https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/531276#M109557 <P>I am seeing a similar issue that I'm trying to work through. In your setup, is there is a single WAN interface at the site, or are you failing over to another WAN interface? Is either side of the tunnel in dynamic, or passive mode?</P> <P>Do you have "Liveness Check" enabled in the IKE settings?</P> Wed, 15 Feb 2023 18:56:16 GMT ksalustro 2023-02-15T18:56:16Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/518010#M107474 <P>Hello,</P> <P>&nbsp;</P> <P>We have 2 IPsec tunnels s2s between 2 Palo Alto firewalls.</P> <P>We are using ike-v2 gateways, and liveness check : 5s</P> <P>&nbsp;</P> <P>The WAN on one of the side is flapping, sometimes disconnect around 10min. After this disconnection, the tunnel does not re-establish immediately, it takes around 15min.</P> <P>&nbsp;</P> <P>We have also configured tunnel monitors on both sides, we have assigned IP addresses on tunnel interfaces, and we are monitoring these IPs, the monitor are UP and active.</P> <P>&nbsp;</P> <P>Do you know why it's not reconnecting immediately after the WAN back up ? Is there something to do in terms of config ?</P> Sun, 16 Oct 2022 06:16:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/518010#M107474 CTramier 2022-10-16T06:16:22Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/518514#M107570 <P>In fact, when the public IP is reachable again, we can see the tunnel is briefly re-established then go down again, and we need to bounce it manually to have it reconnected.</P> Thu, 20 Oct 2022 12:17:31 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/518514#M107570 CTramier 2022-10-20T12:17:31Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/531276#M109557 <P>I am seeing a similar issue that I'm trying to work through. In your setup, is there is a single WAN interface at the site, or are you failing over to another WAN interface? Is either side of the tunnel in dynamic, or passive mode?</P> <P>Do you have "Liveness Check" enabled in the IKE settings?</P> Wed, 15 Feb 2023 18:56:16 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/531276#M109557 ksalustro 2023-02-15T18:56:16Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/531277#M109558 <P>Also is there any NAT involved and if so, do you have NAT-T enabled?</P> Wed, 15 Feb 2023 18:58:26 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/531277#M109558 ksalustro 2023-02-15T18:58:26Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/531735#M109651 <P>Better enable IKE debugs and to see what is happening as to not make wild suggestions:</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO</A></P> <P>&nbsp;</P> Mon, 20 Feb 2023 10:43:43 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-takes-long-time-to-re-establish/m-p/531735#M109651 nikoolayy1 2023-02-20T10:43:43Z