IPSec VPN connection is going down after approximately 60 minutes and cannot be re-established until IKE-SAs cleared on VPN Firewall
Article ID: 229459

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

IPsec connection between a Palo Alto firewall and WSS (Cloud SWG).

Once the tunnel is established, users can authenticate and browse the internet without issues, but after a period of time all internet access through the tunnel fails.

The administrator noticed that the IPsec VPN connection goes down after roughly 60 minutes and remains down.

The IPsec tunnel can only be re-established after clearing the IKE SA on the Palo Alto firewall.

The Palo Alto System log shows the following messages at the time of the error:

IPSec key lifetime expired. Expired SA: XX.XX.XX.XX[500]-148.64.11.164[500] SPI:0xB06CEF02/0xC22D8BD6.
IPSec key deleted. Deleted SA: XX.XX.XX.XX[[500]-148.64.11.164[500] SPI:0xB06CEF02/0xC22D8BD6.
IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1.
IKEv2 child SA negotiation is failed as initiator, non-rekey. Failed SA: XX.XX.XX.XX[[500]-148.64.11.164[500] message id:0x00000004. Error code 19


Environment

  • IPSEC connection into Cloud SWG
  • VPN gateway (Palo Alto)
  • Phase 1 Protocol: IKEv2
  • Phase 1 Proposals: [PSK][DH20][AES256][SHA256]28800-sec
  • Phase 2 Proposals: ESP tunnel [DH20][AES256][SHA256] 3600-sec 0-kb

Cause

The two peers cannot agree on a Diffie-Hellman group for the Phase 2 (CHILD_SA) exchange. The Palo Alto firewall proposes DH group 20 (ECP_384), which the WSS side does not accept for ESP, so the peers have no common group with which to derive matching shared secret keys. The first CHILD_SA is created inside IKE_AUTH, where IKEv2 does not negotiate a DH group, which is why the tunnel comes up and passes traffic; the mismatch only surfaces at the first rekey, when the 3600-second Phase 2 lifetime expires and the CREATE_CHILD_SA exchange carries the DH20 proposal and is rejected.

Resolution

Change the Diffie-Hellman group in the Phase 2 proposal (the IPSec Crypto profile on the Palo Alto firewall) from DH20 to one of the groups the WSS side accepts. The accepted groups are the MODP groups (MODP_1024 through MODP_2048_256) listed under configured-proposals in the WSS log in the Additional Information section below.

Additional Information

When the problem occurred, the logs on the WSS side confirmed a compatibility issue with the DH proposals, as shown below. The received proposal (from the Palo Alto firewall) carries ECP_384, which corresponds to DH20, while every configured proposal on the WSS side lists only MODP groups:

Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>  0.0.0.0/0
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>  0.0.0.0/0
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>   candidate "PskSite_3622_479745_xx.xx.xx.xx_0" with prio 10+10
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>  0.0.0.0/0[tcp/http]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>  0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>   candidate "PskSite_3622_479745_xx.xx.xx.xx_80" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>  0.0.0.0/0[tcp/https]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>  0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>   candidate "PskSite_3622_479745_xx.xx.xx.xx_443" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>  0.0.0.0/0[tcp/webcache]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>  0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>   candidate "PskSite_3622_479745_xx.xx.xx.xx_8080" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>  0.0.0.0/0[tcp/pcsync-https]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>  0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>   candidate "PskSite_3622_479745_xx.xx.xx.xx_8443" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> found matching child config "PskSite_3622_479745_xx.xx.xx.xx_0" with prio 20
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> selecting proposal:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>   no acceptable ENCRYPTION_ALGORITHM found
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> selecting proposal:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>   no acceptable ENCRYPTION_ALGORITHM found
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> selecting proposal:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328>   no acceptable DIFFIE_HELLMAN_GROUP found
Nov 19 15:41:36 03[WSS] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> CHILD_SA no matching proposal found, received-proposals='ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ', configured-proposals='ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/NULL/AES_CTR_128/AES_CTR_192/AES_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NULL_AES_GMAC_128/NULL_AES_GMAC_192/NULL_AES_GMAC_256/BLOWFISH_CBC_128/BLOWFISH_CBC_192/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_128_GMAC/AES_192_GMAC/AES_256_GMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_1024_160/MODP_2048_224/MODP_2048_256/NO_EXT_SEQ'
Nov 19 15:41:36 03[IKE] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> no acceptable proposal found
Nov 19 15:41:36 03[IKE] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> failed to establish CHILD_SA, keeping IKE_SA
Nov 19 15:41:36 03[CHD] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> CHILD_SA PskSite_3622_479745_xx.xx.xx.xx_0{0} state change: CREATED => DESTROYING
Nov 19 15:41:36 03[ENC] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> generating CREATE_CHILD_SA response 70 [ N(NO_PROP) ]
Nov 19 15:41:36 03[NET] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> sending packet: from 192.168.2.5[500] to xx.xx.xx.xx[500] (80 bytes)
Nov 19 15:41:36 03[MGR] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> checkin IKE_SA PskSite_3622_479745_xx.xx.xx.xx_0[242328]
Nov 19 15:41:36 03[MGR] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> check-in of IKE_SA successful.
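The WSS log above states the mismatch as two long proposal strings, which are tedious to compare by eye. The following Python script, added here as an example and not part of the article or of any Broadcom or strongSwan code, parses such a "no matching proposal found" line, replays the per-candidate checks the log prints (no acceptable ENCRYPTION_ALGORITHM for the first two configured proposals, no acceptable DIFFIE_HELLMAN_GROUP for the third), reports which transform type has no overlap with any configured proposal, and lists the DH group numbers the responder would accept. The classification of transform names by prefix and the IANA DH group number table are assumptions of this example; the sample line is the one from this article.

```python
"""Analyse a strongSwan-style 'CHILD_SA no matching proposal found' log line
and identify the IKEv2 transform type that blocked the Phase 2 negotiation.
Added example for this article; not Broadcom's or strongSwan's code."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Transform types in the order the log checks them.
TYPES = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
         "DIFFIE_HELLMAN_GROUP", "EXTENDED_SEQUENCE_NUMBERS")

# IANA IKEv2 Diffie-Hellman group numbers for the names used in the log
# (assumed naming; ECP_384 is DH group 20 as configured on the Palo Alto).
DH_GROUPS = {"MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14, "MODP_3072": 15,
             "MODP_4096": 16, "MODP_6144": 17, "MODP_8192": 18, "ECP_256": 19,
             "ECP_384": 20, "ECP_521": 21, "MODP_1024_160": 22,
             "MODP_2048_224": 23, "MODP_2048_256": 24}

# The WSS log line from the article's Additional Information section.
SAMPLE_LINE = (
    "Nov 19 15:41:36 03[WSS] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> CHILD_SA no matching proposal found, "
    "received-proposals='ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ', "
    "configured-proposals='ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/NULL/AES_CTR_128/AES_CTR_192/AES_CTR_256/"
    "AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/"
    "AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/"
    "AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NULL_AES_GMAC_128/NULL_AES_GMAC_192/"
    "NULL_AES_GMAC_256/BLOWFISH_CBC_128/BLOWFISH_CBC_192/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/"
    "HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_128_GMAC/"
    "AES_192_GMAC/AES_256_GMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_6144/MODP_8192/"
    "MODP_1024_160/MODP_2048_224/MODP_2048_256/NO_EXT_SEQ'"
)

Proposal = Tuple[str, Dict[str, Set[str]]]  # (protocol, {transform type: names})


def classify(transform: str) -> str:
    """Map a transform name to its IKEv2 transform type (prefix rules assumed)."""
    if transform in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "EXTENDED_SEQUENCE_NUMBERS"
    if transform.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if transform.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")) or re.fullmatch(r"AES_\d+_GMAC", transform):
        return "INTEGRITY_ALGORITHM"
    # Everything else (AES_CBC/CTR/GCM/CCM, 3DES, BLOWFISH, CAMELLIA, NULL, NULL_AES_GMAC_*) is a cipher.
    return "ENCRYPTION_ALGORITHM"


def parse_proposal(text: str) -> Proposal:
    """'ESP:A/B/C' -> ('ESP', {type: {names}})."""
    proto, _, transforms = text.strip().partition(":")
    by_type: Dict[str, Set[str]] = {}
    for name in transforms.split("/"):
        by_type.setdefault(classify(name), set()).add(name)
    return proto, by_type


def parse_line(line: str) -> Tuple[List[Proposal], List[Proposal]]:
    """Extract the received and configured proposal lists from the log line."""
    m = re.search(r"received-proposals='([^']*)', configured-proposals='([^']*)'", line)
    if not m:
        raise ValueError("not a 'no matching proposal found' line")
    received = [parse_proposal(p) for p in m.group(1).split(", ")]
    configured = [parse_proposal(p) for p in m.group(2).split(", ")]
    return received, configured


def first_conflict(received: Dict[str, Set[str]], configured: Dict[str, Set[str]]) -> Optional[str]:
    """First transform type (in check order) the candidate cannot satisfy; None if compatible.
    A type absent from the received proposal (e.g. no DH in IKE_AUTH) is not a conflict."""
    for ttype in TYPES:
        wanted = received.get(ttype, set())
        if wanted and not (wanted & configured.get(ttype, set())):
            return ttype
    return None


def analyse(line: str) -> Dict[str, object]:
    """Per-candidate first conflict (mirrors the log) and the types with no overlap anywhere."""
    received, configured = parse_line(line)
    per_candidate = [first_conflict(r, c) for rp, r in received for cp, c in configured if rp == cp]
    blocking: Dict[str, List[str]] = {}
    for rp, r in received:
        for ttype in TYPES:
            wanted = r.get(ttype, set())
            accepted = set().union(*(c.get(ttype, set()) for cp, c in configured if cp == rp))
            if wanted and not (wanted & accepted):
                blocking[ttype] = sorted(wanted)
    return {"per_candidate": per_candidate, "blocking": blocking}


def accepted_dh_groups(line: str) -> List[int]:
    """IANA DH group numbers that at least one configured proposal accepts."""
    _, configured = parse_line(line)
    names = set().union(*(c.get("DIFFIE_HELLMAN_GROUP", set()) for _, c in configured))
    return sorted(DH_GROUPS[n] for n in names if n in DH_GROUPS)


if __name__ == "__main__":
    result = analyse(SAMPLE_LINE)
    for i, conflict in enumerate(result["per_candidate"], 1):
        print(f"configured proposal {i}: {'no acceptable ' + conflict if conflict else 'acceptable'}")
    print("blocking transform types:", result["blocking"])
    print("DH groups the responder accepts:", accepted_dh_groups(SAMPLE_LINE))
```

On the article's line the script reports that only DIFFIE_HELLMAN_GROUP (ECP_384, i.e. DH20) has no overlap with any configured proposal, while the cipher and integrity choices are accepted by the third candidate, and it lists groups 2, 5, 14, 15, 16, 17, 18, 22, 23 and 24 as acceptable, which is the list to pick the replacement for DH20 from.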