We have an s2s VPN between a Cisco ASR and a Palo Alto firewall. Every hour the tunnel interface on the ASR flaps, and this matches up with Palo logs showing re-key events.
I always get in a pickle with phase 1 vs phase 2 timers, and what needs to match etc.
The Palo VPN is set up with 28800 seconds on the IKE crypto and IPsec proposal. I haven't specified timers on the Cisco, so I believe phase 2 defaults to 3600 sec?
I changed the timers on the Palo to match 3600 sec but the VPN tunnel interface still keeps flapping.
Anyone able to offer advice?