IPSec VPN is dropping out fairly frequently between Palo Alto IPSec peers

Created On 05/20/22 13:29 PM - Last Modified 06/08/23 07:32 AM


Symptom


When using IPSec with IKEv2 between two Palo Alto Networks firewalls, the tunnel can go down because of DPD (the IKEv2 liveness check) when all of the following conditions are met:
- The first peer (peer 1) has a static IP address, liveness check is enabled, and NAT Traversal is enabled.
- The second peer (peer 2) has a dynamic IP address (for example, an ADSL connection), liveness check is enabled, and NAT Traversal is enabled. In addition, peer 2 is configured in passive mode.
The sequence of events that brings the tunnel down is as follows:
  • Peer 1 initiates a liveness check when packet loss occurs.
  • Even if connectivity is restored after the first liveness check request, peer 1 keeps retransmitting the liveness check until it declares the tunnel down.
  • When peer 1 marks the tunnel down due to DPD, peer 2 in turn triggers its own liveness check.
  • The tunnel therefore stays down for around 7-8 minutes because of the DPD waiting intervals on both sides.


Environment


All hardware and VM platforms

Cause


When IKE sends a packet, it caches the packet in a retransmit function. If no reply arrives, the retransmit function resends the cached packet, up to 10 times. This normally works, unless there is a NAT device between the firewall and the peer. NAT maps the peer's internal IP address and port to an external IP address and port. If that NAT mapping changes while a retransmit is in progress, the retransmit function is unaware of the change and keeps sending the cached packet to the old IP/port pair, so the retransmissions never reach the peer and the tunnel is eventually declared down even though the peer is reachable again.
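To make the cause concrete, the following is a small added Python model, not Palo Alto Networks code and not part of the original article, of an IKE sender that caches a request together with its destination (IP, port) and resends it up to 10 times, in front of a NAT whose port mapping can change in the middle of the retransmit sequence. The addresses, port numbers and the timing of the single mapping change are constructed for the example.

```python
"""Toy model: IKE retransmit cache versus a NAT mapping that changes mid-flight.

Constructed example. Peer 1 (static IP) sends an IKEv2 liveness request to
peer 2, which sits behind a port-mapping NAT. Peer 1 caches the packet with
the destination it learned at first contact and resends it from the cache.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

RETRANSMIT_LIMIT = 10  # the article: the cached packet is resent up to 10 times

Endpoint = Tuple[str, int]


@dataclass
class Nat:
    """Port-mapping NAT in front of peer 2: inner (ip, port) -> outer port."""
    outer_ip: str
    table: Dict[Endpoint, int] = field(default_factory=dict)
    next_port: int = 40000  # constructed starting port for outer mappings

    def outbound(self, inner: Endpoint) -> Endpoint:
        """Create (or reuse) the mapping for an inner endpoint and return the outer address."""
        if inner not in self.table:
            self.table[inner] = self.next_port
            self.next_port += 1
        return (self.outer_ip, self.table[inner])

    def inbound(self, outer_port: int) -> Optional[Endpoint]:
        """Deliver an inbound packet: return the inner endpoint, or None if nothing matches."""
        for inner, port in self.table.items():
            if port == outer_port:
                return inner
        return None

    def rebind(self) -> None:
        """Simulate the mapping changing (e.g. ADSL/PPPoE reconnect or mapping expiry)."""
        for inner in list(self.table):
            self.table[inner] = self.next_port
            self.next_port += 1


def run_liveness(rebind_after: Optional[int], packet_loss_first: bool = True) -> Tuple[bool, int]:
    """Run peer 1's liveness check against peer 2 behind the NAT.

    rebind_after: number of transmissions after which the NAT mapping changes once,
                  or None for a stable mapping.
    packet_loss_first: drop the very first request, as in the article's trigger.
    Returns (tunnel_declared_down, transmissions_sent).
    """
    nat = Nat("198.51.100.7")            # constructed public address of peer 2's NAT
    peer2_inner: Endpoint = ("192.168.1.2", 4500)

    # Peer 2 (passive, dynamic IP) contacted peer 1 earlier; peer 1 learned the
    # NAT'd address then and the retransmit cache keeps using it unchanged.
    cached_dst = nat.outbound(peer2_inner)

    for attempt in range(1, RETRANSMIT_LIMIT + 1):
        if rebind_after is not None and attempt == rebind_after + 1:
            nat.rebind()                  # mapping changes while retransmits are pending

        if attempt == 1 and packet_loss_first:
            continue                      # the initial request is lost on the wire

        # The cached destination port is the only thing peer 1 ever sends to.
        if nat.inbound(cached_dst[1]) == peer2_inner:
            return (False, attempt)       # peer 2 got the request and answers

    return (True, RETRANSMIT_LIMIT)       # all retransmits hit a stale mapping


if __name__ == "__main__":
    print("stable NAT, first packet lost:", run_liveness(rebind_after=None))
    print("NAT rebinds during retransmit:", run_liveness(rebind_after=1))
```

With a stable mapping the second transmission reaches peer 2 and the check succeeds. If the mapping changes after the first (lost) request, every one of the remaining nine retransmissions is sent to the old outer port, none is delivered, and peer 1 declares the tunnel down although peer 2 is reachable at its new mapping the whole time; this is the state of affairs the paragraph above describes.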

Resolution


To avoid this situation, disable the liveness check on one of the peers (preferably the peer with the dynamic IP address).
 


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpfPCAS&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail