): Message id: 0, length: 1234(1773):

IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-2: (1773): Maximum number of retransmissions reached
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_FAIL
IKEv2-PROTO-4: (1773): Failed SA init exchange
IKEv2-PROTO-2: (1773): Initial exchange failed
IKEv2-PROTO-2: (1773): Initial exchange failed
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (1773): Abort exchange
IKEv2-PROTO-4: (1773): Deleting SA

Am I missing something? TIA!

54 Replies
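The debug in the post already answers the initiator question, and it is worth being able to pull that answer out mechanically rather than by scrolling. The following Python script is an added example, not from the original post or from Cisco: it reads `debug crypto ikev2 protocol` output of the kind shown (one proposal summary per line), counts how often the initiator retransmitted IKE_SA_INIT, records whether anything ever came back from the peer, and audits the offered proposals for legacy transforms (the trace above offers DES, 3DES, MD5 and 1024/1536-bit MODP groups alongside the strong ones). The SAMPLE text is constructed from lines in the post; the (1773) session id and the SPI values are placeholders copied from there. One assumption is labelled in the code: while the SA sits in I_WAIT_INIT, an event other than the timer events is taken to mean a reply arrived. The point this makes explicit: a responder SPI that stays all-zeros through EV_RE_XMT_EXCEED means no IKE_SA_INIT reply of any kind was received. A peer that dislikes every proposal still answers, with a NO_PROPOSAL_CHOSEN notify, and a wrong pre-shared key is only detected in IKE_AUTH, so neither is what this trace is showing; something between the two gateways (or the peer's willingness to answer this initiator at all) is the first thing to check.

```python
"""Triage of Cisco ASA 'debug crypto ikev2 protocol' output.

Added example, not from the original thread or from Cisco. SAMPLE is
constructed from lines in the post (one proposal summary per line); the
(1773) session id and the SPI values are placeholders copied from there.
"""
import re
from collections import defaultdict

SAMPLE = """\
IKEv2-PROTO-4: (1773): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): AES-CBC(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2
IKEv2-PROTO-4: (1773): IKE Proposal: 3, SPI size: 0 (initial negotiation),
Num. transforms: 4
(1773): AES-CBC(1773): SHA256(1773): SHA256(1773): DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-4: (1773): IKE Proposal: 14, SPI size: 0 (initial negotiation),
Num. transforms: 5
(1773): DES(1773): SHA1(1773): SHA96(1773): DH_GROUP_1536_MODP/Group 5(1773): DH_GROUP_1024_MODP/Group 2
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT
IKEv2-PROTO-4: (1773): Retransmitting packet
IKEv2-PROTO-7: (1773): SM Trace-> SA: I_SPI=573E7B9E117A16B0 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RE_XMT_EXCEED
IKEv2-PROTO-2: (1773): Maximum number of retransmissions reached
IKEv2-PROTO-2: (1773): Initial exchange failed
"""

# Transform ids (spelled as the ASA debug prints them) you would not want
# offered to a partner: DES/3DES/MD5 and MODP groups below 2048 bits.
LEGACY = {"DES", "3DES", "MD5", "DH_GROUP_768_MODP/Group 1",
          "DH_GROUP_1024_MODP/Group 2", "DH_GROUP_1536_MODP/Group 5"}
# Events that only mean "a timer fired" while waiting for the INIT reply.
TIMER_EVENTS = {"EV_NO_EVENT", "EV_RE_XMT", "EV_RE_XMT_EXCEED"}

SM_RE = re.compile(r"\((\d+)\): SM Trace-> SA: I_SPI=([0-9A-F]+) R_SPI=([0-9A-F]+) "
                   r".*CurState: (\S+) Event: (\S+)")
PROP_RE = re.compile(r"IKE Proposal: (\d+),")
TRANSFORM_LINE_RE = re.compile(r"^\(\d+\): ")
SESSION_SPLIT_RE = re.compile(r"\(\d+\): ?")
RETX_RE = re.compile(r"\((\d+)\): Retransmitting packet")
FAIL_RE = re.compile(r"\((\d+)\): Initial exchange failed")


def parse_proposals(text):
    """Return {proposal number: [transform ids]} from the summary lines."""
    proposals, current = {}, None
    for line in text.splitlines():
        m = PROP_RE.search(line)
        if m:
            current = int(m.group(1))
            proposals[current] = []
        elif current is not None and TRANSFORM_LINE_RE.match(line):
            # "(1773): AES-CBC(1773): SHA1..." -> ["AES-CBC", "SHA1", ...]
            proposals[current] = [t.strip() for t in SESSION_SPLIT_RE.split(line) if t.strip()]
            current = None
    return proposals


def legacy_proposals(proposals):
    """Proposals that would let the peer pick a legacy transform."""
    return {n: [t for t in ts if t in LEGACY]
            for n, ts in proposals.items() if any(t in LEGACY for t in ts)}


def analyze_init(text):
    """Per initiator SPI: retransmit count, whether any reply arrived, outcome."""
    sas = defaultdict(lambda: {"retransmits": 0, "response_seen": False,
                               "exceeded": False, "failed": False})
    session_to_spi = {}
    for line in text.splitlines():
        m = SM_RE.search(line)
        if m:
            session, i_spi, r_spi, state, event = m.groups()
            session_to_spi[session] = i_spi
            sa = sas[i_spi]
            # Assumption: a reply from the peer either fills in R_SPI or moves
            # the state machine on from I_WAIT_INIT by a non-timer event.
            if r_spi.strip("0") or (state == "I_WAIT_INIT" and event not in TIMER_EVENTS):
                sa["response_seen"] = True
            sa["exceeded"] |= event == "EV_RE_XMT_EXCEED"
            continue
        m = RETX_RE.search(line) or FAIL_RE.search(line)
        if m and m.group(1) in session_to_spi:
            sa = sas[session_to_spi[m.group(1)]]
            if "Retransmitting" in line:
                sa["retransmits"] += 1
            else:
                sa["failed"] = True
    return dict(sas)


def verdict(sa):
    """The sentence you would put in the ticket to the partner."""
    if sa["exceeded"] and not sa["response_seen"]:
        return ("no IKE_SA_INIT response received after %d retransmits: the peer never "
                "answered on UDP/500, so proposal selection was never reached" % sa["retransmits"])
    if sa["response_seen"]:
        return "responder answered; look at the IKE_SA_INIT reply and IKE_AUTH instead"
    return "exchange still in progress"


if __name__ == "__main__":
    for number, weak in sorted(legacy_proposals(parse_proposals(SAMPLE)).items()):
        print("proposal %d offers legacy transforms: %s" % (number, ", ".join(weak)))
    for spi, sa in analyze_init(SAMPLE).items():
        print("I_SPI %s: %s" % (spi, verdict(sa)))
```

Run against the full debug rather than the trimmed sample, the retransmit count tells you how long the ASA kept trying before `Maximum number of retransmissions reached`, and the legacy audit is the list to take to whoever owns the IKEv2 policies on the ASA side.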

Did you check the Palo Alto IPsec lifetime?

MHM

Yeah, that's the other kind of weird thing. I've got two IKEv2 policies for AES-256, SHA256, DH14: one that is 86400 and one that is 28800. I created the 28800 policy specifically to match the PA side. I'm told the PA side is set to 28800, so we should be matching up on the 28800 policy; however, show crypto isakmp sa shows "Life/Active Time: 86400/7036 sec", so we are clearly matching up on the 86400 policy. I don't understand why.

There are two lifetimes:

one for IPsec security and the other for ISAKMP.

Both must be the same; otherwise one side uses an SPI that the other peer does not expire.

Contact Palo Alto and try to match both lifetimes.

MHM

Where would I see the IPsec security lifetime? Is that the crypto map security-association lifetime?

show crypto ipsec sa detail

MHM

I'm not seeing where the IPsec security lifetime is. Is that the crypto map security-association lifetime? Here is a show crypto ipsec sa detail:


Crypto map tag: outside_map, seq num: 24, local addr: 173.x.x.x

access-list outside_cryptomap_23 extended permit ip host 173.x.x.x host 198.x.x.x
local ident (addr/mask/prot/port): (173.x.x.x/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (198.x.x.x/255.255.255.255/0/0)
current_peer: 52.x.x.x


#pkts encaps: 498, #pkts encrypt: 498, #pkts digest: 498
#pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 498, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 3098721168
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
#pkts invalid len (send): 0, #pkts invalid len (rcv): 0
#pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
#pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
#pkts failed (send): 0, #pkts failed (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 173.x.x.x/4500, remote crypto endpt.: 52.x.x.x/4500
path mtu 1500, ipsec overhead 86(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 89C5802F
current inbound spi : 2F16A920

inbound esp sas:
spi: 0x2F16A920 (790014240)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 14, IKEv2, }
slot: 0, conn_id: 3130, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4008959/23941)
IV size: 16 bytes
replay detection support: N
outbound esp sas:
spi: 0x89C5802F (2311421999)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 14, IKEv2, }
slot: 0, conn_id: 3130, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4055038/23941)
IV size: 16 bytes
replay detection support: N

Crypto map tag: outside_map, seq num: 24, local addr: 173.x.x.x

access-list outside_cryptomap_23 extended permit ip host 173.x.x.x host 198.x.x.x
local ident (addr/mask/prot/port): (173.x.x.x/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (198.x.x.x/255.255.255.255/0/0)
current_peer: 52.x.x.x


#pkts encaps: 557, #pkts encrypt: 557, #pkts digest: 557
#pkts decaps: 308, #pkts decrypt: 308, #pkts verify: 308
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 557, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 3090044080
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
#pkts invalid len (send): 0, #pkts invalid len (rcv): 0
#pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
#pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
#pkts failed (send): 0, #pkts failed (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 173.x.x.x/4500, remote crypto endpt.: 52.x.x.x/4500
path mtu 1500, ipsec overhead 86(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: DF2418F0
current inbound spi : E5FAD11C

inbound esp sas:
spi: 0xE5FAD11C (3858419996)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 14, IKEv2, }
slot: 0, conn_id: 3130, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3916798/19097)
IV size: 16 bytes
replay detection support: N
outbound esp sas:
spi: 0xDF2418F0 (3743684848)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 14, IKEv2, }
slot: 0, conn_id: 3130, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4331517/19097)
IV size: 16 bytes
replay detection support: N

Yes, the lifetime for phase 2 is part of the crypto map configs. If you don't change it manually, its default value should be 8 hours. You can see it decrementing in the output you shared, in the "sa timing" line. However, please note, as I mentioned previously, that lifetime is the only value that can be different between two peers, and when the lifetime value is not identical the peers will agree on the shortest/lower value between them. That is the case for both phase 1 and phase 2.

From the last output you shared, I can see some encaps and decaps for both SAs. This to me suggests that the tunnel is working; however, one thing to note here is that the encaps are almost double the decaps, which would potentially suggest some asymmetric routing somewhere that is messing with the traffic returned from the remote peer. The encaps reflect the outbound traffic going to the remote peer, and the decaps reflect the inbound traffic coming from the remote peer.
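The `show crypto ipsec sa detail` output earlier in the thread carries the counters this reply points at, and a couple of other things worth reading off it. The following Python script is an added example, not from the thread or from Cisco: it parses that output into one record per crypto-map entry, pulls the encaps/decaps counters, the remaining kB/sec lifetime and the per-SA settings for both ESP SAs, and turns them into the checks a practitioner would run on this output: the encaps-to-decaps ratio, the time to the next rekey, and the `replay detection support: N` line that appears on every SA shown (if anti-replay really is off on those SAs, replayed ESP packets would be accepted, so it is worth confirming that it is off on purpose; the script only reports the flag, it does not decide why it is N). SAMPLE is constructed from the first entry the poster shared, trimmed to the fields used; addresses stay masked as in the post.

```python
"""Parse Cisco ASA 'show crypto ipsec sa detail' output.

Added example, not from the thread or from Cisco. SAMPLE is constructed
from the first crypto-map entry the poster shared, trimmed to the fields
this script reads; addresses are masked as in the post.
"""
import re

SAMPLE = """\
Crypto map tag: outside_map, seq num: 24, local addr: 173.x.x.x

current_peer: 52.x.x.x

#pkts encaps: 498, #pkts encrypt: 498, #pkts digest: 498
#pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
#pkts replay failed (rcv): 0

local crypto endpt.: 173.x.x.x/4500, remote crypto endpt.: 52.x.x.x/4500

inbound esp sas:
spi: 0x2F16A920 (790014240)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 14, IKEv2, }
sa timing: remaining key lifetime (kB/sec): (4008959/23941)
replay detection support: N
outbound esp sas:
spi: 0x89C5802F (2311421999)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 14, IKEv2, }
sa timing: remaining key lifetime (kB/sec): (4055038/23941)
replay detection support: N
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")   # not "encaps failed"
PEER_RE = re.compile(r"current_peer: (\S+)")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"^transform: (.+)")
SETTINGS_RE = re.compile(r"in use settings =\{(.*)\}")
TIMING_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")
REPLAY_RE = re.compile(r"replay detection support: ([YN])")


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag:' entry with counters and both ESP SAs."""
    entries, entry, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            entry = {"header": line, "peer": None, "encaps": 0, "decaps": 0,
                     "inbound": {}, "outbound": {}}
            entries.append(entry)
            sa = None
            continue
        if entry is None:
            continue
        m = PEER_RE.search(line)
        if m:
            entry["peer"] = m.group(1)
            continue
        m = COUNTER_RE.search(line)
        if m:
            entry[m.group(1)] = int(m.group(2))
        elif line.startswith("inbound esp sas:"):
            sa = entry["inbound"]
        elif line.startswith("outbound esp sas:"):
            sa = entry["outbound"]
        elif sa is not None:
            for regex, key in ((SPI_RE, "spi"), (TRANSFORM_RE, "transform")):
                m = regex.search(line)
                if m:
                    sa[key] = m.group(1).strip()
            m = SETTINGS_RE.search(line)
            if m:   # "{L2L, Tunnel, ..., IKEv2, }" -> ["L2L", "Tunnel", ..., "IKEv2"]
                sa["settings"] = [s.strip() for s in m.group(1).split(",") if s.strip()]
            m = TIMING_RE.search(line)
            if m:
                sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
            m = REPLAY_RE.search(line)
            if m:
                sa["replay_detection"] = m.group(1) == "Y"
    return entries


def next_rekey_sec(entry):
    """Seconds until the first of the two ESP SAs hits its time lifetime."""
    return min(entry[d]["remaining_sec"] for d in ("inbound", "outbound")
               if "remaining_sec" in entry[d])


def findings(entry, ratio_threshold=1.5):
    """Human-readable checks for one crypto-map entry."""
    out = []
    enc, dec = entry["encaps"], entry["decaps"]
    if enc and not dec:
        out.append("asymmetric: %d encaps and no decaps; nothing is coming back on this SA" % enc)
    elif dec and enc / dec >= ratio_threshold:
        out.append("asymmetric: %d encaps vs %d decaps (ratio %.1f); confirm the traffic "
                   "profile explains it before suspecting routing" % (enc, dec, enc / dec))
    for direction in ("inbound", "outbound"):
        sa = entry[direction]
        if sa.get("replay_detection") is False:
            out.append("%s SA %s reports replay detection support: N; confirm anti-replay "
                       "is intentionally disabled" % (direction, sa.get("spi")))
    return out


if __name__ == "__main__":
    for entry in parse_ipsec_sa(SAMPLE):
        print(entry["header"], "peer", entry["peer"], "rekey in", next_rekey_sec(entry), "s")
        for finding in findings(entry):
            print("  -", finding)
```

Feed it the whole `show crypto ipsec sa detail` and it gives one record per crypto-map entry, so the two snapshots in the post (498/249 and 557/308) can be compared directly instead of by eye.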

The 8 hours for phase 2 is fine; that matches the PA side as well. According to what I've been told, the phase 1 side is 28800, yet I can clearly see that we are agreeing at 86400, even though I do have a policy that would match the 28800 of the PA side. If the PA side is set to 28800, I don't understand why my side is showing 86400.

As for the encaps/decaps, could it be because, at the moment, a majority of the traffic going through the tunnel (likely 90% or more) is a programmatic TCP ping every 28 minutes to keep the tunnel alive?


The ISAKMP lifetime mismatch may be because IKEv2 selects the default policy, not the one you configured.
For the IPsec security lifetime, please add this:
crypto ipsec profile IPsec-Profile
set security-association lifetime kilobytes disable
MHM

crypto map outside_map 24 set security-association lifetime kilobytes unlimited
has been set. I've never tried to use a specific IPsec profile; I'll give it a try.

No need then, if you use a crypto map, and I see the kB lifetime is unlimited (i.e. it is disabled).
Let me check the log you shared again.
Thanks
MHM

irbk, Level 1

When I changed the crypto map kB to unlimited, the tunnel went down. It came back up a little later with no problems; however, we were the responder this time, not the initiator. Also, I've been told that the PA side has been changed to 24 hours to match my 86400 seconds.
It seems to be when we are the initiator that we have issues with tunnel establishment. Namely, we don't get any responses from them after we send off the "let's establish a tunnel" requests.

You mention the lifetime kB has been set. Do you mean it was set before the issue or after the issue appeared?

If after, then monitor the IPsec; I think it will be stable, with no issue anymore.

And as for initiator or responder, it does not matter if the lifetime matches between the two peers.

MHM

When I set the "security-association lifetime kilobytes unlimited" is what I was referring to.

As for the initiator/responder, it's never been an issue with the connection if we were the responder. It is when we are the initiator that things seem to be difficult.

Sorry, re-reading your post, I may have misunderstood your question.

You mention the lifetime kB has been set. Do you mean it was set before the issue or after the issue appeared?

In response to this you recommended to "set security-association lifetime kilobytes disable", so I used the command "crypto map outside_map 24 set security-association lifetime kilobytes unlimited" in order to disable the kilobytes part of the lifetime association. At that point the tunnel dropped. Coincidentally, while the tunnel was down, the PA side set their lifetime to 24 hours to match my 86400 seconds. The next time, the tunnel established without issues; however, I was the responder. It never seems to be an issue when I'm the responder, only when I'm the initiator.