https://live.paloaltonetworks.com/t5/general-topics/dual-isp-ipsec-vpn-tunnel-monitor-drops-the-connection/m-p/226525#M65213 <P>Hi all,</P><P>&nbsp;</P><P>I added second ISP to firewall and created ECMP for dual ISP followed those guides:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-the-Firewall/ta-p/110339#" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-the-Firewall/ta-p/110339#</A></P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774</A></P><P>&nbsp;</P><P>when I'm trying to configure tunnel monitoring on the IPSEC tunnels (after I configure tunnel interface IPv4 from local network subnet) the connection drops and cann't connect again.</P><P>Only after I disable the tunnel monitoring settings the vpn connection comes up&nbsp;again.</P><P>&nbsp;</P><P>anyone has suggestions what to do or what to check for it.</P><P>&nbsp;</P><P>Thank you all.</P><P>&nbsp;</P> Wed, 08 Aug 2018 22:08:15 GMT SShnap 2018-08-08T22:08:15Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-ipsec-vpn-tunnel-monitor-drops-the-connection/m-p/226525#M65213 <P>Hi all,</P><P>&nbsp;</P><P>I added second ISP to firewall and created ECMP for dual ISP followed those guides:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-the-Firewall/ta-p/110339#" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-the-Firewall/ta-p/110339#</A></P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774</A></P><P>&nbsp;</P><P>when I'm trying to configure tunnel monitoring on the IPSEC tunnels (after I configure tunnel interface IPv4 from local network subnet) the connection drops and cann't connect again.</P><P>Only after I disable the tunnel monitoring settings the vpn connection comes up&nbsp;again.</P><P>&nbsp;</P><P>anyone has suggestions what to do or what to check for it.</P><P>&nbsp;</P><P>Thank you all.</P><P>&nbsp;</P> Wed, 08 Aug 2018 22:08:15 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-ipsec-vpn-tunnel-monitor-drops-the-connection/m-p/226525#M65213 SShnap 2018-08-08T22:08:15Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-ipsec-vpn-tunnel-monitor-drops-the-connection/m-p/226655#M65241 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/40971">@SShnap</a>,</P><P>What version of PAN-OS are you running?&nbsp;</P> Thu, 09 Aug 2018 19:55:42 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-ipsec-vpn-tunnel-monitor-drops-the-connection/m-p/226655#M65241 BPry 2018-08-09T19:55:42Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-ipsec-vpn-tunnel-monitor-drops-the-connection/m-p/229048#M65836 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a></P><P>&nbsp;</P><P>I'm running PAVM200 with PANOS 8.0.0</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 31 Aug 2018 17:54:21 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-ipsec-vpn-tunnel-monitor-drops-the-connection/m-p/229048#M65836 SShnap 2018-08-31T17:54:21Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-ipsec-vpn-tunnel-monitor-drops-the-connection/m-p/229050#M65838 <P>- You shouldn't be using 8.0.0 anymore by far; update PAN-OS to something like 8.0.10 so you get the security fixes and all of the associated fixes, base images are&nbsp;<STRONG>not</STRONG> production ready.&nbsp;</P><P>- Depending on what you have specified in the tunnel monitoring profile this would be an expected action. When used in conjunction with DPD the montioring profile only has two options&nbsp;<EM>wait recover</EM> or&nbsp;<EM>fail over</EM>. In either case the firewall will attempt to recover by negotiating new IPSec keys. When certain peer devices see this action they will sometimes close the connection on their end depending on the configuration.&nbsp;</P><P>&nbsp;</P><P>I would start by simply upgrading the PAN-OS version, because you shouldn't be running 8.0.0 anymore. That likely won't fix it, but it's better for your device as a whole. Since you are only running into an issue with the tunnel montioring profile active verify what the monitoring profile actually has set for the action. It could easily be that the peer device simply is dropping the connection when the PA attempts to re-key.</P> Fri, 31 Aug 2018 18:28:15 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-ipsec-vpn-tunnel-monitor-drops-the-connection/m-p/229050#M65838 BPry 2018-08-31T18:28:15Z