ipsec tunnel to AWS VPN gateway times out occasionally during phase 1 negotiation

Created On 01/14/20 22:36 PM - Last Modified 07/20/20 23:54 PM


Symptom


The PA-VM's IPsec tunnel to the AWS VPN gateway times out occasionally during phase 1 negotiation. The firewall sees the IKE traffic in the traffic log with action Allow but with session end reason aged-out. A packet capture confirms that no response arrives from the peer.

Environment


  • Palo Alto platform: AWS PA-VM.
  • PAN-OS version: All.
  • Plugin version: All.


Cause


  • The AWS Network Security Group (NSG) and Network ACL have not been updated to include the AWS VPN gateway peer addresses. The IKE lifetime is usually configured the same on both the Palo Alto VM (PA-VM) firewall and AWS, and because both PA-VM and AWS are configured as initiators, either side can initiate the phase 1 rekey.
  • AWS VPC outbound NSG and ACL rules are allow-all by default, so renegotiation works when the PA-VM initiates the rekey.
  • Inbound NSG and ACL rules are deny-all by default. Phase 1 negotiation times out when AWS initiates the rekey, with the following messages in ikemgr.log:

2019-12-19 14:17:51.103 +0000 [PNTF]: { 7: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=1963a1228518915a 71ac5dc98b71b305 (size=16).
====> Expired SA: 10.217.142.132[4500]-34.247.192.12[4500] SPI:0xF9AB7EC5/0x9D26C9A2 <====
2019-12-19 14:17:52.000 +0000 [PNTF]: { : 58}: ====> IPSEC KEY DELETED <====
====> Deleted SA: 10.217.142.132[4500]-34.247.192.12[4500] SPI:0xF9AB7EC5/0x9D26C9A2 <====
2019-12-19 14:17:52.000 +0000 [INFO]: { 5: 58}: SADB_DELETE proto=0 src=10.217.142.132[4500] dst=x.x.x.x[4500] ESP spi=0xF9AB7EC5
2019-12-19 14:17:52.685 +0000 [PNTF]: { 3: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=20854a8f0f72a209 6e851aa1d55b0b90 (size=16).
2019-12-19 14:17:53.000 +0000 [PWRN]: { : 58}: phase-2 sa purge mismatch SPI:0x00000000/0x9D26C9A2.
2019-12-19 14:17:53.580 +0000 [PNTF]: { 10: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=3d180a75c320a0f1 1d6609f7f0f3b470 (size=16).
2019-12-19 14:17:55.004 +0000 [PNTF]: { 5: }: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=45a99b70d7e5e1c1 8bc1358fdf591ddd (size=16).
2019-12-19 14:17:55.214 +0000 [INFO]: { 18: 42}: IPsec-SA request for 34.247.103.214 queued since no phase1 found

 


Resolution


  1. Check the security rules applied to the NIC in AWS.
  2. AWS console > VPC > Security Groups. Check Inbound Rules and Outbound Rules. Make sure the IPsec tunnel peer IPs are listed.
  3. AWS console > VPC > Security > Network ACLs. Check Inbound Rules, Outbound Rules and Subnet Association.
  4. Add the peer IPs to both the outbound and inbound rules, then issue the "test vpn" commands from the PA-VM CLI:
 
> test vpn ike-sa 
Start time: Dec.04 00:03:37
Initiate 1 IKE SA.
> test vpn ipsec-sa 
Start time: Dec.04 00:03:41
Initiate 1 IPSec SA.

The tunnel should come up in both phases in the Web UI.
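To verify steps 2 and 3 offline before running "test vpn", the following added example (not Palo Alto Networks or AWS code) evaluates inbound security group and network ACL rules, shaped like the JSON that "aws ec2 describe-security-groups" and "describe-network-acls" return, against the VPN gateway peer IPs on UDP 500 and 4500. The sample rules and the peer addresses (203.0.113.x, documentation range) are constructed for the example.

```python
import ipaddress

# Constructed sample data: inbound half of a security group and of a network ACL,
# in the shape returned by describe-security-groups / describe-network-acls.
SG_INBOUND = [
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
]
NACL_INBOUND = [  # protocol "17" is UDP, "-1" is all protocols; 32767 is the implicit deny
    {"RuleNumber": 100, "Protocol": "17", "RuleAction": "allow", "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 500, "To": 500}},
    {"RuleNumber": 110, "Protocol": "17", "RuleAction": "allow", "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 4500, "To": 4500}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]
IKE_PORTS = (500, 4500)  # IKE and NAT-T (the log above shows the peer on 4500)

def sg_allows(rules, peer, port):
    """Security groups are allow-only: any rule matching the flow permits it."""
    ip = ipaddress.ip_address(peer)
    for r in rules:
        if r["IpProtocol"] not in ("-1", "udp"):
            continue
        if r["IpProtocol"] != "-1" and not (r["FromPort"] <= port <= r["ToPort"]):
            continue
        if any(ip in ipaddress.ip_network(x["CidrIp"]) for x in r["IpRanges"]):
            return True
    return False

def nacl_allows(rules, peer, port):
    """Network ACLs are ordered: the lowest-numbered matching rule decides, no match means deny."""
    ip = ipaddress.ip_address(peer)
    for r in sorted(rules, key=lambda r: r["RuleNumber"]):
        if r["Protocol"] not in ("-1", "17"):
            continue
        pr = r.get("PortRange")
        if r["Protocol"] != "-1" and pr and not (pr["From"] <= port <= pr["To"]):
            continue
        if ip in ipaddress.ip_network(r["CidrBlock"]):
            return r["RuleAction"] == "allow"
    return False

def missing_inbound(peers, sg=SG_INBOUND, nacl=NACL_INBOUND):
    """List (peer, port, layer) combinations that would drop an AWS-initiated rekey."""
    gaps = []
    for peer in peers:
        for port in IKE_PORTS:
            if not sg_allows(sg, peer, port):
                gaps.append((peer, port, "security-group"))
            if not nacl_allows(nacl, peer, port):
                gaps.append((peer, port, "network-acl"))
    return gaps

if __name__ == "__main__":
    # Constructed peers: the second one is covered by the NACL but not by the /32 SG rules.
    print(missing_inbound(["203.0.113.10", "203.0.113.20"]))
```

An empty list means both layers admit IKE from every listed peer; each entry names the peer, port and layer that still needs a rule before AWS-initiated rekeys will succeed.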