Standard VPN Tunnels flapping on ION devices

Created On 01/31/23 05:12 AM - Last Modified 05/22/25 21:54 PM


Symptom


  • Standard VPN (3rd party VPN) tunnels keep flapping.
  • During an IKE rekey, multiple_ike_session events are created, causing the standard VPN tunnels to flap.
  • The interface-down status under "Alarms" displays "multiple_ike_session" with the reason "down".

  • The above information can be confirmed in the CLI as well:
debug logs dump tunnelmgr | grep "yyyy-mm-dd"
14:01:54.872 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:multiple_ike_session, local_ip:64.129.x.x, remote_ip:4.x.x.x, state:down}
14:02:33.872 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:multiple_ike_session, local_ip:64.129.x.x, remote_ip:4.x.x.x, state:down}
  • The following commands display "Extended State : multiple_ike_session":
dump servicelink summary all
dump interface status <interface>
dump servicelink summary slname=<name of the tunnel>
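
To triage a saved tunnelmgr dump offline, the following added example (not part of the original article and not Palo Alto Networks code) parses the SetServiceLinkStatus lines shown above and reports which service links repeatedly went down with multiple_ike_session. The threshold of 2 events within 5 minutes and the sl2 sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the two sl1 lines come from the article; the sl2 line and the
# "heartbeat" line are constructed for this example.
SAMPLE_LOG = """\
14:01:54.872 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:multiple_ike_session, local_ip:64.129.x.x, remote_ip:4.x.x.x, state:down}
14:02:10.000 inf tunnelmgr 4430 tunnelmgr heartbeat (constructed, unrelated line)
14:02:33.872 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:multiple_ike_session, local_ip:64.129.x.x, remote_ip:4.x.x.x, state:down}
14:40:00.000 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl2, state:{extended_state:multiple_ike_session, local_ip:64.129.x.x, remote_ip:8.x.x.x, state:down}
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s.*?SetServiceLinkStatus "
    r"sl:(?P<sl>[^,\s]+), state:\{(?P<body>[^}]*)\}"
)

def parse_events(text):
    """Return (time, service_link, fields) for each SetServiceLinkStatus line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a service-link status line
        fields = dict(kv.split(":", 1) for kv in m["body"].split(", ") if ":" in kv)
        # Lines carry time of day only; the dump is assumed to be one day (grep by date).
        events.append((datetime.strptime(m["ts"], "%H:%M:%S.%f"), m["sl"], fields))
    return events

def flapping_links(text, min_events=2, window=timedelta(minutes=5)):
    """Links with >= min_events multiple_ike_session 'down' events inside window."""
    downs = defaultdict(list)
    for ts, sl, f in parse_events(text):
        if f.get("extended_state") == "multiple_ike_session" and f.get("state") == "down":
            downs[sl].append((ts, f.get("remote_ip")))
    report = {}
    for sl, hits in downs.items():
        times = sorted(t for t, _ in hits)
        # Sliding check: does any run of min_events events fit inside the window?
        if any(times[i + min_events - 1] - times[i] <= window
               for i in range(len(times) - min_events + 1)):
            report[sl] = {"events": len(hits),
                          "peers": sorted({p for _, p in hits if p})}
    return report

if __name__ == "__main__":
    print(flapping_links(SAMPLE_LOG))
```

The reported peers are the remote ends to check for active (initiator) mode, as described under Cause and Resolution.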

 



Environment


  • Prisma SD-WAN
  • ION devices
  • VPN



Cause


  • Both ends of the VPN tunnels are in active mode.
  • The active mode is enabled on the other side of the tunnel interface as well.


Resolution


  1. While building an IPsec tunnel, enable passive mode on the other side of the tunnel interface.
  2. The endpoint should be configured as passive/responder only.
  3. Change the mode from active to passive on the remote end (i.e., on the vendor) for the tunnels to come up.

 


