No DPD message while peer tunnel is down

tusharbanik — Tue, 14 Mar 2023 20:07:51 GMT

Problems with IPSEC VPN tunnel between PAN FW PLWALFWxx and the BlueCoat datacenters (Amsterdam, Frankfurt)
DPD does not seem to work.
Extra Information:

PLWALFW = PANOS 10.2.2.h2

INTERNET FW = PANOS 8.1.x

We have IPSEC tunnels between our PAN FW and BlueCoat Datacenters. BlueCoat were doing maintenance on their datapods last week.
- DPD on our PLWALFW did NOT kick in correctly. After tunnel down, IKE PHASE2 is being done for 7 or 8 hours without result. After that an IKE PHASE 1 is done and the tunnel comes back up correctly.
- BlueCoat support tells us that all other customers automatically RESTART the SAME tunnel and that the tunnel is automatically back up. These customers seemt o do IKE PHASE1 immediately after they have seen a problem with the tunnel. This same behaviour we see on our INTERNET FW, no IKE PHASE2, but IKE PHASE 1 immediately.
- We suspect a problem in PANOS10.2.2.h2.(pl confirm)
- We see the same behaviour on PLJELFWxx and FREDDFWxx. They are all in PANOS 10.2.2.h2.
I have discussed this with BlueCoat Support. All customers fail over correctly to a different POD in the same datacenter, except our FW, who starts doing IKE PHASE2, which should not be the case.

Please let us know what we need to do.

Re: No DPD message while peer tunnel is down

tusharbanik — Tue, 14 Mar 2023 20:11:12 GMT

Attached the screenshot.

tusharbanik — Tue, 14 Mar 2023 21:18:11 GMT

Anyone?? need suggestion.