https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38368#M28105 <HTML><HEAD></HEAD><BODY><P>I agree that this would be a nice feature. I ran into an issue a couple of days ago where the VPN link between our PA and a Cisco ASA died after a software upgrade on the PA. I had no way kick start the PA to get it to retry making a connection to the remote site. I had to go into the CLI to do this. Having buttons on the GUI to be able to test the link or reset the link would be handy. </P><P></P><P>I also noticed that the link status never even updated when the link went down, which is concerning.</P></BODY></HTML> Fri, 25 Apr 2014 16:08:38 GMT carpediem79 2014-04-25T16:08:38Z https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38363#M28100 <HTML><HEAD></HEAD><BODY><P>I want to disable an IPSec VPN. I have currently blocked traffic both directions to the tunnel by using a Security Policies, but there should be a way to disable the tunnel in the IPSec configuration (or alternatively, disable the tunnel interface). I don't want to delete it, but I don't want it taking up processor speed for a tunnel that I don't want turned on.</P></BODY></HTML> Fri, 25 Apr 2014 14:23:09 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38363#M28100 blandis 2014-04-25T14:23:09Z https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38364#M28101 <HTML><HEAD></HEAD><BODY><P>Currently, there isn't a nice "disable" button for IPSec Tunnel Configuration - but I do see the value in being able to disable tunnels at-will.&nbsp; For this case, I have created an "IKE Gateway" called "disabled" and populated it with bogus information.&nbsp; Then, when I need to disable a tunnel, I go change the IKE Gateway to "disabled" and commit.&nbsp; It has the same effect - and I've deleted nothing.&nbsp; </P><P></P><P>Hope that helps.</P></BODY></HTML> Fri, 25 Apr 2014 14:41:31 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38364#M28101 jvalentine 2014-04-25T14:41:31Z https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38365#M28102 <HTML><HEAD></HEAD><BODY><P>That is a possible workaround, but it will still try to connect, using CPU and continuous log messages.</P></BODY></HTML> Fri, 25 Apr 2014 14:44:20 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38365#M28102 blandis 2014-04-25T14:44:20Z https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38366#M28103 <HTML><HEAD></HEAD><BODY><P>Agreed - it's a workaround - not a complete solution. </P><P></P><P>Ultimately, if you want a "disable" button in the IPSec configuration, you'll need to file a Feature Request with your local Palo Alto Networks sales engineer.&nbsp; </P></BODY></HTML> Fri, 25 Apr 2014 14:55:15 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38366#M28103 jvalentine 2014-04-25T14:55:15Z https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38367#M28104 <HTML><HEAD></HEAD><BODY><P>Actually, this might cause alarms on the opposing firewall, which I don't want, so maybe a security block is a better solution anyways.</P></BODY></HTML> Fri, 25 Apr 2014 15:26:01 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38367#M28104 blandis 2014-04-25T15:26:01Z https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38368#M28105 <HTML><HEAD></HEAD><BODY><P>I agree that this would be a nice feature. I ran into an issue a couple of days ago where the VPN link between our PA and a Cisco ASA died after a software upgrade on the PA. I had no way kick start the PA to get it to retry making a connection to the remote site. I had to go into the CLI to do this. Having buttons on the GUI to be able to test the link or reset the link would be handy. </P><P></P><P>I also noticed that the link status never even updated when the link went down, which is concerning.</P></BODY></HTML> Fri, 25 Apr 2014 16:08:38 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-an-ipsec-tunnel/m-p/38368#M28105 carpediem79 2014-04-25T16:08:38Z