ThomasGbK
New Contributor

Re-Auth when HA Resync

We have a tunnel up with a Palo Alto on the other end. The tunnel comes up and stays up fine; however, when our cluster does an HA resync every 15 minutes the tunnel re-authenticates instead of just re-keying. Any ideas as to why that happens? It seems like PFS is not negotiated even though it is enabled on both ends, or is that just the nature of using AES256GCM in P2?


We are on 6.2.5.


Remote GW IP: X.X.X.X
Local GW IP: Y.Y.Y.Y
#############
# Phase 1
#############
name : CONFIG-NAME
type : static
interface : WAN-01
ip-version : 4
ike-version : 2
local-gw : 0.0.0.0
keylife : 28800
authmethod : psk
authmethod-remote :
peertype : any
net-device : disable
passive-mode : disable
exchange-interface-ip: disable
aggregate-member : disable
mode-cfg : disable
proposal : aes256-sha256
localid :
localid-type : auto
auto-negotiate : enable
negotiate-timeout : 15
fragmentation : enable
ip-fragmentation : post-encapsulation
dpd : disable
forticlient-enforcement: disable
comments : VPN: CONFIG-NAME
npu-offload : enable
dhgrp : 19
suite-b : disable
eap : disable
ppk : disable
wizard-type : custom
reauth : disable
idle-timeout : disable
ha-sync-esp-seqno : enable
auto-discovery-sender: disable
auto-discovery-receiver: disable
auto-discovery-forwarder: disable
encapsulation : none
nattraversal : enable
fragmentation-mtu : 1200
childless-ike : disable
rekey : enable
network-overlay : disable
remote-gw : X.X.X.X
monitor :
tunnel-search : selectors
add-gw-route : disable
psksecret : *
keepalive : 10
#############
# Phase 2
#############
name : CONFIG-NAME
phase1name : CONFIG-NAME
proposal : aes256gcm
pfs : enable
ipv4-df : disable
dhgrp : 19
replay : enable
keepalive : disable
auto-negotiate : disable
auto-discovery-sender: phase1
auto-discovery-forwarder: phase1
keylife-type : seconds
encapsulation : tunnel-mode
comments : VPN: CONFIG-NAME
10.10.40.0/21
10.103.29.32/28
protocol : 0
src-addr-type : subnet
src-port : 0
dst-addr-type : subnet
dst-port : 0
keylifeseconds : 28800
src-subnet : 10.10.40.0 255.255.248.0
dst-subnet : 10.103.29.32 255.255.255.240
#############
# Log
#############
2020-12-21 15:24:43.428254 ike HA resync start
2020-12-21 15:24:43.428343 ike HA resync finish
2020-12-21 15:24:43.442707 ike 2:CONFIG-NAME: HA IKE add conn
2020-12-21 15:24:43.442725 ike 2:CONFIG-NAME: HA add IKE SA 5ca8e112ce8a5772/bc962ce742a4be14
2020-12-21 15:24:43.442733 ike 2:CONFIG-NAME:942572: HA add IKE SA ignored, already exists
2020-12-21 15:24:43.442742 ike 2:CONFIG-NAME:CONFIG-NAME: HA add IPsec SA c0e4216f/eae37180 seq 8f0d1801 26
2020-12-21 15:24:43.442751 ike 2:CONFIG-NAME:CONFIG-NAME: src 0 4 0:10.10.40.0/255.255.248.0:0
2020-12-21 15:24:43.442759 ike 2:CONFIG-NAME:CONFIG-NAME: dst 0 4 0:10.103.29.32/255.255.255.240:0
<snip>
2020-12-21 15:24:53.304423 ike 2:CONFIG-NAME: NAT keep-alive 55 Y.Y.Y.Y->X.X.X.X:4500.
2020-12-21 15:24:53.304460 ike 2:CONFIG-NAME:942572: only have HA IKE SA, first negotiate new IKE SA
2020-12-21 15:24:53.304530 ike 2:CONFIG-NAME:CONFIG-NAME: chosen to populate IKE_SA traffic-selectors
2020-12-21 15:24:53.304547 ike 2:CONFIG-NAME: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
2020-12-21 15:24:53.304661 ike 2:CONFIG-NAME:942765: out AAC295564E07D6A000000000000000002120220800000000000000F8220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C00000008040000132800004800130000E8813BB3C318E35E492D8F348E078971297B4E4DBD96D754F073CDABF19270FEB271215CA377C445CD29818C79E37B97BFA94666F94D267E3AE93C74BADD0C75290000242341415E2FFA1BECAEF6B423475CE2DD6D6CC77789DC4387B8A6AD19F7D7AF492900001C00004004C25BBEB43A74511A03E9816607A4775D43A42B6A2900001C00004005F035E867AFB60BBEDD6881206CCFB85057F95905000000080000402E
2020-12-21 15:24:53.304688 ike 2:CONFIG-NAME:942765: sent IKE msg (SA_INIT): Y.Y.Y.Y:4500->X.X.X.X:4500, len=248, id=aac295564e07d6a0/0000000000000000
2020-12-21 15:24:53.328364 ike 2: comes X.X.X.X:4500->Y.Y.Y.Y:4500,ifindex=55....
2020-12-21 15:24:53.328382 ike 2: IKEv2 exchange=SA_INIT_RESPONSE id=aac295564e07d6a0/5a285f1a7bba9a29 len=240
2020-12-21 15:24:53.328390 ike 2: in AAC295564E07D6A05A285F1A7BBA9A292120222000000000000000F0220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C00000008040000132800004800130000294BE54759C0305E232ECFDD9A7D4B7B8F1A3109B4E011777FF95DE3DE5C8E0FB7EF0E469686118DFAF11432375958D68BE3CDCFA41546B3FE85F1A47FAE1DEF2900002431B7B459043258C702702951B26BE9C68BA93D50F6EC56D2AAB04AD02BB4029F2900001C000040040E250E950A81971F11679C98826A83A0CE56EE1E0000001C0000400598D895565B9CBEB2340A0FA2529E412A6D07BAFD
2020-12-21 15:24:53.328403 ike 2:CONFIG-NAME:942765: initiator received SA_INIT response
2020-12-21 15:24:53.328411 ike 2:CONFIG-NAME:942765: processing notify type NAT_DETECTION_SOURCE_IP
2020-12-21 15:24:53.328428 ike 2:CONFIG-NAME:942765: processing NAT-D payload
2020-12-21 15:24:53.328436 ike 2:CONFIG-NAME:942765: NAT detected: PEER
2020-12-21 15:24:53.328443 ike 2:CONFIG-NAME:942765: process NAT-D
2020-12-21 15:24:53.328450 ike 2:CONFIG-NAME:942765: processing notify type NAT_DETECTION_DESTINATION_IP
2020-12-21 15:24:53.328462 ike 2:CONFIG-NAME:942765: processing NAT-D payload
2020-12-21 15:24:53.328470 ike 2:CONFIG-NAME:942765: NAT detected: PEER
2020-12-21 15:24:53.328476 ike 2:CONFIG-NAME:942765: process NAT-D
2020-12-21 15:24:53.328484 ike 2:CONFIG-NAME:942765: incoming proposal:
2020-12-21 15:24:53.328491 ike 2:CONFIG-NAME:942765: proposal id = 1:
2020-12-21 15:24:53.328497 ike 2:CONFIG-NAME:942765: protocol = IKEv2:
2020-12-21 15:24:53.328503 ike 2:CONFIG-NAME:942765: encapsulation = IKEv2/none
2020-12-21 15:24:53.328509 ike 2:CONFIG-NAME:942765: type=ENCR, val=AES_CBC (key_len = 256)
2020-12-21 15:24:53.328516 ike 2:CONFIG-NAME:942765: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
2020-12-21 15:24:53.328522 ike 2:CONFIG-NAME:942765: type=PRF, val=PRF_HMAC_SHA2_256
2020-12-21 15:24:53.328529 ike 2:CONFIG-NAME:942765: type=DH_GROUP, val=ECP256.
2020-12-21 15:24:53.328537 ike 2:CONFIG-NAME:942765: matched proposal id 1
2020-12-21 15:24:53.328543 ike 2:CONFIG-NAME:942765: proposal id = 1:
2020-12-21 15:24:53.328549 ike 2:CONFIG-NAME:942765: protocol = IKEv2:
2020-12-21 15:24:53.328555 ike 2:CONFIG-NAME:942765: encapsulation = IKEv2/none
2020-12-21 15:24:53.328562 ike 2:CONFIG-NAME:942765: type=ENCR, val=AES_CBC (key_len = 256)
2020-12-21 15:24:53.328568 ike 2:CONFIG-NAME:942765: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
2020-12-21 15:24:53.328574 ike 2:CONFIG-NAME:942765: type=PRF, val=PRF_HMAC_SHA2_256
2020-12-21 15:24:53.328580 ike 2:CONFIG-NAME:942765: type=DH_GROUP, val=ECP256.
2020-12-21 15:24:53.328587 ike 2:CONFIG-NAME:942765: lifetime=28800
2020-12-21 15:24:53.328751 ike 2:CONFIG-NAME:942765: IKE SA aac295564e07d6a0/5a285f1a7bba9a29 SK_ei 32:476CBC9511C08F8D873CECC93371F09F5422D4FB87EFF4A51917BAE62D3C66B3
2020-12-21 15:24:53.328760 ike 2:CONFIG-NAME:942765: IKE SA aac295564e07d6a0/5a285f1a7bba9a29 SK_er 32:E1C9B9C789A174BC0C78789E4CA8FDF38D785621E927CD64579F3BC21C75821E
2020-12-21 15:24:53.328767 ike 2:CONFIG-NAME:942765: IKE SA aac295564e07d6a0/5a285f1a7bba9a29 SK_ai 32:B3B6696DDA4C429819C250C549DD084428B025FCDC630DD4A5AB768799230E2F
2020-12-21 15:24:53.328774 ike 2:CONFIG-NAME:942765: IKE SA aac295564e07d6a0/5a285f1a7bba9a29 SK_ar 32:3F5B46DF0631F5FFBF4A13BE8964BF6E84CEA02A61E57C50B4307F60427509E3
2020-12-21 15:24:53.328789 ike 2:CONFIG-NAME:942765: initiator preparing AUTH msg
2020-12-21 15:24:53.328808 ike 2:CONFIG-NAME:942765: enc 2700000C0100000050EFAF482900002802000000734C178CB9B0C6AD5EB3EC5A09D26689FB80073B5EC52D464766B58ED99135BE21000008000040242C0000240000002001030402C0E421CD0300000C01000014800E010000000008050000002D00001801000000070000100000FFFF0A0A28000A0A2FFF0000001801000000070000100000FFFF0A671D200A671D2F0F0E0D0C0B0A0908070605040302010F
2020-12-21 15:24:53.328822 ike 2:CONFIG-NAME:942765: detected NAT
2020-12-21 15:24:53.328828 ike 2:CONFIG-NAME:942765: NAT-T float port 4500
2020-12-21 15:24:53.328838 ike 2:CONFIG-NAME:942765: out AAC295564E07D6A05A285F1A7BBA9A292E20230800000001000000E0230000C4A81AE9F082B4CAB6364B27EEF4376A1310A96518F5EFFFCD7F12044D0D5FB46F73F6D2FCD39EFA331AB5E87B9ADAC827F14BAB8C9F3CBAB2D3133E42ECE17CBD55D024DE6F2D63C252C99BDCFC5E7AEE7C9F32E3653F9DFD9DA46C210B174B0D862FD156A5AA3AD57B8CDB9343F6B7B76DB49874C911354F39822277DAD7398F333530029ED8C9B45D38382F7BE5CBA2B05D6DCC57ADBC9CCE9990F714DA73B7C7EC197A1164EB9A9903C8277322EB314880D00F3DEE1F5DE0E91E7F95792EBE
2020-12-21 15:24:53.328855 ike 2:CONFIG-NAME:942765: sent IKE msg (AUTH): Y.Y.Y.Y:4500->X.X.X.X:4500, len=224, id=aac295564e07d6a0/5a285f1a7bba9a29:00000001
2020-12-21 15:24:53.352635 ike 2: comes X.X.X.X:4500->Y.Y.Y.Y:4500,ifindex=55....
2020-12-21 15:24:53.352650 ike 2: IKEv2 exchange=AUTH_RESPONSE id=aac295564e07d6a0/5a285f1a7bba9a29:00000001 len=224
2020-12-21 15:24:53.352656 ike 2: in AAC295564E07D6A05A285F1A7BBA9A292E20232000000001000000E0240000C4381A15E1D6327ECB0D5B5AF45D89803DC28D95854B18D5071DF3AAA31D688323FF297F41E9683E001FE12C12AACF1AFD32DA4F580C21C5C1E203CDB6F4D0020395987F66AA20A0E329CDE08B23275F92854F16ADA139A557B24CBCA6928CA2022F38C9067680925EF822A4D260577F1781B38CB2C9C49CF96A0D3C1240F79A858905762E9B59D7E9F67D176D03A7C546C1338C04496BA20E814A8CE4C4724401C47FCECEBAC91C3F6FB24787A9666F17C4684E25AC5928CD9A1891B939B4D8A0
2020-12-21 15:24:53.352682 ike 2:CONFIG-NAME:942765: dec AAC295564E07D6A05A285F1A7BBA9A292E20232000000001000000B0240000042700000C010000000A671D3D2900002802000000B687FEF91ED8173E311F514CDDEBF3BA7CFC1EEC39D77A522AA1A6B82FF28790210000080000400A2C0000240000002001030402DE64C6350300000C01000014800E010000000008050000002D00001801000000070000100000FFFF0A0A28000A0A2FFF0000001801000000070000100000FFFF0A671D200A671D2F
2020-12-21 15:24:53.352692 ike 2:CONFIG-NAME:942765: initiator received AUTH msg
2020-12-21 15:24:53.352698 ike 2:CONFIG-NAME:942765: peer identifier IPV4_ADDR 10.103.29.61
2020-12-21 15:24:53.352712 ike 2:CONFIG-NAME:942765: auth verify done
2020-12-21 15:24:53.352717 ike 2:CONFIG-NAME:942765: initiator AUTH continuation
2020-12-21 15:24:53.352722 ike 2:CONFIG-NAME:942765: authentication succeeded
2020-12-21 15:24:53.352727 ike 2:CONFIG-NAME:942765: processing notify type ESP_TFC_PADDING_NOT_SUPPORTED
2020-12-21 15:24:53.352744 ike 2:CONFIG-NAME:942765: established IKE SA aac295564e07d6a0/5a285f1a7bba9a29
2020-12-21 15:24:53.352766 ike 2:CONFIG-NAME: HA send IKE connection add Y.Y.Y.Y->X.X.X.X
2020-12-21 15:24:53.352778 ike 2:CONFIG-NAME:942765: HA send IKE SA add aac295564e07d6a0/5a285f1a7bba9a29
2020-12-21 15:24:53.352788 ike 2:CONFIG-NAME: schedule auto-negotiate
2020-12-21 15:24:53.352794 ike 2:CONFIG-NAME:942765: deleting HA IKEv2 SA 5ca8e112ce8a5772/bc962ce742a4be14
2020-12-21 15:24:53.352803 ike 2:CONFIG-NAME:942572: HA send IKE SA del 5ca8e112ce8a5772/bc962ce742a4be14
2020-12-21 15:24:53.352809 ike 2:CONFIG-NAME: deleting IPsec SA with SPI eae37180
2020-12-21 15:24:53.352821 ike 2:CONFIG-NAME:CONFIG-NAME: deleted IPsec SA with SPI eae37180, SA count: 0
2020-12-21 15:24:53.352831 ike 2:CONFIG-NAME: sending SNMP tunnel DOWN trap for CONFIG-NAME
2020-12-21 15:24:53.352884 ike 2:CONFIG-NAME:942572:1233793: send informational
2020-12-21 15:24:53.352895 ike 2:CONFIG-NAME:942572: enc 00000008010000000706050403020107
2020-12-21 15:24:53.352911 ike 2:CONFIG-NAME:942572: out 5CA8E112CE8A5772BC962CE742A4BE142E20250800000002000000502A000034F4A4DC36AAFD53445C17EE16094FF214462A9CE90C3E9DB585840F0BBD3D626A9BE87BF7EDBADDFCB9F22F09BE89A7F1
2020-12-21 15:24:53.352925 ike 2:CONFIG-NAME:942572: sent IKE msg (INFORMATIONAL): Y.Y.Y.Y:4500->X.X.X.X:4500, len=80, id=5ca8e112ce8a5772/bc962ce742a4be14:00000002
2020-12-21 15:24:53.352949 ike 2:CONFIG-NAME:942765:1233792: peer proposal:
2020-12-21 15:24:53.352958 ike 2:CONFIG-NAME:942765:1233792: TSr_0 0:10.103.29.32-10.103.29.47:0
2020-12-21 15:24:53.352965 ike 2:CONFIG-NAME:942765:1233792: TSi_0 0:10.10.40.0-10.10.47.255:0
2020-12-21 15:24:53.352970 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: comparing selectors
2020-12-21 15:24:53.352976 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: matched by rfc-rule-2
2020-12-21 15:24:53.352981 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: phase2 matched by subset
2020-12-21 15:24:53.352987 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: accepted proposal:
2020-12-21 15:24:53.352992 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: TSr_0 0:10.103.29.32-10.103.29.47:0
2020-12-21 15:24:53.352997 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: TSi_0 0:10.10.40.0-10.10.47.255:0
2020-12-21 15:24:53.353002 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: autokey
2020-12-21 15:24:53.353008 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: incoming child SA proposal:
2020-12-21 15:24:53.353013 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: proposal id = 1:
2020-12-21 15:24:53.353018 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: protocol = ESP:
2020-12-21 15:24:53.353023 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: encapsulation = TUNNEL
2020-12-21 15:24:53.353028 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: type=ENCR, val=AES_GCM_16 (key_len = 256)
2020-12-21 15:24:53.353033 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: type=ESN, val=NO
2020-12-21 15:24:53.353038 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: PFS is disabled
2020-12-21 15:24:53.353043 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: matched proposal id 1
2020-12-21 15:24:53.353048 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: proposal id = 1:
2020-12-21 15:24:53.353053 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: protocol = ESP:
2020-12-21 15:24:53.353057 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: encapsulation = TUNNEL
2020-12-21 15:24:53.353062 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: type=ENCR, val=AES_GCM_16 (key_len = 256)
2020-12-21 15:24:53.353067 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: type=INTEGR, val=AUTH_NONE
2020-12-21 15:24:53.353072 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: type=ESN, val=NO
2020-12-21 15:24:53.353077 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: PFS is disabled
2020-12-21 15:24:53.353081 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: lifetime=28800
2020-12-21 15:24:53.353095 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: replay protection enabled
2020-12-21 15:24:53.353101 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: set sa life soft seconds=28497.
2020-12-21 15:24:53.353106 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: set sa life hard seconds=28800.
2020-12-21 15:24:53.353119 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: IPsec SA selectors #src=1 #dst=1
2020-12-21 15:24:53.353127 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: src 0 7 0:10.10.40.0-10.10.47.255:0
2020-12-21 15:24:53.353134 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: dst 0 7 0:10.103.29.32-10.103.29.47:0
2020-12-21 15:24:53.353139 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: add IPsec SA: SPIs=c0e421cd/de64c635
2020-12-21 15:24:53.353144 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: IPsec SA dec spi c0e421cd key 36:260FB3AC5EDE526BD5A0C56C06B534ECE10F0AB2AB70C961AEA72D56668B0A134B8D47C3 auth 0:
2020-12-21 15:24:53.353150 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: IPsec SA enc spi de64c635 key 36:81968C0305BB2F41D852A2FB030450EACE0F39DD29817A2DA9890C8CE378FAFBEAB48329 auth 0:
2020-12-21 15:24:53.353166 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: added IPsec SA: SPIs=c0e421cd/de64c635
2020-12-21 15:24:53.353191 ike 2:CONFIG-NAME: HA send IKEv2 message ID update send/recv=2/0
2020-12-21 15:24:53.353198 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: sending SNMP tunnel UP trap
2020-12-21 15:24:53.375850 ike 2: comes X.X.X.X:4500->Y.Y.Y.Y:4500,ifindex=55....
2020-12-21 15:24:53.375869 ike 2: IKEv2 exchange=INFORMATIONAL_RESPONSE id=5ca8e112ce8a5772/bc962ce742a4be14:00000002 len=80
2020-12-21 15:24:53.375876 ike 2: in 5CA8E112CE8A5772BC962CE742A4BE142E2025200000000200000050000000342B38FF2817F3DFCF8A6CCB967394B9115CFE5B24F34AE556CD68EB757995EEBCBCF7FA3324254D8611966A096B9AE950
2020-12-21 15:25:03.374434 ike 2:CONFIG-NAME: NAT keep-alive 55 Y.Y.Y.Y->X.X.X.X:4500.
2020-12-21 15:25:03.374461 ike 2:CONFIG-NAME:942765: out FF
2020-12-21 15:25:03.374476 ike 2:CONFIG-NAME:942765: sent IKE msg (keepalive): Y.Y.Y.Y:4500->X.X.X.X:4500, len=1, id=ff00000000000000/0000000000000000
I have a ticket open with Fortinet but it just doesn't get any traction.
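An added example, not from the post or from Fortinet: a small Python parser for the ike debug lines quoted above. It separates a full IKE_SA re-authentication after an HA resync (SA_INIT followed by AUTH on a brand-new SA) from a rekey, and checks the "PFS is disabled" result for the child SA against the phase 2 setting. The sample log and phase 2 snippet are excerpted from the post; the CREATE_CHILD marker used to recognise a rekey exchange is an assumption, since the post's log does not contain one.

```python
import re
from datetime import datetime

# Assumed keyword: an IKEv2 rekey in FortiGate ike debug output is taken to be a
# CREATE_CHILD exchange. The post's log only shows SA_INIT/AUTH strings, so this
# marker is an assumption, not something taken from the page.
REKEY_MARKER = "CREATE_CHILD"

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) ike (?P<msg>.*)$")
SPI_RE = re.compile(r"[0-9a-f]{16}/[0-9a-f]{16}")


def parse_fortigate_kv(text):
    """Parse the 'key : value' lines printed by the FortiGate CLI 'get' commands."""
    cfg = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def analyse_ike_log(log_text, phase2_cfg):
    """Return human-readable findings about what the IKE daemon did after an HA resync."""
    findings = []
    last_resync = None      # timestamp of the last 'HA resync finish'
    last_exchange = None    # 'AUTH' or 'CREATE_CHILD': exchange that creates the next child SA
    new_sa = "?"            # SPI pair of the most recently established IKE SA
    seen_pfs_ctx = set()    # the PFS line is printed twice per negotiation; report it once
    pfs_wanted = phase2_cfg.get("pfs") == "enable"

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group("msg")

        if msg == "HA resync finish":
            last_resync = ts
        elif "only have HA IKE SA, first negotiate new IKE SA" in msg:
            # A rekey would reuse the synced IKE SA; negotiating a brand-new IKE_SA is a re-auth.
            since = (f"{(ts - last_resync).total_seconds():.1f}s after HA resync"
                     if last_resync else "with no preceding HA resync")
            findings.append(f"full IKE_SA re-authentication started {since} (not a rekey)")
        elif "sent IKE msg (AUTH)" in msg:
            last_exchange = "AUTH"
        elif REKEY_MARKER in msg:
            last_exchange = "CREATE_CHILD"
        elif "established IKE SA" in msg:
            spi = SPI_RE.search(msg)
            new_sa = spi.group(0) if spi else "?"
        elif msg.endswith("PFS is disabled"):
            ctx = msg.rsplit(": ", 1)[0]
            if ctx in seen_pfs_ctx:
                continue
            seen_pfs_ctx.add(ctx)
            if not pfs_wanted:
                findings.append("child SA without PFS, consistent with pfs=disable")
            elif last_exchange == "AUTH":
                # RFC 7296: the CHILD_SA piggybacked on IKE_AUTH has no KE payload, so no PFS.
                findings.append("child SA created inside IKE_AUTH without PFS: expected per RFC 7296 "
                                "even with pfs=enable; PFS applies to CREATE_CHILD_SA rekeys only")
            else:
                findings.append("PFS disabled on a rekeyed child SA although pfs=enable: "
                                "proposal mismatch with the peer")
        elif "deleting HA IKEv2 SA" in msg:
            spi = SPI_RE.search(msg)
            old_sa = spi.group(0) if spi else "?"
            findings.append(f"HA-synced IKE SA {old_sa} replaced by fresh IKE SA {new_sa} "
                            "instead of being rekeyed")
        elif "sending SNMP tunnel DOWN trap" in msg:
            findings.append("SNMP tunnel DOWN trap emitted: the re-auth is a visible outage, "
                            "not a seamless rekey")
    return findings


# Excerpted from the post's phase 2 output and log (trimmed to the lines used above).
SAMPLE_PHASE2 = """\
name : CONFIG-NAME
phase1name : CONFIG-NAME
proposal : aes256gcm
pfs : enable
dhgrp : 19
keylifeseconds : 28800
"""

SAMPLE_LOG = """\
2020-12-21 15:24:43.428254 ike HA resync start
2020-12-21 15:24:43.428343 ike HA resync finish
2020-12-21 15:24:43.442725 ike 2:CONFIG-NAME: HA add IKE SA 5ca8e112ce8a5772/bc962ce742a4be14
2020-12-21 15:24:53.304460 ike 2:CONFIG-NAME:942572: only have HA IKE SA, first negotiate new IKE SA
2020-12-21 15:24:53.304688 ike 2:CONFIG-NAME:942765: sent IKE msg (SA_INIT): Y.Y.Y.Y:4500->X.X.X.X:4500, len=248, id=aac295564e07d6a0/0000000000000000
2020-12-21 15:24:53.328855 ike 2:CONFIG-NAME:942765: sent IKE msg (AUTH): Y.Y.Y.Y:4500->X.X.X.X:4500, len=224, id=aac295564e07d6a0/5a285f1a7bba9a29:00000001
2020-12-21 15:24:53.352744 ike 2:CONFIG-NAME:942765: established IKE SA aac295564e07d6a0/5a285f1a7bba9a29
2020-12-21 15:24:53.352794 ike 2:CONFIG-NAME:942765: deleting HA IKEv2 SA 5ca8e112ce8a5772/bc962ce742a4be14
2020-12-21 15:24:53.352831 ike 2:CONFIG-NAME: sending SNMP tunnel DOWN trap for CONFIG-NAME
2020-12-21 15:24:53.353038 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: PFS is disabled
2020-12-21 15:24:53.353077 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: PFS is disabled
2020-12-21 15:24:53.353139 ike 2:CONFIG-NAME:942765:CONFIG-NAME:1233792: add IPsec SA: SPIs=c0e421cd/de64c635
"""

if __name__ == "__main__":
    for finding in analyse_ike_log(SAMPLE_LOG, parse_fortigate_kv(SAMPLE_PHASE2)):
        print("-", finding)
```

Run against the post's own excerpt, the parser reports a full re-authentication about 9.9 s after the resync, the old HA-synced SA being replaced rather than rekeyed, and a DOWN trap. The "PFS is disabled" line is classified as expected rather than as a mismatch: the child SA in this log is created inside IKE_AUTH, which by RFC 7296 carries no key-exchange payload, so PFS (dhgrp 19 here) can only show up on a later CREATE_CHILD_SA rekey. Only the FortiGate side is visible; the Palo Alto end's behaviour would need its own logs.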