Symptom
The system logs show excessive site-to-site IPSec rekeying on one tunnel, while the other tunnels do not show this behavior.
Cause
1. Tunnel Monitoring is enabled while there is no IP address configured on the tunnel interface. Tunnel monitoring uses the tunnel interface IP address as the source of its ICMP probe packets.
2. Tunnel Monitoring is enabled while there is no Proxy-ID covering the tunnel IP address and the IP address being monitored. For Access Control List (ACL) based IPSec VPN peers, a Proxy-ID pair for the tunnel IP address and the monitored IP address is required.
Note: No Proxy-ID is needed for tunnel-IP-to-tunnel-IP Tunnel Monitoring between Palo Alto Networks firewalls.
3. It is possible that this is not an issue and that the Palo Alto Networks firewall is simply logging normal rekeys for multiple tunnels. This is the case if the rekey interval is very short and there are multiple Proxy-ID pairs.
To verify on the Palo Alto Networks firewall, use the following CLI commands:
Details
For issue 1: Configure an allocated IP address on the IPSec tunnel interface, or disable tunnel monitoring if it is not needed.
For issue 2: Configure a Proxy-ID for the corresponding tunnel IP address and the IP address being monitored, or disable tunnel monitoring if it is not needed.
For issue 3: Check the rekey interval (lifetime) on IKE Phase 1 and IKE Phase 2.
<output cut>
To verify, pick the SPI from the tunnel that is exhibiting frequent rekeys, filtering the system log with match by PEER-VPN-IP-ADDRESS:
2014/02/24 13:43:04 info vpn TUN-1 ipsec-k 0 IPSec key installed. Installed SA: 2.2.2.2[500]-1.1.1.1[500] SPI:0xDBE7425F/0xC3D97F6B lifetime 300 Sec lifesize 128000 KB.
Using the following command, select only the logs related to that SPI and note the time of the first and the last entry:
Start: 13:43:04
End: 13:46:40
Resolution
A rekey roughly every 3+ minutes on every tunnel (here 13:43:04 to 13:46:40 against a 300 second lifetime) produces what looks like excessive rekeying, but it is normal behavior.
Increase the rekey value (lifetime) to balance the load or to suit requirements.
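As an added example (not from the original article), the following Python script parses "IPSec key installed" system log lines in the format shown above, groups them by tunnel, and compares the observed interval between key installs with the logged lifetime. A tunnel rekeying far more often than its lifetime allows points to causes 1 or 2 (tunnel-monitor-driven renegotiation), while an interval close to the lifetime is the normal case 3. The log lines, the abnormal_ratio threshold and the TUN-2 peer are constructed for the example.

```python
import re
from datetime import datetime
from statistics import median

# Regex for the "IPSec key installed" system log line shown in this article.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ vpn (?P<tunnel>\S+) ipsec-k \d+ "
    r"IPSec key installed\. Installed SA: (?P<sa>\S+) SPI:(?P<spi>\S+) "
    r"lifetime (?P<lifetime>\d+) Sec"
)

# Constructed sample lines (not from a real firewall): TUN-1 rekeys every
# ~3.5 min against a 300 s lifetime (normal, case 3); TUN-2 rekeys every
# ~20 s against the same lifetime (abnormal, e.g. a failing tunnel monitor).
SAMPLE_LOG = """\
2014/02/24 13:43:04 info vpn TUN-1 ipsec-k 0 IPSec key installed. Installed SA: 2.2.2.2[500]-1.1.1.1[500] SPI:0xDBE7425F/0xC3D97F6B lifetime 300 Sec lifesize 128000 KB.
2014/02/24 13:43:10 info vpn TUN-2 ipsec-k 0 IPSec key installed. Installed SA: 2.2.2.2[500]-3.3.3.3[500] SPI:0x11111111/0x22222222 lifetime 300 Sec lifesize 128000 KB.
2014/02/24 13:43:31 info vpn TUN-2 ipsec-k 0 IPSec key installed. Installed SA: 2.2.2.2[500]-3.3.3.3[500] SPI:0x33333333/0x44444444 lifetime 300 Sec lifesize 128000 KB.
2014/02/24 13:43:52 info vpn TUN-2 ipsec-k 0 IPSec key installed. Installed SA: 2.2.2.2[500]-3.3.3.3[500] SPI:0x55555555/0x66666666 lifetime 300 Sec lifesize 128000 KB.
2014/02/24 13:46:40 info vpn TUN-1 ipsec-k 0 IPSec key installed. Installed SA: 2.2.2.2[500]-1.1.1.1[500] SPI:0xA1B2C3D4/0xE5F60718 lifetime 300 Sec lifesize 128000 KB.
2014/02/24 13:50:16 info vpn TUN-1 ipsec-k 0 IPSec key installed. Installed SA: 2.2.2.2[500]-1.1.1.1[500] SPI:0x0BADF00D/0xDEADBEEF lifetime 300 Sec lifesize 128000 KB.
"""

def parse_rekeys(text):
    """Return {tunnel: [(timestamp, spi, lifetime_sec), ...]} in log order."""
    events = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not key-install events
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        events.setdefault(m["tunnel"], []).append((ts, m["spi"], int(m["lifetime"])))
    return events

def rekey_report(text, abnormal_ratio=0.5):
    """Per tunnel: median seconds between key installs, the logged lifetime, and
    whether the rate is abnormal (median interval below abnormal_ratio * lifetime)."""
    report = {}
    for tunnel, evs in parse_rekeys(text).items():
        if len(evs) < 2:
            continue  # a single event gives no interval to judge
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        lifetime = evs[-1][2]
        med = median(gaps)
        report[tunnel] = {"median_interval": med, "lifetime": lifetime,
                          "abnormal": med < abnormal_ratio * lifetime}
    return report
```

Run it against the output of the SPI-filtered system log query instead of SAMPLE_LOG; a tunnel flagged abnormal should be checked for the tunnel interface IP and Proxy-ID conditions before touching the lifetime.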