https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-negotiation-issues/m-p/544151#M1366 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/251459">@Partner_Infra</a> ,</P> <P>Am I understanding your question correctly:</P> <P>- You have multiple VPN tunnels</P> <P>- In some case your public Internet connection is going down and up again after some time</P> <P>- After the Internet line is restored most of the VPN tunnel are restored, but only one is not re-established and still show "red" status in GUI</P> <P>- When you execute the "test vpn" command tunnel is re-established successfully.</P> <P>&nbsp;</P> <P>The majority of network devices will initiate VPN negotiation ONLY when they receive traffic that needs to be forwarded over the tunnel.</P> <P>From your explanation it seems that there is no traffic initiated/sourced from your internal network that will trigger VPN negotion. "test vpn" command is forcing the firewall to start VPN negotiation even if there is not actual traffic that will pass over the tunnel.</P> <P>&nbsp;</P> <P>If you just expect this tunnel to re-establish immediately, like the rest of the tunnel - it could be just that this tunnel is not used very often and and you need to wait longer for real traffic that it will initiate tunnel negotiation.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 31 May 2023 12:02:00 GMT aleksandar.astardzhiev 2023-05-31T12:02:00Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-negotiation-issues/m-p/544077#M1362 <P>Dear Members,</P> <P>Greeting to All!</P> <P>&nbsp;</P> <P>Curranty, I'm using site to site multiple VPN configuration with Palo alto Firewall to different vendor site. All of the tunnel is working fine VPN ok.</P> <P>My main problem is inside of my firewall public internet down then coming to UP in case, Some of the tunnel is came to up and show green. But one of the tunnel status is still down even internet interface after UP. So, in case when I go to the CLI mode then type the following command the tunnel is came to UP.</P> <P>&nbsp;</P> <P>test vpn ike-sa gateway IKE_Prod_V2&nbsp; &nbsp;</P> <P>Start time: May.31 10:16:15<BR />Initiate 1 IKE SA.</P> <P>&nbsp;</P> <P>I want to clarify how can we solve for my current issues that we no need&nbsp; to run without test vpn ike-sa gateway IKE_Prod_V2 command.</P> <P>Please kindly helps me.</P> <P>&nbsp;</P> <P>Pyie Phyo Htay.</P> Wed, 31 May 2023 04:08:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-negotiation-issues/m-p/544077#M1362 Partner_Infra 2023-05-31T04:08:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-negotiation-issues/m-p/544151#M1366 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/251459">@Partner_Infra</a> ,</P> <P>Am I understanding your question correctly:</P> <P>- You have multiple VPN tunnels</P> <P>- In some case your public Internet connection is going down and up again after some time</P> <P>- After the Internet line is restored most of the VPN tunnel are restored, but only one is not re-established and still show "red" status in GUI</P> <P>- When you execute the "test vpn" command tunnel is re-established successfully.</P> <P>&nbsp;</P> <P>The majority of network devices will initiate VPN negotiation ONLY when they receive traffic that needs to be forwarded over the tunnel.</P> <P>From your explanation it seems that there is no traffic initiated/sourced from your internal network that will trigger VPN negotion. "test vpn" command is forcing the firewall to start VPN negotiation even if there is not actual traffic that will pass over the tunnel.</P> <P>&nbsp;</P> <P>If you just expect this tunnel to re-establish immediately, like the rest of the tunnel - it could be just that this tunnel is not used very often and and you need to wait longer for real traffic that it will initiate tunnel negotiation.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 31 May 2023 12:02:00 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-vpn-negotiation-issues/m-p/544151#M1366 aleksandar.astardzhiev 2023-05-31T12:02:00Z