Intermittent Site-to-Site VPN Tunnel connectivity between Cisco ASA and Palo Alto Firewall

ravindra962
Level 1

Hello Friends

 

I am having an intermittent connectivity problem with an L2L VPN tunnel. The VPN tunnel is built between a Cisco ASA (ASA 5555 running ASA Version 9.8) and our client's Palo Alto firewall. The tunnel worked fine for 3 months without any problems, then suddenly started having intermittent problems.

 

When the issue started, our client's Palo Alto firewall engineer recommended disabling the kilobytes lifetime, since there are known issues with this on Palo Alto, so I disabled it, but to no avail. I also disabled DPD on this tunnel, but I am still seeing the error messages below. I don't think it's an issue with the ISP either, because I have around 300 VPN tunnels on the same firewall and they are working fine. I do not think there is an ISP issue on the client end either, because the tunnel comes back up and works fine as soon as we bounce the tunnel when the issue happens.

 

Now I cannot figure out why the ASA tears down the tunnel showing the reason as Lost Service. Any help here would be much appreciated.

 

Jul 1 2020 17:07:49 Cisco Audit %ASA-5-713904: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
Jul 1 2020 17:07:41 Cisco Audit %ASA-5-713904: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
Jul 1 2020 17:07:40 Cisco Audit %ASA-5-713904: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
Jul 1 2020 17:07:36 Cisco Audit %ASA-5-713904: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
Jul 1 2020 17:07:33 Cisco Audit %ASA-5-713904: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
Jul 1 2020 17:07:31 Cisco Audit %ASA-5-713904: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
Jul 1 2020 16:46:31 Cisco VPN Connection Terminated %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = Client_Peer_IP, Session disconnected. Session Type: LAN-to-LAN, Duration: 7h:38m:51s, Bytes xmt: 75477291, Bytes rcv: 7411306, Reason: Lost Service
Jul 1 2020 16:46:31 Cisco ASA Session Terminated %ASA-5-713259: Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jul 1 2020 16:46:31 Cisco ASA Internal Error %ASA-6-713235: Group = 1.1.1.1, IP = 1.1.1.1, Attempt to send an IKE packet from standby unit. Dropping the packet!
Jul 1 2020 16:46:31 Cisco VPN Connection Terminated %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = Client_Peer_IP, Session disconnected. Session Type: LAN-to-LAN, Duration: 7h:38m:51s, Bytes xmt: 75488551, Bytes rcv: 7412901, Reason: Lost Service
Jul 1 2020 16:46:31 Cisco ASA Session Terminated %ASA-5-713259: Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jul 1 2020 16:46:31 Cisco Audit %ASA-3-713902: Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x00002aaae7e0e0b0, mess id 0x6866e26e)!
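
For working through logs like the ones above, here is an added example (not part of the original post) that pairs each teardown message (713259) with the "no matching SA" drops (713904) that follow it for the same peer. It assumes the line layout shown in the post; the sample lines, peer addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, newest first, in the layout of the log lines in the post.
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real peers.
SAMPLE = """\
Jul 1 2020 17:07:36 Cisco Audit %ASA-5-713904: IP = 192.0.2.10, Received encrypted packet with no matching SA, dropping
Jul 1 2020 17:07:33 Cisco Audit %ASA-5-713904: IP = 192.0.2.10, Received encrypted packet with no matching SA, dropping
Jul 1 2020 17:07:31 Cisco Audit %ASA-5-713904: IP = 192.0.2.10, Received encrypted packet with no matching SA, dropping
Jul 1 2020 16:50:02 Cisco Audit %ASA-5-713904: IP = 198.51.100.7, Received encrypted packet with no matching SA, dropping
Jul 1 2020 16:46:31 Cisco ASA Session Terminated %ASA-5-713259: Group = 192.0.2.10, IP = 192.0.2.10, Session is being torn down. Reason: Lost Service
Jul 1 2020 16:46:31 Cisco ASA Session Terminated %ASA-5-713259: Group = 192.0.2.10, IP = 192.0.2.10, Session is being torn down. Reason: Lost Service
"""

LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d{4} \d\d:\d\d:\d\d) .*?%ASA-\d-(\d{6}): (.*)$")
PEER = re.compile(r"(?:Group|IP) = ([^,\s]+)")
REASON = re.compile(r"Reason: (.+?)\s*$")

def parse(text):
    """Return events as dicts, sorted oldest first; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        peer = PEER.search(m.group(3)) if m else None
        if not peer:
            continue
        reason = REASON.search(m.group(3))
        events.append({"ts": datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"),
                       "id": m.group(2), "peer": peer.group(1),
                       "reason": reason.group(1) if reason else None})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events):
    """Per peer, pair each teardown (713259) with the 713904 drops that follow it."""
    report = defaultdict(list)
    for e in events:
        entries = report[e["peer"]]
        if e["id"] == "713259":
            if not entries or entries[-1]["teardown"] != e["ts"]:  # collapse duplicates
                entries.append({"teardown": e["ts"], "reason": e["reason"],
                                "drops": 0, "first_drop_after_s": None})
        elif e["id"] == "713904" and entries:
            cur = entries[-1]
            cur["drops"] += 1
            if cur["first_drop_after_s"] is None:
                cur["first_drop_after_s"] = int((e["ts"] - cur["teardown"]).total_seconds())
    return dict(report)

if __name__ == "__main__":
    for peer, entries in correlate(parse(SAMPLE)).items():
        for x in entries:
            print(peer, x["teardown"], x["reason"], x["drops"], x["first_drop_after_s"])
```

Drops from a peer with no recorded teardown are left out of the pairing, so the output only lists sessions the ASA itself reported as torn down.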