Palo Alto Networks Knowledgebase: Flapping IPSec Tunnel

Flapping IPSec Tunnel

Created On 02/07/19 23:37 PM - Last Updated 02/07/19 23:37 PM

ISSUE: IPsec tunnel is not flapping or IPsec tunnel is up but not passing traffic.


CAUSE: One of the reasons for the tunnel flapping or not passing traffic is if the SPI number is not stable. A software bug may be the issue, lifetime for phase 1 and phase 2 are not the same so rekey is happening. Proxy ID are mismatching so rekey is happening frequently.


A security association is uniquely identified by a triple consisting of a Security Parameter Index (SPI), an IP Destination Address, and a security protocol (AH or ESP) identifier. SPI is arbitrary 32-bit value that is used by a receiver to identify the SA to which an incoming packet should be bound. The SPI is provided to map the incoming packet to an SA at the destination.


The SPI number can be checked on the firewall with the following command:

show vpn ipsec-sa


The SPI number should remain stable until a tunnel renegotiates. If this number is changing, then the tunnel will not be stable.


EXAMPLE: In both screenshots, the SPI number is changing.






  • Check the lifetime of phase1 and phase2 -- the time should be the same.
  • Check if the proxy ID are matching or not.
  • The issue could be because of a software bug.

  • Print
  • Copy Link

Choose Language