Knowledge Base Article

IPSec with Azure Gateway

Packet Loss with Azure IPSec Gateway?

Issue: Intermittent IPSec disconnects; packet loss; TLSi disabled.

Symptoms:

  • Timeline shows 'unable to decrypt' packets intermittently
  • CMA events subsequently show TLS Inspection disabled
  • Session with a server / host behind the Azure IPSec gateway is lost.
  • The IPSec Timeline shows the following in the logs:
      Unable to decrypt packet - ignoring
      Error parsing or unsupported parameters in an incoming packet

Environment:

  • IKEv2 tunnel with Azure Gateway
  • GCM algorithm used in the Phase 1 cipher-suite
  • Rekey / Security Association timers are configured such that Azure is the initiator for rekeying (i.e. Azure timer <= Cato timer). For IKE Phase 1, the Cato default is 19800 sec (5.5 hrs); the Azure default is 8 hrs.

The larger picture: when GCM is used and the IKE timers are left at default / matching values [3600 sec (P1) and 28800 sec (P2)], this issue is observed whenever the Azure gateway is the initiator of the IKE Phase 1 tunnel. Cato receives a malformed packet from Azure that Cato is unable to decrypt, and the corresponding message shown above is logged in the IPsec Timeline. Refer to the articles below for where to find timelines and pcaps in the CMA.

Solution:

- Whenever you see similar symptoms, the recommendation is to set the P1 lifetime on Cato to the default value of 19800 sec (5.5 hrs). This keeps it lower than the Azure default of 28800 sec (8 hrs) and ensures that Cato is always the initiator of the P1 rekey.

- Another workaround: this issue is specific to GCM-based algorithms. Instead of GCM, use a CBC-based cipher-suite for the IKEv2 Phase 1 / Init Message parameters.
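The following is an added diagnostic example, not Cato or Azure code, that ties the Symptoms and Solution sections together: it scans IPsec timeline text for the two messages quoted above and evaluates a Phase 1 configuration against the rekey-initiator rule (shorter IKE SA lifetime rekeys first; Azure timer <= Cato timer means Azure initiates). The timeline lines, the `Phase1Config` shape, and the cipher-suite name strings are constructed assumptions; the 19800 / 28800 second values are the defaults stated in this article.

```python
"""Diagnostic helper for the Azure IKEv2 GCM rekey symptom (added example).

Assumptions (not part of the article or any vendor product):
- the timeline is available as plain text, one event per line;
- the Phase 1 settings are known for both peers;
- GCM suites are recognised by the substring "gcm" in the cipher name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Defaults quoted in the article.
CATO_DEFAULT_P1_LIFETIME = 19800   # 5.5 hrs
AZURE_DEFAULT_P1_LIFETIME = 28800  # 8 hrs

# Constructed sample timeline (not a real CMA export format).
SAMPLE_TIMELINE = """\
2024-05-01T02:58:10Z IKEv2 CHILD_SA rekey completed with 203.0.113.10
2024-05-01T08:30:01Z Unable to decrypt packet - ignoring
2024-05-01T08:30:01Z Error parsing or unsupported parameters in an incoming packet
2024-05-01T08:30:05Z Tunnel down: peer 203.0.113.10
2024-05-01T08:30:40Z IKE_SA established with 203.0.113.10
"""

# The two symptom messages listed in the article.
SYMPTOM_PATTERNS = (
    re.compile(r"unable to decrypt packet", re.IGNORECASE),
    re.compile(r"error parsing or unsupported parameters", re.IGNORECASE),
)


def find_symptoms(timeline: str) -> list[str]:
    """Return every timeline line that carries one of the symptom messages."""
    return [
        line for line in timeline.splitlines()
        if any(p.search(line) for p in SYMPTOM_PATTERNS)
    ]


@dataclass
class Phase1Config:
    cato_p1_lifetime_sec: int
    azure_p1_lifetime_sec: int
    cato_p1_cipher: str  # e.g. "aes256gcm16" (GCM) or "aes256-cbc" (CBC); names assumed


def is_gcm(cipher: str) -> bool:
    """Assumption: GCM suites carry 'gcm' in their name."""
    return "gcm" in cipher.lower()


def rekey_initiator(cfg: Phase1Config) -> str:
    """Whichever side has the shorter IKE SA lifetime rekeys first.

    With equal timers the article treats Azure as the initiator
    (Azure timer <= Cato timer), so the comparison is strict.
    """
    if cfg.cato_p1_lifetime_sec < cfg.azure_p1_lifetime_sec:
        return "cato"
    return "azure"


def assess(cfg: Phase1Config, timeline: str) -> dict:
    """Combine the log evidence with the config rule and list the article's fixes."""
    symptoms = find_symptoms(timeline)
    initiator = rekey_initiator(cfg)
    at_risk = is_gcm(cfg.cato_p1_cipher) and initiator == "azure"
    recommendations: list[str] = []
    if at_risk:
        recommendations.append(
            f"Set Cato P1 lifetime to {CATO_DEFAULT_P1_LIFETIME} sec "
            f"(below Azure's {AZURE_DEFAULT_P1_LIFETIME} sec) so Cato initiates the rekey"
        )
        recommendations.append("Or switch the IKEv2 Phase 1 cipher-suite from GCM to CBC")
    return {
        "symptom_lines": symptoms,
        "rekey_initiator": initiator,
        "at_risk": at_risk,
        "recommendations": recommendations,
    }


if __name__ == "__main__":
    # Matching 28800 sec timers on both sides with a GCM suite: the risky combination.
    risky = Phase1Config(28800, AZURE_DEFAULT_P1_LIFETIME, "aes256gcm16")
    for key, value in assess(risky, SAMPLE_TIMELINE).items():
        print(f"{key}: {value}")
```

Run it against an exported timeline in place of `SAMPLE_TIMELINE`; a non-empty `symptom_lines` together with `at_risk: True` points at the configuration described in this article, and either recommendation clears the `at_risk` flag.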

IKEv2 Phase 1 - Init Messages


Cato maintains its own IPSec suite, built from scratch on the RFC standards. Cato has been deployed as a gateway peering with many different SD-WAN vendors by some of our largest enterprise customers, with 100+ sites across the globe. Lab tests by our experts confirm that the behavior is the same when the Azure IPSec gateway peers with a Juniper SRX or Fortinet device, i.e. the issue is not specific to Cato.

Contributors: Special thanks to ngog for finding this bug and reviewing the article for corrections.

Reference articles:

  1. Did you know? - IPSEC Timelines and PCAP | Cato Connect
  2. https://support.catonetworks.com/hc/en-us/articles/4413280512785-Advanced-Configurations-for-a-Site
  3. https://support.catonetworks.com/hc/en-us/articles/4413273472145-Configuring-IPsec-IKEv1-Sites
  4. https://support.catonetworks.com/hc/en-us/articles/360001688857-Cato-IPsec-Guide-IKEv1-vs-IKEv2
  5. https://support.catonetworks.com/hc/en-us/articles/16203875505565-IPsec-Site-Connectivity-Troubleshooting
  6. https://support.catonetworks.com/hc/en-us/articles/11013259398301-Troubleshooting-IPsec-Connectivity
Updated 9 days ago
Version 10.0