SRX

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



IKEv2 tunnels stop passing traffic

This thread has been viewed 10 times
  • 1.  IKEv2 tunnels stop passing traffic

    Posted 07-26-2022 17:16
    Hello all,

    We have a mix of roughly three hundred or so SRX100/110 and SRX300 devices in the field connecting to a Palo Alto Networks PA-820 using IKEv2. The dynamic tunnels come up just fine initially, but a handful of shops randomly stop passing traffic even though the tunnel seems to remain up. If I run a "restart ipsec-key-management" then the tunnel starts passing traffic again for another day or so. I was able to pull logs during the time the tunnel went down.

    These devices also connect to two other data centers via IKEv1. Those connections are solid. The easy solution might be to just move IKEv2 to IKEv1, but I'd rather avoid that if there is another solution. Has anyone run into this before?

    I have confirmed on the Palo Alto side that the lifetime timers are also 28800 and 3600.

    [Jul 26 18:39:57]ikev2_xmit_error: [e66400/ef4c00] Transmit error
    [Jul 26 18:39:57]IPSec negotiation failed for SA-CFG caab02_vpn for local:192.168.1.114, remote:x.x.x.x IKEv2. status: Timed out
    [Jul 26 18:39:57] P2 ed info: flags 0x882, P2 error: Error ok
    [Jul 26 18:39:57]IKE SA delete called for p1 sa 892819 (ref cnt 1) local:192.168.1.114, remote:x.x.x.x, IKEv2
    [Jul 26 18:39:57]Freeing all P2 SAs for IKEv2 p1 SA 892819
    [Jul 26 18:39:57]Deleted (spi=0x855c4eb7, protocol=ESP dst=192.168.1.114) entry from the peer hash table. Reason: P1 SA deleted
    [Jul 26 18:39:57]NHTB entry not found. Not deleting NHTB entry
    [Jul 26 18:39:57]In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 131075;SPI-In = 0x855c4eb7
    [Jul 26 18:39:57]Deleted SA pair for tunnel = 131075 with SPI-In = 0x855c4eb7 to kernel
    [Jul 26 18:39:57]Deleted (spi=0x855c4eb7, protocol=ESP) entry from the inbound sa spi hash table
    [Jul 26 18:39:57]Deleted (spi=0xa7aa365a, protocol=ESP dst=x.x.x.x) entry from the peer hash table. Reason: P1 SA deleted
    [Jul 26 18:40:27]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:192.168.1.114 remote:x.x.x.x IKEv2 for P1 SA 892820
    [Jul 26 18:40:27]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:192.168.1.114 remote:x.x.x.x IKEv2 for P1 SA 892820
    [Jul 26 18:40:27]ikev2_decode_packet: [e8e400/ef4c00] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
    [Jul 26 18:40:27]ikev2_packet_allocate: Allocated packet e92000 from freelist
    [Jul 26 18:40:27]Construction NHTB payload for  local:192.168.1.114, remote:x.x.x.x IKEv2 P1 SA index 892820 sa-cfg caab02_vpn
    [Jul 26 18:40:27]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg caab02_vpn, p1_sa=892820
    [Jul 26 18:40:27]ikev2_packet_allocate: Allocated packet e94000 from freelist
    [Jul 26 18:40:27]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload ESP TFC padding not supported from local:192.168.1.114 remote:x.x.x.x IKEv2 for P1 SA 892820
    [Jul 26 18:40:27]ikev2_decode_packet: [e94000/ef4c00] Received packet: HDR, IDr, AUTH, N(ESP_TFC_PADDING_NOT_SUPPORTED), SA, TSi, TSr
    [Jul 26 18:40:27]iked_pm_ipsec_sa_install: local:192.168.1.114, remote:x.x.x.x  IKEv2 for SA-CFG caab02_vpn
    [Jul 26 18:40:27]iked_pm_ipsec_sa_create: encr key len 32, auth key len: 32, salt len: 0
    [Jul 26 18:40:27]Added (spi=0x67ac67cd, protocol=ESP dst=192.168.1.114) entry to the peer hash table
    [Jul 26 18:40:27]Added (spi=0x8ee09ca4, protocol=ESP dst=x.x.x.x) entry to the peer hash table
    [Jul 26 18:40:27]Hardlife timer started for inbound caab02_vpn with 3600 seconds/0 kilobytes
    [Jul 26 18:40:27]Softlife timer started for inbound caab02_vpn with 2973 seconds/0 kilobytes
    [Jul 26 18:40:27]In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 131075;SPI-In = 0x67ac67cd
    [Jul 26 18:40:27]Added dependency on SA config blob with tunnelid = 131075
    [Jul 26 18:40:27]Successfully added ipsec SA PAIR
    [Jul 26 18:40:27]iked_pm_ike_sa_done: local:192.168.1.114, remote:x.x.x.x IKEv2
    [Jul 26 18:40:27]IKE negotiation done for local:192.168.1.114, remote:x.x.x.x IKEv2 with status: Error ok
    [Jul 26 18:40:27]IPSec  negotiation done successfully for SA-CFG caab02_vpn for local:192.168.1.114, remote:x.x.x.x  IKEv2

    proposal aes256_p1 {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
    }

    policy caab02_p1_pol {
    mode aggressive;
    proposals aes256_p1;
    pre-shared-key ascii-text "blahblahblahblahblah"; ## SECRET-DATA
    }

    gateway caab02_gw {
    ike-policy caab02_p1_pol;
    address x.x.x.x;
    local-identity user-at-hostname "123@shop.com";
    external-interface ge-0/0/0.0;
    version v2-only;
    }

    proposal aes256_p2 {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;
    }

    policy caab02_p2_pol {
    perfect-forward-secrecy {
    keys group5;
    }
    proposals aes256_p2;
    }

    vpn caab02 {
    bind-interface st0.1;
    ike {
    gateway caab02_gw;
    ipsec-policy caab02_p2_pol;
    }
    establish-tunnels immediately;
    }