https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-site-to-site-ipsec-vpn-went-down/m-p/540197#M1182 <P>Hi ,</P> <P>&nbsp;</P> <P>We've setup Site to Site IPsec VPN between Palo Alto Firewalls. The tunnel was up and working but it went down after some time.</P> <P>Look like the tunnel went down because there is no traffic passing through the tunnel. Everytime we&nbsp;need to trigger IPsec tunnel by using &gt;<EM>test vpn ike-sa gateway </EM>to bring up.</P> <P><SPAN>How can we configure the tunnel to be up all the time even there is no traffic passing through the tunnel?</SPAN></P> <P><SPAN>Do we need to enable tunnel-monitor ? Are there any other ways to make the tunnel up all the time?</SPAN></P> <P><SPAN>We are using IKEv2 preferred mode and we already enabled DPD for Ikev1 and liveliness check for ikev2.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please help suggest.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 26 Apr 2023 13:24:36 GMT EvanRaci 2023-04-26T13:24:36Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-site-to-site-ipsec-vpn-went-down/m-p/540197#M1182 <P>Hi ,</P> <P>&nbsp;</P> <P>We've setup Site to Site IPsec VPN between Palo Alto Firewalls. The tunnel was up and working but it went down after some time.</P> <P>Look like the tunnel went down because there is no traffic passing through the tunnel. Everytime we&nbsp;need to trigger IPsec tunnel by using &gt;<EM>test vpn ike-sa gateway </EM>to bring up.</P> <P><SPAN>How can we configure the tunnel to be up all the time even there is no traffic passing through the tunnel?</SPAN></P> <P><SPAN>Do we need to enable tunnel-monitor ? Are there any other ways to make the tunnel up all the time?</SPAN></P> <P><SPAN>We are using IKEv2 preferred mode and we already enabled DPD for Ikev1 and liveliness check for ikev2.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please help suggest.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 26 Apr 2023 13:24:36 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-site-to-site-ipsec-vpn-went-down/m-p/540197#M1182 EvanRaci 2023-04-26T13:24:36Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-site-to-site-ipsec-vpn-went-down/m-p/540224#M1183 <P>Either tunnel monitor or path monitoring inside virtual router.</P> <P>Without them tunnel will not be renegotiated if no interesting traffic.</P> Wed, 26 Apr 2023 18:08:31 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-site-to-site-ipsec-vpn-went-down/m-p/540224#M1183 Raido_Rattameister 2023-04-26T18:08:31Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-site-to-site-ipsec-vpn-went-down/m-p/544747#M1386 <P>After Checking Config , the issue is DH value mismatch. Change both side to same DH Value and now working fine&nbsp;</P> Mon, 05 Jun 2023 06:25:08 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-site-to-site-ipsec-vpn-went-down/m-p/544747#M1386 EvanRaci 2023-06-05T06:25:08Z