Palo Alto Networks Knowledgebase: IPSec VPN IKE Phase 1 is Down but Tunnel is Active
IPSec VPN IKE Phase 1 is Down but Tunnel is Active
Created On 02/07/19 23:44 PM - Last Updated 02/07/19 23:44 PM
Inside of the WebGUI > Network> IPSec Tunnels, the IKE Gateway Status (Phase 1) light is red, whereas the IPSec Tunnel (Phase 2) light is green. However, traffic still continues to flow through the tunnel properly. After some time, the IKE Gateway Status light returns to green. Is this normal?
VPN Status showing Phase 1 down (Red) but Phase 2 up (Green)
This is normal behavior.
The purpose of Phase 1 (IKE Gateway Status) is to set up a secure channel for subsequent Phase 2 (IPSEC Tunnel) security associations (SA). Once the Phase 2 security associations have been set up, traffic travels on Phase 2 SA. Hence, it is possible that Phase 1 might be down, but traffic across the tunnel still works (because Phase 2 is up). The IKE light will turn red when Phase 1 times out. After a certain period, when Phase 2 is about to timeout, Phase 1 will re-negotiate the encryption key for subsequent Phase 2 negotiations. After these fresh negotiations, the IKE light will turn back to green and this process continues.
This behavior can be seen in the system logs:
System logs showing Phase 2 and Phase 1 renegotiating.
Description of above events:
21:44:04: Phase-1 SA timed out. At this point the IKE Gateway Status light will become red. Notice the Phase-1 renegotiations have not started right away.
21:45:38: At this point, Phase-2 SA is about to timeout. Hence, Phase-1 SA renegotiations started. IKE Gateway Status light turns back to green.
21:45:38: Subsequent Phase-2 renegotiations.
21:45:38: Previous Phase-2 SA expires and is deleted.
For more information on this situation, with more pics and a different explanation, please see: