IPSEC connection between Palo Alto firewall and WSS
Users can browse the internet after authenticating without issues while the tunnel is established, but after a period of time all internet access through the tunnel fails.
The administrator noticed that the IPsec VPN connection goes down after roughly 60 minutes and remains down.
The IPsec tunnel can only be re-established after clearing the IKE SA on the Palo Alto firewall.
The Palo Alto System log messages at the time of the error show:
IPSec key lifetime expired. Expired SA: XX.XX.XX.XX[500]-148.64.11.164[500] SPI:0xB06CEF02/0xC22D8BD6.
IPSec key deleted. Deleted SA: XX.XX.XX.XX[500]-148.64.11.164[500] SPI:0xB06CEF02/0xC22D8BD6.
IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1.
IKEv2 child SA negotiation is failed as initiator, non-rekey. Failed SA: XX.XX.XX.XX[500]-148.64.11.164[500] message id:0x00000004. Error code 19
The WSS peer cannot find a compatible Diffie-Hellman group in the proposal sent by the Palo Alto firewall; a common group is required to derive matching shared secret keys for the new CHILD_SA. The Palo Alto IPSec Crypto profile was set to DH group 20 (384-bit ECP), which WSS does not offer. The first CHILD_SA is created inside the IKE_AUTH exchange, where no separate Diffie-Hellman exchange is performed for the child SA, so the mismatch does not surface until the IPsec SA lifetime expires (roughly 60 minutes) and the firewall starts a CREATE_CHILD_SA exchange with PFS. WSS answers that request with NO_PROPOSAL_CHOSEN, the expired SA is deleted, and the tunnel stays down until the IKE SA is cleared and a fresh IKE_AUTH is performed.
Change the Diffie-Hellman group in the Palo Alto IPSec Crypto profile from group 20 to one of the MODP groups WSS lists in its configured proposals (MODP_1024 through MODP_8192, plus MODP_1024_160, MODP_2048_224 and MODP_2048_256), for example group 14 (MODP_2048). Prefer a 2048-bit or larger group; MODP_1024 (group 2) and MODP_1024_160 (group 22) are below current strength recommendations. After committing the change, clear the IKE SA on the firewall so the tunnel is renegotiated with the new proposal.
When the problem occurred, the logs on the WSS side confirmed a compatibility issue with the DH proposals, as shown below: the received ESP proposal carries ECP_384 (DH group 20), and the only configured proposal whose encryption and integrity algorithms match offers MODP groups exclusively, so the negotiation fails on DIFFIE_HELLMAN_GROUP.
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> 0.0.0.0/0
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> 0.0.0.0/0
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> candidate "PskSite_3622_479745_xx.xx.xx.xx_0" with prio 10+10
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> 0.0.0.0/0[tcp/http]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> 0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> candidate "PskSite_3622_479745_xx.xx.xx.xx_80" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> 0.0.0.0/0[tcp/https]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> 0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> candidate "PskSite_3622_479745_xx.xx.xx.xx_443" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> 0.0.0.0/0[tcp/webcache]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> 0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> candidate "PskSite_3622_479745_xx.xx.xx.xx_8080" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> 0.0.0.0/0[tcp/pcsync-https]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> 0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> candidate "PskSite_3622_479745_xx.xx.xx.xx_8443" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> found matching child config "PskSite_3622_479745_xx.xx.xx.xx_0" with prio 20
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> selecting proposal:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> no acceptable ENCRYPTION_ALGORITHM found
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> selecting proposal:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> no acceptable ENCRYPTION_ALGORITHM found
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> selecting proposal:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> no acceptable DIFFIE_HELLMAN_GROUP found
Nov 19 15:41:36 03[WSS] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> CHILD_SA no matching proposal found, received-proposals='ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ', configured-proposals='ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/NULL/AES_CTR_128/AES_CTR_192/AES_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NULL_AES_GMAC_128/NULL_AES_GMAC_192/NULL_AES_GMAC_256/BLOWFISH_CBC_128/BLOWFISH_CBC_192/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_128_GMAC/AES_192_GMAC/AES_256_GMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_1024_160/MODP_2048_224/MODP_2048_256/NO_EXT_SEQ'
Nov 19 15:41:36 03[IKE] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> no acceptable proposal found
Nov 19 15:41:36 03[IKE] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> failed to establish CHILD_SA, keeping IKE_SA
Nov 19 15:41:36 03[CHD] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> CHILD_SA PskSite_3622_479745_xx.xx.xx.xx_0{0} state change: CREATED => DESTROYING
Nov 19 15:41:36 03[ENC] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> generating CREATE_CHILD_SA response 70 [ N(NO_PROP) ]
Nov 19 15:41:36 03[NET] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> sending packet: from 192.168.2.5[500] to xx.xx.xx.xx[500] (80 bytes)
Nov 19 15:41:36 03[MGR] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> checkin IKE_SA PskSite_3622_479745_xx.xx.xx.xx_0[242328]
Nov 19 15:41:36 03[MGR] <PskSite_3622_479745_xx.xx.xx.xx_0|242328> check-in of IKE_SA successful.
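As an added example, not part of this article or of the WSS or Palo Alto products, the Python script below parses a strongSwan-style "CHILD_SA no matching proposal found" line like the one in the WSS log above, reports for each configured proposal which transform type fails (reproducing the "no acceptable ENCRYPTION_ALGORITHM" and "no acceptable DIFFIE_HELLMAN_GROUP" messages), and lists the DH group numbers the peer would accept, setting aside the sub-2048-bit MODP groups. The name-to-number table is the IANA IKEv2 DH group registry as strongSwan prints the names; the evaluation order of transform types is an assumption chosen to match the order the WSS log reports mismatches; the sample line is a trimmed copy of the log line above with the long cipher list shortened.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# strongSwan transform names -> IANA IKEv2 Diffie-Hellman group numbers
# (the same numbers PAN-OS uses for "group2", "group14", "group20", ...).
DH_GROUP_IDS = {
    "MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14,
    "MODP_3072": 15, "MODP_4096": 16, "MODP_6144": 17, "MODP_8192": 18,
    "ECP_256": 19, "ECP_384": 20, "ECP_521": 21,
    "MODP_1024_160": 22, "MODP_2048_224": 23, "MODP_2048_256": 24,
}
# MODP groups below 2048 bits: the peer accepts them, but they are not worth choosing.
WEAK_DH_GROUPS = {1, 2, 5, 22}

# Evaluation order (assumption): matches the order strongSwan logs mismatches,
# i.e. an encryption mismatch is reported before a DH mismatch.
TRANSFORM_TYPES = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
                   "DIFFIE_HELLMAN_GROUP", "EXTENDED_SEQUENCE_NUMBERS")

Proposal = Dict[str, Set[str]]


def transform_type(name: str) -> str:
    """Classify one token of a proposal string by IKEv2 transform type."""
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "EXTENDED_SEQUENCE_NUMBERS"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")) or name.endswith("_GMAC"):
        return "INTEGRITY_ALGORITHM"
    return "ENCRYPTION_ALGORITHM"  # CBC/CTR/GCM/CCM/NULL ciphers


def parse_proposal(text: str) -> Tuple[str, Proposal]:
    """'ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ' -> ('ESP', {type: names})."""
    proto, _, body = text.partition(":")
    by_type: Proposal = {t: set() for t in TRANSFORM_TYPES}
    for token in body.split("/"):
        by_type[transform_type(token)].add(token)
    return proto, by_type


def first_mismatch(received: Proposal, configured: Proposal) -> Optional[str]:
    """First transform type with no common algorithm, or None if compatible."""
    for t in TRANSFORM_TYPES:
        if not received[t] and not configured[t]:
            continue  # neither side negotiates this type
        if not (received[t] & configured[t]):
            return t
    return None


LINE_RE = re.compile(r"received-proposals='([^']*)', configured-proposals='([^']*)'")


def diagnose(log_line: str) -> dict:
    """Explain a responder-side 'CHILD_SA no matching proposal found' line."""
    m = LINE_RE.search(log_line)
    if not m:
        raise ValueError("not a strongSwan 'no matching proposal found' line")
    received = [parse_proposal(p) for p in m.group(1).split(", ")]
    configured = [parse_proposal(p) for p in m.group(2).split(", ")]

    per_proposal: List[Optional[str]] = []
    peer_dh: Set[str] = set()
    for proto, conf in configured:
        peer_dh |= conf["DIFFIE_HELLMAN_GROUP"]
        for rproto, recv in received:
            if rproto == proto:
                per_proposal.append(first_mismatch(recv, conf))

    offered = {g for _, r in received for g in r["DIFFIE_HELLMAN_GROUP"]}
    peer_ids = sorted(DH_GROUP_IDS.get(g, -1) for g in peer_dh)
    return {
        "offered_dh_groups": sorted(DH_GROUP_IDS.get(g, -1) for g in offered),
        "per_proposal": per_proposal,
        "peer_dh_groups": peer_ids,
        "recommended_dh_groups": [g for g in peer_ids if g > 0 and g not in WEAK_DH_GROUPS],
    }


# Trimmed copy of the WSS log line from this article (cipher list shortened).
SAMPLE_LINE = (
    "Nov 19 15:41:36 03[WSS] <PskSite_0|1> CHILD_SA no matching proposal found, "
    "received-proposals='ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ', "
    "configured-proposals='ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/AES_CBC_256/AES_GCM_16_256/HMAC_SHA1_96/HMAC_SHA2_256_128/"
    "MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_6144/MODP_8192/"
    "MODP_1024_160/MODP_2048_224/MODP_2048_256/NO_EXT_SEQ'"
)

if __name__ == "__main__":
    result = diagnose(SAMPLE_LINE)
    for i, why in enumerate(result["per_proposal"], 1):
        print(f"configured proposal {i}: {'compatible' if why is None else 'no acceptable ' + why}")
    print("initiator offered DH group(s):", result["offered_dh_groups"])
    print("peer accepts DH group(s):     ", result["peer_dh_groups"])
    print("pick one of:                  ", result["recommended_dh_groups"])
```

Running it on the sample line reports the first two configured proposals as encryption mismatches and the third as a DH group mismatch, exactly the sequence the WSS log shows, with group 20 offered against a peer that only accepts groups 2, 5, 14 to 18 and 22 to 24. The same check with MODP_2048 in the received proposal returns no mismatch, which is the state the resolution above puts the tunnel in.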