https://live.paloaltonetworks.com/t5/general-topics/ikev2-renegotiation-on-acceptor-gateway-reboot/m-p/209873#M61325 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>,</P><P>&nbsp;</P><P>I did use tunnel-monitoring with the following params, and associated it with the IPSec tunnel:</P><P>1. Action - Wait-Recover</P><P>2. Interval - 2 secs</P><P>3. Threshold - 2 secs</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P> Thu, 12 Apr 2018 19:50:18 GMT rameshgi 2018-04-12T19:50:18Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-renegotiation-on-acceptor-gateway-reboot/m-p/209833#M61312 <P>Hi community,</P><P>&nbsp;</P><P>I have a site-to-site IPSec connectivity with Palo Alto gateway (PA-VM 8.0.5 on kvm hypervisor - CentOS 7 host) on one end as initiator and Vyatta OS based gateway on the other end as acceptor.</P><P>&nbsp;</P><P>When IKEv2 and IPSec (and BGP) are in established state, and the Vyatta OS reboots, it takes about 6 minutes for PA-VM to detect outage and renegotiate IKEv2.</P><P><BR />The IKE Crypto has "Key Lifetime" set to 8 hours.</P><P>&nbsp;</P><P>My question:</P><P>1. What configuration needs to be done (or can be done) in PA-VM for IKE to negotiate sooner ? (Is it a good idea to set Key Lifetime param in IKE Crypto to 3 minutes ?)</P><P>&nbsp;</P><P>2. What is the industry best practice for setting up site-to-site VPNs in order to minimize outages due to peer firewall going down ?</P><P>&nbsp;</P><P>Regards</P><P><BR />Thanks in advance.</P> Thu, 12 Apr 2018 17:37:19 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-renegotiation-on-acceptor-gateway-reboot/m-p/209833#M61312 rameshgi 2018-04-12T17:37:19Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-renegotiation-on-acceptor-gateway-reboot/m-p/209872#M61324 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/87432">@rameshgi</a>,</P><P>I imagine that you are not doing any tunnel monitoring?&nbsp;</P> Thu, 12 Apr 2018 19:35:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-renegotiation-on-acceptor-gateway-reboot/m-p/209872#M61324 BPry 2018-04-12T19:35:55Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-renegotiation-on-acceptor-gateway-reboot/m-p/209873#M61325 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>,</P><P>&nbsp;</P><P>I did use tunnel-monitoring with the following params, and associated it with the IPSec tunnel:</P><P>1. Action - Wait-Recover</P><P>2. Interval - 2 secs</P><P>3. Threshold - 2 secs</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P> Thu, 12 Apr 2018 19:50:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-renegotiation-on-acceptor-gateway-reboot/m-p/209873#M61325 rameshgi 2018-04-12T19:50:18Z