<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IPSec tunnel, delayed status update in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22385#M16320</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Were the colours of the VPN, green and red, even with multiple page refreshes? The screenshot below shows the status of the IKE and the IPSEC. The first one on the left shows the status of IPSEC-ESP and the one on the right shows the status of the IKE.&lt;/P&gt;&lt;P&gt;&lt;IMG alt="IKe-statis.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10830_IKe-statis.JPG.jpg" style="width: 620px; height: 82px;" /&gt;&lt;/P&gt;&lt;P&gt;Again that depends on how long the outage was. Although the Lifetime of IPSEC-ESP and IKE can be (like by default) 1 hour and 8 hours respectively, the session timeout values for IPSEC-ESP and IKE are 3600 secs and 30 secs respectively. Lifetime determines the amount of time that the parties have to wait before they rekey again. Once a VPN is up, the firewall maintains sessions for IKE and IPSEC-ESP. If the firewall doesn't receive packets within the session timeout values, it discards the session. That being the case, had there been an outage, the session for IPSEC-ESP would still remain active for a longer duration than the IKE session (when there is an ISP outage, no ESP or IKE packets would reach either firewall).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Whenever a tunnel goes down, the firewall logs these events with a high severity, and we have the ability to send these events to a syslog server. You can get faster alerts of VPNs going down by using SNMP servers, or through syslog servers, instead of relying on the WEB GUI.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope that helps!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;BR,&lt;/P&gt;&lt;P&gt;Karthik RP&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 10 Jan 2014 15:19:40 GMT</pubDate>
    <dc:creator>kprakash</dc:creator>
    <dc:date>2014-01-10T15:19:40Z</dc:date>
    <item>
      <title>IPSec tunnel, delayed status update</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22384#M16319</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I had one of our remote sites go offline two days ago due to an ISP outage. However, the site-to-site link showed as up for several hours before it finally dropped and showed as offline. Is there a setting to have this respond faster so it shows offline within minutes? Or is this working as designed?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Jan 2014 14:43:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22384#M16319</guid>
      <dc:creator>carpediem79</dc:creator>
      <dc:date>2014-01-10T14:43:14Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec tunnel, delayed status update</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22385#M16320</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Were the colours of the VPN, green and red, even with multiple page refreshes? The screenshot below shows the status of the IKE and the IPSEC. The first one on the left shows the status of IPSEC-ESP and the one on the right shows the status of the IKE.&lt;/P&gt;&lt;P&gt;&lt;IMG alt="IKe-statis.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10830_IKe-statis.JPG.jpg" style="width: 620px; height: 82px;" /&gt;&lt;/P&gt;&lt;P&gt;Again that depends on how long the outage was. Although the Lifetime of IPSEC-ESP and IKE can be (like by default) 1 hour and 8 hours respectively, the session timeout values for IPSEC-ESP and IKE are 3600 secs and 30 secs respectively. Lifetime determines the amount of time that the parties have to wait before they rekey again. Once a VPN is up, the firewall maintains sessions for IKE and IPSEC-ESP. If the firewall doesn't receive packets within the session timeout values, it discards the session. That being the case, had there been an outage, the session for IPSEC-ESP would still remain active for a longer duration than the IKE session (when there is an ISP outage, no ESP or IKE packets would reach either firewall).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Whenever a tunnel goes down, the firewall logs these events with a high severity, and we have the ability to send these events to a syslog server. You can get faster alerts of VPNs going down by using SNMP servers, or through syslog servers, instead of relying on the WEB GUI.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope that helps!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;BR,&lt;/P&gt;&lt;P&gt;Karthik RP&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Jan 2014 15:19:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22385#M16320</guid>
      <dc:creator>kprakash</dc:creator>
      <dc:date>2014-01-10T15:19:40Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec tunnel, delayed status update</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22386#M16321</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;All 3 status lights were green even after multiple refreshes. This was 3 hours after the outage occurred. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"&lt;SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"&gt;Whenever a tunnel goes down, the firewall logs these events with a high severity, and we have the ability to send these events to a syslog server. You can get faster alerts of VPNs going down, by using SNMP servers, or through syslog servers, instead of relying on the WEB GUI.&lt;/SPAN&gt;"&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I do not accept that as a proper method of knowing what is going on. If they have status indicators on the web gui, then they should do what is expected of them and properly indicate the status. If it requires some config changes to make it work better, that is fine, but the PA appliance should be able to provide us with adequate monitoring information.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Jan 2014 15:36:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22386#M16321</guid>
      <dc:creator>carpediem79</dc:creator>
      <dc:date>2014-01-10T15:36:32Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec tunnel, delayed status update</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22387#M16322</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Carpediem,&lt;/P&gt;&lt;P&gt;Do you mean that the outage was for 3 hours, and yet the status lights were green during these 3 hours? We don't have any other extra configuration for the WEB GUI to reflect the correct status. In all my prior experience, I have seen the appropriate status show up whenever the tunnel went down (even with both automatic and manual page refreshes, and on the CLI). The next time you encounter this issue, please raise a ticket with the TAC.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Jan 2014 15:49:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22387#M16322</guid>
      <dc:creator>kprakash</dc:creator>
      <dc:date>2014-01-10T15:49:36Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec tunnel, delayed status update</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22388#M16323</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;That is correct.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Will do. Just wanted to see if anyone else had run into a similar issue.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Jan 2014 15:50:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22388#M16323</guid>
      <dc:creator>carpediem79</dc:creator>
      <dc:date>2014-01-10T15:50:56Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec tunnel, delayed status update</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22389#M16324</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Could you please try tunnel monitoring to bring the tunnel down when there is an outage from the ISP?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG __jive_id="10819" alt="tunnel-monitoring.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10819_tunnel-monitoring.JPG.jpg" style="width: 620px; height: 520px;" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also refer to the knowledge base articles mentioned below for more information:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/docs/DOC-6070"&gt;How to Verify if the IPSec Tunnel Monitoring is Working?&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/docs/DOC-1323"&gt;Dead Peer Detection and Tunnel Monitoring&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/message/9909"&gt;Re: IPSEC-Tunnel Monitoring "tunnel-status-down"&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Jan 2014 15:52:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22389#M16324</guid>
      <dc:creator>HULK</dc:creator>
      <dc:date>2014-01-10T15:52:05Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec tunnel, delayed status update</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22390#M16325</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Did the system logs show that the VPN was down? If so, I think it's then a GUI issue. What is the PANOS version that the box is running on?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Jan 2014 16:08:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22390#M16325</guid>
      <dc:creator>kprakash</dc:creator>
      <dc:date>2014-01-10T16:08:39Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec tunnel, delayed status update</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22391#M16326</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Tunnel monitoring sounds like it may do the trick. I am guessing that uses ping to verify the connection is up and then shows status as down once it fails to receive a response for the allotted time?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If so, that is something I will test during one of our upcoming maintenance windows.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Jan 2014 16:21:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-delayed-status-update/m-p/22391#M16326</guid>
      <dc:creator>carpediem79</dc:creator>
      <dc:date>2014-01-10T16:21:48Z</dc:date>
    </item>
  </channel>
</rss>

