https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224113#M123687 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1227661985">@AY_FASAR</a>&nbsp;to clarify your issue - the tunnel states it is up on both ends, but there is no traffic flowing through it? Working through something similar to this myself.&nbsp;</P> <P>&nbsp;</P> <P>A few thoughts:&nbsp;</P> <UL> <LI>Could a Zone Protection Profile be blocking traffic?&nbsp;</LI> <LI>I believe a packet capture may be best, especially with logging packet-diag features enabled.&nbsp;</LI> <LI>An easy win - make sure NTP settings are valid on both ends of the tunnel.&nbsp;</LI> <LI>It could be worthwhile to follow up with the ISP.&nbsp;</LI> <LI>Is the far end device also a Palo Alto Networks NGFW?&nbsp;</LI> <LI>Wildcard thought - MTU size?&nbsp;</LI> <LI>What version of PAN-OS are you running?&nbsp;</LI> </UL> <P>Will keep you updated if I find RCA in my case.&nbsp;</P> Tue, 18 Mar 2025 16:23:34 GMT nohash4u 2025-03-18T16:23:34Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224018#M123671 <P>Hi,</P> <P>&nbsp;</P> <P>Is there a command to check if a tunnel went down on a specific time and why it happened.</P> <P>I have a tunnel set-up to a 3rd party where they keep monitoring some of their servers. They inform me that they receive alarms every hour that the endpoint is down and its not coming back up for about 15 min.</P> <P>I cant see anything obvious. I have done show vpn flow name ...&nbsp; but I cant see any error there. is there any other logs that I could check to see those disconnections that 3rd party mentioning and if I can get any clue from the output why the tunnels going down.</P> <P>&nbsp;</P> Mon, 17 Mar 2025 14:22:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224018#M123671 AY_FASAR 2025-03-17T14:22:44Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224033#M123675 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1227661985">@AY_FASAR</a>&nbsp;wrote:<BR /> <P>Hi,</P> <P>&nbsp;</P> <P>Is there a command to check if a tunnel went down on a specific time and why it happened.</P> <P>I have a tunnel set-up to a 3rd party where they keep monitoring some of their servers. They inform me that they receive alarms every hour that the endpoint is down and its not coming back up for about 15 min.</P> <P>I cant see anything obvious. I have done show vpn flow name ...&nbsp; but I cant see any error there. is there any other logs that I could check to see those disconnections that 3rd party mentioning and if I can get any clue from the output why the tunnels going down.</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P>If you look in the GUI logs, (system) and filter on type of "VPN" (I think.) that should give you the logs you're looking for.&nbsp; I would also add&nbsp;time stamps filters with a "geq" (after - greater than equal to) &amp; "leq" (before - less than equal to) for the time period you had VPN issues.&nbsp; You can look through the logs and find errors much easier that way.</P> Mon, 17 Mar 2025 17:58:39 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224033#M123675 Brandon_Wertz 2025-03-17T17:58:39Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224088#M123685 <P>all I can see is just the key negotiation, nothing else to suggest there is an issue. 3rd party insists that they sent traffic down the tunnel to us and that they get dropped our end. if they keep sending traffic, means the tunnel stays up all the time but there is some other issue.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Could the traffic getting dropped some how during the rekey phase? if there is possibility, is there a debug or packet capture to prove this? with packet capture it might be a bit tricky as the issue is intermittent.</P> Tue, 18 Mar 2025 10:11:10 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224088#M123685 AY_FASAR 2025-03-18T10:11:10Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224113#M123687 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1227661985">@AY_FASAR</a>&nbsp;to clarify your issue - the tunnel states it is up on both ends, but there is no traffic flowing through it? Working through something similar to this myself.&nbsp;</P> <P>&nbsp;</P> <P>A few thoughts:&nbsp;</P> <UL> <LI>Could a Zone Protection Profile be blocking traffic?&nbsp;</LI> <LI>I believe a packet capture may be best, especially with logging packet-diag features enabled.&nbsp;</LI> <LI>An easy win - make sure NTP settings are valid on both ends of the tunnel.&nbsp;</LI> <LI>It could be worthwhile to follow up with the ISP.&nbsp;</LI> <LI>Is the far end device also a Palo Alto Networks NGFW?&nbsp;</LI> <LI>Wildcard thought - MTU size?&nbsp;</LI> <LI>What version of PAN-OS are you running?&nbsp;</LI> </UL> <P>Will keep you updated if I find RCA in my case.&nbsp;</P> Tue, 18 Mar 2025 16:23:34 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224113#M123687 nohash4u 2025-03-18T16:23:34Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224139#M123689 <P>I dont believe its NTP or anything similar, all other tunnels working fine. it's only this tunnel's 3rd party and the issue is intermittent.</P> <P>Not sure what vendor is 3rd party's gateway but I can check.</P> Tue, 18 Mar 2025 21:13:08 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224139#M123689 AY_FASAR 2025-03-18T21:13:08Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224323#M123722 <P>Ok, sounds good. I will likely be opening a TAC case. I will keep you posted.&nbsp;</P> Thu, 20 Mar 2025 15:38:35 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1224323#M123722 nohash4u 2025-03-20T15:38:35Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1226444#M123977 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1227661985">@AY_FASAR</a>&nbsp;did you ever get a resolution? I thought I would provide an update from my end. The TAC case unfortunately fizzled out as dump level debugging was not enabled, and it was deemed unwise to leave this level of debugging on until the issue reoccurred given the strain it puts on the firewall. That being said, a senior engineer I work with noticed two things:&nbsp;</P> <P>&nbsp;</P> <OL> <LI>An unusual frequency of IKE rekeying.&nbsp;</LI> <LI>The source IP of the IKE rekeying not aligning with the expected configuration on the firewall. This was attributed to an issue with the ISP, and is being investigated.&nbsp;</LI> </OL> <P>I hope this helps.&nbsp;<BR />&nbsp;</P> Mon, 14 Apr 2025 16:34:25 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-intermittent-disconnection-issue/m-p/1226444#M123977 nohash4u 2025-04-14T16:34:25Z