IKEv2 with liveness check to detect network connectivity problem

110520
Created On 09/25/18 19:52 PM - Last Modified 09/14/20 22:44 PM


Resolution


IKEv2 was introduced in PAN-OS 7.0. With this version of IKE, the firewall can perform a liveness check over the phase 1 SA to detect problems with the underlying network connectivity (for example, whether the physical interface is still connected). This option is not enabled by default.

[Screenshot: IKEv2_11.png]

[Screenshot: IKEv2_12.png]

The default liveness check interval is 5 seconds while the SA is idle. When the peer stops responding, the firewall performs 10 liveness retries with an increasing wait (in seconds) before each retry, as follows:
1 + 2 + 4 + 8 + 16 + 32 + 64 + 64 + 64 + 64 = 319 seconds (about 5 minutes)

Once the maximum number of retries is reached, the firewall tears down the phase 1 and phase 2 (child) SAs. In PAN-OS 7.0, the number of retries and the wait time between retries are not configurable.

[Screenshot: IKEv2_13.png]

Note, however, that the associated tunnel interface stays up, so any static route egressing through that tunnel interface also remains active. Failing traffic over to a backup path therefore requires an additional mechanism such as phase 2 tunnel monitoring, policy-based forwarding, or a dynamic routing protocol such as BGP or OSPF.

Output from show command:

> show vpn ike-sa detail gateway [IKE GW name]


IKE Gateway GW, ID 35 2.2.2.2 => 1.1.1.1
Current time: Mar.01 13:49:56

IKE SA:
SPI: 8669654AB024E4AE:CABD66D702C02131 Init
State: Established
SN: 4
Authentication: PSK, peer PSK
Proposal: AES256-CBC/SHA256/DH5
ID local: ipaddr:2.2.2.2
remote: ipaddr:1.1.1.1
ID_i: IPv4_address:2.2.2.2
ID_r: IPv4_address:1.1.1.1
NAT: Not detected
Message ID: rx 35, tx 37
Liveness check: sending informational packet after idle 5 seconds


Output from ikemgr.log when IKEv2 liveness detects a connectivity problem:

2016-03-01 14:27:06.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 1 limit 10
2016-03-01 14:27:08.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 2 limit 10
2016-03-01 14:27:12.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 3 limit 10
2016-03-01 14:27:20.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 4 limit 10
2016-03-01 14:27:36.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 5 limit 10
2016-03-01 14:28:08.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 6 limit 10
2016-03-01 14:29:12.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 7 limit 10
2016-03-01 14:30:16.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 8 limit 10
2016-03-01 14:31:20.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 9 limit 10

2016-03-01 14:32:24 [PROTO_ERR]: ikev2.c:1005:ikev2_timeout(): 6:1.1.1.1[500] - 2.2.2.2[500]:(nil):retransmission count exceeded the limit


2016-03-01 14:32:24 [INFO]: ike_sa.c:275:ikev2_abort(): 6:1.1.1.1[500] - 2.2.2.2[500]:(nil):aborting IKEv2 SA GW:6
2016-03-01 14:32:24.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): ... IKEv2 SA state {GW:6-I}: SA dying from state ESTABLISHED, caller ikev2_abort

2016-03-01 14:32:24 [DEBUG]: ikev2.c:1174:ikev2_set_state(): 6:1.1.1.1[500] - 2.2.2.2[500]:(nil):ike_sa 0x827b210 state ESTABLISHED -> DYING: func ikev2_set_state, caller ikev2_set_sa_dying
2016-03-01 14:32:24.890 +0800 debug: ikev2_set_state(protocols/ikev2/ikev2.c:1239): keeping retransmit while state changed to DYING, CID 150, child 0x827b210
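The retry schedule and the ikemgr.log excerpt above can be cross-checked mechanically. The following Python is an added example, not part of this article or of PAN-OS: it computes the documented back-off (1, 2, 4, ... capped at 64 s, 10 retries), compares the gaps between consecutive "retry cnt" lines with that schedule, and predicts the teardown time from the first retry; the sample lines are copied from the excerpt above, and the 5-second idle interval preceding the first probe is an assumption used only for the total.

```python
import re
from datetime import datetime, timedelta

RETRY_LIMIT = 10   # documented: 10 liveness retries before teardown
MAX_BACKOFF = 64   # documented: wait doubles from 1 s and caps at 64 s

def backoff_schedule(retries=RETRY_LIMIT, cap=MAX_BACKOFF):
    """Wait in seconds before each retry: 1, 2, 4, ... capped at `cap` (sums to 319)."""
    return [min(2 ** i, cap) for i in range(retries)]

def time_to_teardown(idle=5, retries=RETRY_LIMIT, cap=MAX_BACKOFF):
    """Seconds from the last packet on the SA until teardown, assuming the idle
    interval precedes the first liveness probe and all retry waits follow it."""
    return idle + sum(backoff_schedule(retries, cap))

# Matches the 'IKEv2 transmit ... retry cnt N limit M' debug lines in ikemgr.log.
_TX = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ debug: .*IKEv2 transmit "
                 r"\{[^}]+\}: child id \d+, retry cnt (?P<cnt>\d+) limit \d+")

def _retries(lines):
    """Map retry count -> timestamp for every matching transmit line."""
    seen = {}
    for line in lines:
        m = _TX.match(line)
        if m:
            seen[int(m.group("cnt"))] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
    return seen

def check_retry_gaps(lines):
    """[(retry_cnt, observed_gap_s, expected_gap_s, ok)] for each consecutive retry pair."""
    seen, sched, out = _retries(lines), backoff_schedule(), []
    for cnt in sorted(seen):
        if cnt - 1 in seen and cnt - 1 < len(sched):
            gap = (seen[cnt] - seen[cnt - 1]).total_seconds()
            out.append((cnt, gap, sched[cnt - 1], abs(gap - sched[cnt - 1]) < 0.5))
    return out

def predict_teardown(lines):
    """First retry's timestamp plus the remaining waits: when the SA should be torn down."""
    first = _retries(lines).get(1)
    return first + timedelta(seconds=sum(backoff_schedule()[1:])) if first else None

# Sample input: the first four retry lines of the excerpt above (copied from the article).
SAMPLE_LOG = [
    "2016-03-01 14:27:06.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 1 limit 10",
    "2016-03-01 14:27:08.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 2 limit 10",
    "2016-03-01 14:27:12.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 3 limit 10",
    "2016-03-01 14:27:20.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): IKEv2 transmit {GW:6-I}: child id 150, retry cnt 4 limit 10",
]
```

Running `predict_teardown(SAMPLE_LOG)` on the excerpt gives 14:32:24, which matches the "retransmission count exceeded the limit" line, so the same check can be run on a live ikemgr.log to confirm the firewall is following the documented schedule.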

Additional Information


For information on IKEv1 DPD and how to enable the Phase 2 Tunnel Monitor, please see Dead Peer Detection and Tunnel Monitoring.
