Re: Intermittent VPN disconnect between Cisco ASA and Palo Alto

ravindra962 · ‎05-08-2020

Hello

I am having an intermittent Connectivity issues between the my Cisco ASA Firewall and my Client Palo Alto Firewall.

Client Firewall:

Hardware: Palo Alto 850

Software: 8.1.6

My Firewall: Cisco ASA 5555, Software: 9.8.3.11

Randomly the VPN tunnel is going down for 5 Mins

In the Logs I see all the IPsec SA's are deleted followed by an error message "VPN Disconnected, Reason:Lost Service". Then approximately 5 mins later. The tunnel is re-established and everything works fine.

On Palo firewall end, during the 5 mins window when the tunnel is down we see the Palo firewall doing a liveness check by Sending an "R U THERE" message to Cisco Peer and after 10 tries (approximately 5 mins) if it doesn't get a response from Cisco it re-establishes the VPN tunnel.

Once the tunnel re-establishes everything is working fine. Since the outage window is very small and happening randomly it was difficult to understand why this is happening.

Any help to identify why this is happening would be much appreciated.

Rob Ingram · ‎05-08-2020

Hi,
Check the configured IPSec and IKE lifetimes on the Palo Alto and ASA are identical, this is one cause of VPNs losing connectivity.

Do you have DPD configured on both the ASA and Palo Alto firewall?

ravindra962 · ‎05-08-2020

Hi

The IKE and IPsec SA timers configured matches on both ends.

I have DPD enabled on the Cisco Firewall.

Sheraz.Salim · ‎05-08-2020

VPN Disconnected, Reason:Lost Service. asa log message id 113019.

have look into this link here what ikev version you on 1 or 2?

please do not forget to rate.

ravindra962 · ‎05-08-2020

The version is IKEv2