https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220462#M123300 <P>Hello Mams and Sirs,</P> <P>&nbsp;</P> <P>I need your advice here.</P> <P>&nbsp;</P> <P>I have configured an ikev2 policy based site to site VPN between our Palo Alto and client Arista ETM. I manage the Palo Alto.</P> <P>&nbsp;</P> <P>The status of the VPN shows up. But, communication between the subnets(local and remote) stop abruptly until, I generate some traffic by pinging each of their VLANs/subnets from our server.</P> <P>&nbsp;</P> <P>All the parameters look correct on both sides.</P> <P>&nbsp;</P> <P>What I observed is that continuous pings from the Palo Alto side keep the communication up.</P> <P>Is this a normal behaviour or does any change have to be made on either device? Please help.</P> Mon, 17 Feb 2025 13:53:22 GMT msdphi 2025-02-17T13:53:22Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220462#M123300 <P>Hello Mams and Sirs,</P> <P>&nbsp;</P> <P>I need your advice here.</P> <P>&nbsp;</P> <P>I have configured an ikev2 policy based site to site VPN between our Palo Alto and client Arista ETM. I manage the Palo Alto.</P> <P>&nbsp;</P> <P>The status of the VPN shows up. But, communication between the subnets(local and remote) stop abruptly until, I generate some traffic by pinging each of their VLANs/subnets from our server.</P> <P>&nbsp;</P> <P>All the parameters look correct on both sides.</P> <P>&nbsp;</P> <P>What I observed is that continuous pings from the Palo Alto side keep the communication up.</P> <P>Is this a normal behaviour or does any change have to be made on either device? Please help.</P> Mon, 17 Feb 2025 13:53:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220462#M123300 msdphi 2025-02-17T13:53:22Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220675#M123301 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/722572629">@msdphi</a>&nbsp;,</P> <P>&nbsp;</P> <P>Yes,&nbsp;<SPAN>IPSec tunnel comes up only when there is an interesting traffic destined to the tunnel.&nbsp;</SPAN></P> <P><SPAN>Check the bullet "<STRONG class="ph b">Interesting Traffic or On-Demand" </STRONG>on this page which explains:</SPAN></P> <P><SPAN><STRONG class="ph b"><A href="https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/ipsec-vpn-basics/ipsec-vpn-tunnels" target="_blank">https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/ipsec-vpn-basics/ipsec-vpn-tunnels</A></STRONG></SPAN></P> <P>&nbsp;</P> <P><SPAN>To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the firewall:</SPAN></P> <P><SPAN><A href="https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-tunnel-monitoring" target="_blank"><STRONG>https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-tunnel-monitoring</STRONG></A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope this helps,</SPAN></P> <P><SPAN>-Kim.</SPAN></P> Mon, 17 Feb 2025 16:47:07 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220675#M123301 kiwi 2025-02-17T16:47:07Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220679#M123302 <P>Thank you, Kim.</P> <P>&nbsp;</P> <P>I already have liveliness check enabled and tunnel monitoring won't be possible. Because the client has multiple VLANs. But, configure multiple monitoring IP address is not possible.</P> <P>&nbsp;</P> <P>I may be wrong. Please advise.</P> Mon, 17 Feb 2025 18:51:49 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220679#M123302 msdphi 2025-02-17T18:51:49Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220723#M123307 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/722572629">@msdphi</a>&nbsp;,</P> <P>&nbsp;</P> <P>Correct, tunnel monitoring only allows you to monitor one IP.</P> <P>Why would you monitor more ? For Tunnel monitoring you usually monitor an IP closest to the tunnel IP.</P> <P>&nbsp;</P> <P>If you want to check on different VLANs being available I think you should look into path monitoring instead.</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> Tue, 18 Feb 2025 09:10:25 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220723#M123307 kiwi 2025-02-18T09:10:25Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220728#M123308 <P>Why would you monitor more ? For Tunnel monitoring you usually monitor an IP closest to the tunnel IP--- so, the problem is that unless I keep continuous pings going to each of their LAN gateways, the communication stops, though the vpn shows as up. But that's not a good solution. I thought we might phase 2 parameters&nbsp; there&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If you want to check on different VLANs being available I think you should look into path monitoring instead.--- okay will check ..&nbsp;</P> Tue, 18 Feb 2025 10:01:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-site-to-site-vpn-between-arista-etm-and-palo-alto/m-p/1220728#M123308 msdphi 2025-02-18T10:01:00Z