Receiving IKEv2 delete messages with IPsec S2S tunnel to PA FW

  • Question

  • Hello,

    I have a problem with my site-to-site VPN connection between a Palo Alto Firewall and Azure Networks.

    I made all the configuration and everything looked like it was working, however I keep getting disconnects every 5-6 min. It is not happening just once - it goes on EVERY single 5-6 min. I just can't keep it up all the time. I started digging into the logs on the Palo Alto and after successfully creating the tunnel it receives: IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1

    I have no idea why this is happening. Any solutions?

    PAN-OS is 7.1.0.

    Tuesday, September 27, 2016 11:58 AM

Answers

  • Hello

    I contacted Azure support and got my issue resolved. In the end it turned out it is not an issue, it is a feature...

    Anyway, if there is no traffic flowing Azure drops the tunnel after 5 min. You can't stop it. However, after it gets dropped Azure starts initiating it once again anyway. Why is this working like this? No idea, got information it is like this by design.

    Friday, September 30, 2016 11:47 AM

All replies

  • Hello,

    Thank you for posting on the Azure forums!

    Have you used Policy Based (Static) or Route based (Dynamic) VPN configuration? I went through a couple of documents from the Palo Alto Networks page and this might be because the IKE negotiations are failing.

    On the PAN-OS firewall under the IPSec Tunnels menu option, check the UI to ensure that the tunnel you created is up and running. The status columns for the IKE Gateway and the Tunnel Interface should be green if IKEv2 negotiated correctly and the IPSec Phase 2 tunnel was brought up.

    Also check the logs to see if there are any IKE negotiations failing. For PAN-OS greater than 7.0 I suggest you go through https://live.paloaltonetworks.com/t5/Integration-Articles/Configuring-IKEv2-VPN-for-Microsoft-Azure-Environment/ta-p/60340 for configuration details if you have not already.

    Another thing to keep in mind is the security policy on the Palo Alto firewall side. Check if there are any deny rules blocking the connection attempt.

    Let me know if you need additional help.

    Regards,

    Loydon

    ________________________________________________________________________________________________________________
    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer so that other customers can benefit from it.

    Tuesday, September 27, 2016 5:26 PM
  • Hello,

    As I said, the tunnels are green, working, up, whatever you want to call it. However they keep restarting. Also I did exactly the same thing as you mentioned with that link. I thought it worked, but then it started going on/off. It's not like the tunnels are down for 10 min and then going up. It is around 30 seconds before it goes up again.

    I used Route Based. There is no denied traffic in the logs, just the tunnel flapping.

    Sorry for the late answer, I should have got an email notification that you replied, but for some reason I did not get it.

    Wednesday, September 28, 2016 8:47 PM
  • Hello,

    By what you are saying the configuration part seems to be correct. However, to isolate the issue we need to understand if the issue is on the Azure Gateway end or the PAN-OS end.

    Run the diagnostics for the VPN gateway and check what is found:

    For a Classic VNet you can refer to https://gallery.technet.microsoft.com/scriptcenter/Azure-Virtual-Network-2b4d0793

    For an ARM VNet you can refer to https://blogs.technet.microsoft.com/keithmayer/2015/12/07/step-by-step-capturing-azure-resource-manager-arm-vnet-gateway-diagnostic-logs/

    In case this does not show you any indication of the issue, then the next step would be to either contact Palo Alto Networks support or Azure support. We would need to check the network logs to identify why the drop in connection appears.

    Regards,

    Loydon


    Thursday, September 29, 2016 10:16 AM
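The pattern the accepted answer describes (a peer-initiated IPsec SA delete roughly every 5 minutes, followed by re-establishment about 30 seconds later) can be confirmed from the firewall's own system log before opening a support case: if every gap between delete messages sits at the same cadence, the cause is the gateway's idle behaviour, not a failing negotiation or a policy deny. The Python script below is an added example, not code from the thread or from either vendor; the log layout and every line other than the quoted delete message are constructed, and the 5 min expected interval and 90 s tolerance are assumptions to adjust for your environment.

```python
import re
from datetime import datetime

# Constructed sample lines in a simplified "<timestamp> <message>" layout. Only
# the delete message text is the one quoted in the thread; the real PAN-OS
# system-log columns differ, so adapt LINE_RE to your own log export.
PERIODIC_LOG = """\
2016/09/27 10:00:05 tunnel up (constructed placeholder event)
2016/09/27 10:05:10 IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1
2016/09/27 10:05:41 tunnel up (constructed placeholder event)
2016/09/27 10:10:44 IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1
2016/09/27 10:16:20 IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1
2016/09/27 10:21:55 IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1
"""
IRREGULAR_LOG = """\
2016/09/27 10:05:10 IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1
2016/09/27 10:07:00 IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1
2016/09/27 10:30:00 IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1
"""
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
DELETE_MSG = "IKEv2 IPSec SA delete message received from peer"

def parse_delete_events(text):
    """Timestamps of peer-initiated IPsec SA deletes, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and DELETE_MSG in m.group(2):
            events.append(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"))
    return events

def delete_intervals(events):
    """Seconds between consecutive delete messages."""
    return [(b - a).total_seconds() for a, b in zip(events, events[1:])]

def classify_flapping(text, expected=300, tolerance=90, min_events=3):
    """Return (verdict, intervals). 'periodic-idle-drop' means every gap is
    within tolerance of the expected idle timeout (assumed 5 min, as the
    thread reports); 'irregular' points at something other than idling."""
    gaps = delete_intervals(parse_delete_events(text))
    if len(gaps) + 1 < min_events:
        return "insufficient-data", gaps
    if all(abs(g - expected) <= tolerance for g in gaps):
        return "periodic-idle-drop", gaps
    return "irregular", gaps

if __name__ == "__main__":
    print(classify_flapping(PERIODIC_LOG))   # ('periodic-idle-drop', [334.0, 336.0, 335.0])
    print(classify_flapping(IRREGULAR_LOG))  # ('irregular', [110.0, 1380.0])
```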