
IPSEC tunnel is flapping

62289
Created On 09/26/18 21:06 PM - Last Modified 08/15/23 06:19 AM
VPNS
PAN-OS

Symptom

An IPSEC tunnel is flapping consistently.

This can cause occasional packet drops or unstable network communication.

Environment

Palo Alto Strata Firewall (any PAN-OS)

Prisma Access for Networks
Prisma Access service connection.

Cause

One of the reasons for the tunnel flapping or not passing traffic is an unstable SPI number. This can be caused by a mismatch in the IKE/IPSEC configuration, which makes the tunnel rekey multiple times.

A security association is uniquely identified by a triple consisting of a Security Parameter Index (SPI), an IP Destination Address, and a security protocol (AH or ESP) identifier. The SPI is an arbitrary 32-bit value that is used by a receiver to identify the SA to which an incoming packet should be bound. The SPI is provided to map the incoming packet to an SA at the destination.

The SPI number should remain stable until a tunnel renegotiates. If this number is changing, the tunnel will not be stable.

Resolution

EXAMPLE (screenshots not reproduced here): In both screenshots, the SPI number is changing.

1. Check the lifetime of Phase 1 and Phase 2: the time values should match those of the peer device for the respective IKE or IPSEC crypto profiles.
2. Check whether the proxy IDs match. Check this article for more details on proxy ID.
3. Collect the tech support report from the firewall at the time of the issue so the logs can be analysed later. (For Prisma Access, collect the logs from the on-prem device and reach out to the support team with details about the issue for log collection on the Prisma Access side.)
4. Check the ikemgr.log at the time of the issue to get more details.
5. If tunnel monitoring is turned on on either of the VPN endpoints, ensure there are security rules to allow that communication.
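The two checks below are an added example, not part of the original article or of any PAN-OS tooling: the first detects an unstable SPI from a series of polled SA observations (the symptom described under Cause), the second compares local and peer lifetimes and proxy IDs (steps 1 and 2 above). The sample observations, the profile dictionaries and their key names are constructed for illustration and do not reflect real PAN-OS output or CLI syntax.

```python
from datetime import datetime

# Constructed sample: (timestamp, inbound SPI) polled every 5 minutes from the
# firewall's IPsec SA table. Format is assumed, not real PAN-OS output.
SPI_SAMPLES = [
    ("2018-09-26 21:00", "0xc12f4a01"),
    ("2018-09-26 21:05", "0xc12f4a01"),
    ("2018-09-26 21:10", "0x3e77b102"),  # SPI changed
    ("2018-09-26 21:15", "0x9a04d3ef"),  # changed again
    ("2018-09-26 21:20", "0x9a04d3ef"),
    ("2018-09-26 21:25", "0x1b6c0e77"),  # changed again
]

def spi_changes(samples):
    """Count how many times the SPI changed between consecutive polls."""
    return sum(1 for a, b in zip(samples, samples[1:]) if a[1] != b[1])

def is_flapping(samples, ipsec_lifetime_s):
    """True if the SPI changed more often than the IPsec lifetime allows.
    A healthy tunnel rekeys about once per lifetime; one extra change is
    tolerated for a rekey that falls on the observation window boundary."""
    fmt = "%Y-%m-%d %H:%M"
    span = datetime.strptime(samples[-1][0], fmt) - datetime.strptime(samples[0][0], fmt)
    expected_rekeys = span.total_seconds() / ipsec_lifetime_s
    return spi_changes(samples) > expected_rekeys + 1

# Constructed local/peer profiles; key names are illustrative only.
LOCAL = {"ike_lifetime_s": 28800, "ipsec_lifetime_s": 3600,
         "proxy_local": "10.1.0.0/24", "proxy_remote": "10.2.0.0/24"}
PEER = {"ike_lifetime_s": 28800, "ipsec_lifetime_s": 1800,
        "proxy_local": "10.2.0.0/24", "proxy_remote": "10.1.0.0/16"}

def profile_mismatches(local, peer):
    """Return (field, local_value, peer_value) for every setting that must
    agree but differs. Proxy IDs are mirrored: our local network must equal
    the peer's remote network and vice versa."""
    bad = []
    for key in ("ike_lifetime_s", "ipsec_lifetime_s"):
        if local[key] != peer[key]:
            bad.append((key, local[key], peer[key]))
    if local["proxy_local"] != peer["proxy_remote"]:
        bad.append(("proxy_local vs peer proxy_remote", local["proxy_local"], peer["proxy_remote"]))
    if local["proxy_remote"] != peer["proxy_local"]:
        bad.append(("proxy_remote vs peer proxy_local", local["proxy_remote"], peer["proxy_local"]))
    return bad

if __name__ == "__main__":
    print("SPI changes:", spi_changes(SPI_SAMPLES), "flapping:", is_flapping(SPI_SAMPLES, 3600))
    for field, mine, theirs in profile_mismatches(LOCAL, PEER):
        print(f"MISMATCH {field}: local={mine} peer={theirs}")
```

With the constructed data the script reports three SPI changes in 25 minutes against a one-hour lifetime (flapping) and flags the IPsec lifetime and one proxy-ID pair as mismatched.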
