https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131171#M46921 <P>Hi,</P><P>&nbsp;</P><P>I reviewed ikemgr.log but could not find anything realted to this, I enabled debug for ikemgr.log as well but no luck.</P> Mon, 05 Dec 2016 15:24:54 GMT fozail 2016-12-05T15:24:54Z https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/130997#M46889 <P>Hi There,</P><P>&nbsp;</P><P>I configured two IPSEC VPN on PA, as PA has two ISP connectivity. Configured a PBF to forward the traffic through primary tunnel interface and enabled monitoring to monitor trust interface of remote PA. A route was configured to forward the traffic the traffic through secondary tunnel interface.</P><P>&nbsp;</P><P>I found that traffic was always forwarded through secondary tunnel interface. Reviewed and could see that PBF is in DISABLED state as I had enabled if monitor is not successfull disable this PBF.</P><P>&nbsp;</P><P>Reviewed and could see that PBF moniotr got failed because tunnel interface was down.</P><P>&nbsp;</P><P>As I am not doing any tunnel monitoring, tunnel monitor should not go down at all&nbsp;if appliance is up and running.</P><P>&nbsp;</P><P>Can you please let me know how to find out why tunnel interface went down?</P><P>&nbsp;</P><P>Best Regards,</P><P>&nbsp;</P><P>Fozail</P> Sun, 04 Dec 2016 09:54:49 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/130997#M46889 fozail 2016-12-04T09:54:49Z https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131077#M46901 <P>Maybe there was no traffic to keep that tunnel alive.&nbsp;</P> Mon, 05 Dec 2016 09:01:44 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131077#M46901 santonic 2016-12-05T09:01:44Z https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131099#M46905 <P>Hi,</P><P>&nbsp;</P><P>Could you check ikemgr.logs:</P><P>&nbsp;</P><P>&gt; tail lines 100 mp-log ikemgr.log</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 05 Dec 2016 10:13:47 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131099#M46905 TranceforLife 2016-12-05T10:13:47Z https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131171#M46921 <P>Hi,</P><P>&nbsp;</P><P>I reviewed ikemgr.log but could not find anything realted to this, I enabled debug for ikemgr.log as well but no luck.</P> Mon, 05 Dec 2016 15:24:54 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131171#M46921 fozail 2016-12-05T15:24:54Z https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131172#M46922 <P>Hi,</P><P>&nbsp;</P><P>I mean to say that tunnel interface went down not IPSEC VPN.</P> Mon, 05 Dec 2016 15:25:46 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131172#M46922 fozail 2016-12-05T15:25:46Z https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131199#M46929 <P>Do you have a static or dymaic IP on both ends of the tunnel? If you go into the Montior and then the System tab using the&nbsp;( subtype eq vpn ) query string will show you all VPN events, it may show you that the IKE or IPSEC didn't negotiate correctly or possibly were deleted before negotiating a new set of keys.&nbsp;</P> Mon, 05 Dec 2016 16:10:30 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131199#M46929 BPry 2016-12-05T16:10:30Z https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131210#M46931 <P>Hi,</P><P>&nbsp;</P><P>I checked the system log with subtype as vpn, but could not find anything related to tunnel interface.</P><P>&nbsp;</P><P>Attempted to review the output of the command "show log system | match tunnel.5" but no luck.</P><P>&nbsp;</P><P>IPSEC VPN gets negotiated successfully, both phase-I and phase-II reflects green, only tunnel interface is down and hence the routes associated with that tunnel interface gets removed from routing table.</P> Mon, 05 Dec 2016 16:24:12 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131210#M46931 fozail 2016-12-05T16:24:12Z https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131248#M46939 <P>If you run&nbsp;<EM>show vpn ipsec-sa tunnel<STRONG>&nbsp;</STRONG></EM>*name*, do you show anything under the ipsec? It sounds like you likely have a part of the configuaration malformed.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>If tunnels are up but traffic is not passing through the tunnel:</P><UL><LI>Check security policy and routing.</LI><LI>Check for any devices upstream that perform port-and-address-translations. Because ESP is a layer 3 protocol, ESP packets do not have port numbers. When such devices receive ESP packets, there is a high possibility they may silently drop them, because they do not see the port numbers to translate.</LI><LI>Apply debug packet filters, captures or logs, if necessary, to isolate the issue where the traffic is getting dropped.</LI></UL> Mon, 05 Dec 2016 18:19:33 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-any-reason-that-tunnel-interface-will-go-down/m-p/131248#M46939 BPry 2016-12-05T18:19:33Z