
IPsec VPN connection goes down after approximately 60 minutes and cannot be re-established until the IKE SAs are cleared on the VPN firewall


Article ID: 229459

Products

Web Security Service - WSS

Issue/Introduction

IPsec connection between a Palo Alto firewall and WSS

Users can browse the internet without issues after authenticating while the tunnel is established, but after a period of time all internet access through the tunnel fails.

The administrator noticed that the IPsec VPN connection goes down after roughly 60 minutes and stays down.

The IPsec tunnel can only be re-established after clearing the IKE SA on the Palo Alto firewall.

The Palo Alto system log at the time of the error shows:

IPSec key lifetime expired. Expired SA: 13.47.96.117[500]-148.64.11.164[500] SPI:0xB06CEF02/0xC22D8BD6.
IPSec key deleted. Deleted SA: 13.47.96.117[500]-148.64.11.164[500] SPI:0xB06CEF02/0xC22D8BD6.
IKEv2 IPSec SA delete message received from peer. Protocol ESP, Num of SPI: 1.
IKEv2 child SA negotiation is failed as initiator, non-rekey. Failed SA: 13.47.96.117[500]-148.64.11.164[500] message id:0x00000004. Error code 19


Cause

The peers cannot agree on a compatible Diffie-Hellman group, which is required to exchange matching shared secret keys. The tunnel initially comes up because the first CHILD_SA is negotiated inside the IKE_AUTH exchange, which carries no separate Diffie-Hellman exchange. When the 3600-second Phase 2 lifetime expires (the roughly 60 minutes observed), the replacement CHILD_SA is negotiated in a CREATE_CHILD_SA exchange that carries the firewall's DH20 (ECP_384) group; WSS does not offer that group for ESP, answers with NO_PROPOSAL_CHOSEN, and the tunnel stays down.

Environment

IPsec connection into WSS

VPN gateway (Palo Alto)

Phase 1 Protocol: IKEv2
Phase 1 Proposals: [PSK][DH20][AES256][SHA256]28800-sec
Phase 2 Proposals: ESP tunl [DH20][AES256][SHA256] 3600-sec 0-kb

Resolution

Change the Diffie-Hellman group in the firewall's ESP (Phase 2) proposal, where the WSS log shows the mismatch, from DH20 to one of the groups in the supported list shown below (the MODP_* groups in the WSS configured-proposals).

Additional Information

When the problem occurred, the logs on the WSS side confirmed a compatibility issue with the DH proposals, as shown below:


Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>  0.0.0.0/0
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>  0.0.0.0/0
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>   candidate "PskSite_3622_479745_13.47.96.117_0" with prio 10+10
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>  0.0.0.0/0[tcp/http]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>  0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>   candidate "PskSite_3622_479745_13.47.96.117_80" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>  0.0.0.0/0[tcp/https]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>  0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>   candidate "PskSite_3622_479745_13.47.96.117_443" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>  0.0.0.0/0[tcp/webcache]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>  0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>   candidate "PskSite_3622_479745_13.47.96.117_8080" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> proposing traffic selectors for us:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>  0.0.0.0/0[tcp/pcsync-https]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> proposing traffic selectors for other:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>  0.0.0.0/0[tcp]
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>   candidate "PskSite_3622_479745_13.47.96.117_8443" with prio 2+2
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> found matching child config "PskSite_3622_479745_13.47.96.117_0" with prio 20
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> selecting proposal:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>   no acceptable ENCRYPTION_ALGORITHM found
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> selecting proposal:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>   no acceptable ENCRYPTION_ALGORITHM found
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328> selecting proposal:
Nov 19 15:41:36 03[CFG] <PskSite_3622_479745_13.47.96.117_0|242328>   no acceptable DIFFIE_HELLMAN_GROUP found
Nov 19 15:41:36 03[WSS] <PskSite_3622_479745_13.47.96.117_0|242328> CHILD_SA no matching proposal found, received-proposals='ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ', configured-proposals='ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/NULL/AES_CTR_128/AES_CTR_192/AES_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NULL_AES_GMAC_128/NULL_AES_GMAC_192/NULL_AES_GMAC_256/BLOWFISH_CBC_128/BLOWFISH_CBC_192/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_128_GMAC/AES_192_GMAC/AES_256_GMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_1024_160/MODP_2048_224/MODP_2048_256/NO_EXT_SEQ'
Nov 19 15:41:36 03[IKE] <PskSite_3622_479745_13.47.96.117_0|242328> no acceptable proposal found
Nov 19 15:41:36 03[IKE] <PskSite_3622_479745_13.47.96.117_0|242328> failed to establish CHILD_SA, keeping IKE_SA
Nov 19 15:41:36 03[CHD] <PskSite_3622_479745_13.47.96.117_0|242328> CHILD_SA PskSite_3622_479745_13.47.96.117_0{0} state change: CREATED => DESTROYING
Nov 19 15:41:36 03[ENC] <PskSite_3622_479745_13.47.96.117_0|242328> generating CREATE_CHILD_SA response 70 [ N(NO_PROP) ]
Nov 19 15:41:36 03[NET] <PskSite_3622_479745_13.47.96.117_0|242328> sending packet: from 192.168.2.5[500] to 13.47.96.117[500] (80 bytes)
Nov 19 15:41:36 03[MGR] <PskSite_3622_479745_13.47.96.117_0|242328> checkin IKE_SA PskSite_3622_479745_13.47.96.117_0[242328]
Nov 19 15:41:36 03[MGR] <PskSite_3622_479745_13.47.96.117_0|242328> check-in of IKE_SA successful.
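As an added troubleshooting aid (not part of this article or of WSS), the Python below parses a strongSwan-style "no matching proposal found" line like the one above, reports which transform type rules out each configured proposal (mirroring the "no acceptable ..." lines), and lists the DH group numbers the WSS side would accept so a replacement for DH20 can be chosen. The SAMPLE line is constructed by abridging the log line above, and the name-to-number table follows the IANA IKEv2 Diffie-Hellman group registry.

```python
import re

# Constructed sample: the WSS log line above, with the long third configured
# proposal abridged to the transforms that matter for this diagnosis.
SAMPLE = ("CHILD_SA no matching proposal found, received-proposals='ESP:AES_CBC_256/"
          "HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ', configured-proposals='ESP:AES_CBC_128/"
          "HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/"
          "AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/MODP_1024/MODP_2048/MODP_2048_256/NO_EXT_SEQ'")
# IANA IKEv2 group numbers for the DH names strongSwan prints (the firewall's DH20 is ECP_384).
DH_GROUP_NUMBER = {"MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14, "MODP_3072": 15,
                   "MODP_4096": 16, "MODP_6144": 17, "MODP_8192": 18, "ECP_256": 19,
                   "ECP_384": 20, "ECP_521": 21, "MODP_1024_160": 22,
                   "MODP_2048_224": 23, "MODP_2048_256": 24}
CHECK_ORDER = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
               "DIFFIE_HELLMAN_GROUP", "EXTENDED_SEQUENCE_NUMBERS")

def transform_type(name):
    # Classify a strongSwan transform token by its IKEv2 transform type.
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "EXTENDED_SEQUENCE_NUMBERS"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")) or name.endswith("_GMAC"):
        return "INTEGRITY_ALGORITHM"
    return "ENCRYPTION_ALGORITHM"  # AES_CBC_*, AES_GCM_*, 3DES_CBC, NULL, ...

def parse_proposals(field):
    # "ESP:A/B, ESP:C/D" -> one {transform_type: set(names)} dict per proposal.
    proposals = []
    for prop in field.split(", "):
        by_type = {}
        for t in prop.partition(":")[2].split("/"):
            by_type.setdefault(transform_type(t), set()).add(t)
        proposals.append(by_type)
    return proposals

def diagnose(log_line):
    # Per configured proposal, the first transform type the peer's offer fails on
    # (None if it would match), mirroring strongSwan's "no acceptable ..." lines.
    m = re.search(r"received-proposals='([^']*)', configured-proposals='([^']*)'", log_line)
    received = parse_proposals(m.group(1))[0]
    return [next((t for t in CHECK_ORDER
                  if received.get(t) and not received[t] & configured.get(t, set())), None)
            for configured in parse_proposals(m.group(2))]

def accepted_dh_groups(log_line):
    # DH group numbers offered by any configured proposal: candidates to replace DH20.
    field = re.search(r"configured-proposals='([^']*)'", log_line).group(1)
    names = set().union(*(p.get("DIFFIE_HELLMAN_GROUP", set()) for p in parse_proposals(field)))
    return sorted(DH_GROUP_NUMBER[n] for n in names if n in DH_GROUP_NUMBER)
```

Run against the full log line above, diagnose() returns the same three verdicts as the "selecting proposal" entries, and accepted_dh_groups() returns every MODP group in the configured-proposals list.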
