Issue
A Cisco ASA router initiates an IPSEC VPN tunnel to a Palo Alto Networks firewall. The tunnel drops, and when the Palo Alto Networks firewall tries to re-initiate it, the attempt fails. If the ASA initiates the tunnel instead, traffic passes.
Resolution
By default the Cisco ASA router terminates an idle session, regardless of the re-key timer on the tunnel. A tear-down message may or may not be sent to the receiving host, in this case a Palo Alto Networks firewall. If the Cisco device initiates the VPN tunnel after the timeout, it creates a new tunnel and traffic passes without issue. Traffic initiated from the firewall, however, continues to use the existing (now stale) tunnel information and fails to pass. The firewall has to tear down the existing tunnel and start a new one before traffic flows again. Disabling the idle-timeout default on the Cisco ASA allows the re-key timer on the firewall to work as it should.
The default timeout settings on the Cisco ASA are:
ciscoasa# show run all group-policy | i vpn
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 ipv6-vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
To disable the timeout setting:
config
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
Sample of Cisco logs showing the session teardown:
5|Nov 10 2010 10:11:37|713259: Group = 10.30.14.175, IP = 10.30.14.175, Session is being torn down. Reason: Idle Timeout
4|Nov 10 2010 10:11:37|113019: Group = 10.30.14.175, Username = 10.30.14.175, IP = 10.30.14.175, Session disconnected. Session Type: IPsec, Duration: 2h:42m:12s, Bytes xmt: 3543514, Bytes rcv: 283384, Reason: Idle Timeout
5|Nov 10 2010 10:11:37|713050: Group = 10.30.14.175, IP = 10.30.14.175, Connection terminated for peer 10.30.14.175. Reason: IPSec SA Idle Timeout Remote Proxy 192.168.21.0, Local Proxy 192.168.110.0
6|Nov 10 2010 10:11:37|602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC7F14BA1) between 10.30.14.177 and 10.30.14.175 (user= 10.30.14.175) has been deleted.
6|Nov 10 2010 10:11:37|602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xAE9D0F19) between 10.30.14.177 and 10.30.14.175 (user= 10.30.14.175) has been deleted.
6|Nov 10 2010 10:13:37|302016: Teardown UDP connection 2503 for outside:10.30.14.175/500 to identity:10.30.14.177/500 duration 1:20:55 bytes 25848
6|Nov 10 2010 10:20:54|302010: 1 in use, 44 most used
6|Nov 10 2010 10:30:58|302010: 1 in use, 44 most used
6|Nov 10 2010 10:41:01|302010: 1 in use, 44 most used
6|Nov 10 2010 10:41:27|302014: Teardown TCP connection 2494 for outside:192.168.21.201/55144 to inside:192.168.110.100/3389 duration 2:19:50 bytes 73571 Connection timeout
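The log sample above is the evidence of the failure mode: an Idle Timeout teardown (713259/713050) followed by deletion of the LAN-to-LAN SAs (602304), whose SPIs the peer firewall still holds. The following script is an added example, not part of this article or of any vendor tool; it parses ASA syslog lines in the "severity|timestamp|message-id: text" layout shown above and reports, per peer, the SA SPIs that were deleted because of an idle timeout, so an operator can alert on the stale-SA condition before traffic from the firewall side starts failing. The sample lines are constructed from the article's own log excerpt.

```python
import re
from collections import defaultdict

# Constructed sample in the same "sev|date|msgid: text" layout as the article's excerpt.
SAMPLE_LOGS = """\
5|Nov 10 2010 10:11:37|713259: Group = 10.30.14.175, IP = 10.30.14.175, Session is being torn down. Reason: Idle Timeout
5|Nov 10 2010 10:11:37|713050: Group = 10.30.14.175, IP = 10.30.14.175, Connection terminated for peer 10.30.14.175. Reason: IPSec SA Idle Timeout Remote Proxy 192.168.21.0, Local Proxy 192.168.110.0
6|Nov 10 2010 10:11:37|602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC7F14BA1) between 10.30.14.177 and 10.30.14.175 (user= 10.30.14.175) has been deleted.
6|Nov 10 2010 10:11:37|602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xAE9D0F19) between 10.30.14.177 and 10.30.14.175 (user= 10.30.14.175) has been deleted.
6|Nov 10 2010 10:20:54|302010: 1 in use, 44 most used
"""

# One ASA syslog record: severity | timestamp | six-digit message id: free text
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
# Body of a 602304 message: direction, SPI, local address, peer address
SA_RE = re.compile(
    r"(?P<dir>inbound|outbound) LAN-to-LAN SA \(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) "
    r"between (?P<local>[\d.]+) and (?P<peer>[\d.]+)"
)
IDLE_MSGIDS = ("713259", "713050")  # session/connection torn down messages


def parse_asa_lines(text):
    """Split raw syslog text into dicts with sev, ts, msgid and text fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def idle_timeout_teardowns(events):
    """Return {peer_ip: [(direction, spi), ...]} for peers whose session was torn
    down with Reason: Idle Timeout and whose L2L SAs were subsequently deleted.
    Those SPIs are the ones the remote firewall may still be using."""
    idle_peers = set()
    deleted = defaultdict(list)
    for ev in events:
        if ev["msgid"] in IDLE_MSGIDS and "Idle Timeout" in ev["text"]:
            peer = re.search(r"IP = ([\d.]+)", ev["text"])
            if peer:
                idle_peers.add(peer.group(1))
        elif ev["msgid"] == "602304":
            sa = SA_RE.search(ev["text"])
            if sa:
                deleted[sa["peer"]].append((sa["dir"], sa["spi"]))
    return {p: deleted[p] for p in idle_peers if p in deleted}


if __name__ == "__main__":
    for peer, sas in idle_timeout_teardowns(parse_asa_lines(SAMPLE_LOGS)).items():
        print(f"peer {peer}: SAs deleted after idle timeout -> {sas}")
```

Feed the script a day of ASA syslog and a non-empty result for a site-to-site peer means the ASA idle timeout, not the re-key timer, is ending the tunnel.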