https://live.paloaltonetworks.com/t5/general-topics/ikev2-keepalive-tuning/m-p/342674#M85856 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42773">@nikoo</a>,</P> <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42773">@nikoo</a>&nbsp;wrote: <P>Basically, what are your options to detect the IPSec tunnel peer down condition and act as soon as possible, meaning, tear down the tunnel and start re-negotiation.</P> <HR /></BLOCKQUOTE> <P>Scripting and the API.&nbsp;<BR /><BR /></P> <P>The best way that I've found to deal with something like this is having something on each end (can be as dumb as a raspberry pi) which is simply performing a basic ICMP check via a scheduled script. If the script notices a tunnel is down, then it goes out and clears the connection and starts a test to bring things back online and make it functional in the shortest timeframe possible.</P> <P>The benefit of this type of solution is that the ICMP check itself in a lot of cases will cause enough traffic to keep all of the tunnels online baring an actual connectivity issue.&nbsp;</P> Fri, 07 Aug 2020 12:46:41 GMT BPry 2020-08-07T12:46:41Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-keepalive-tuning/m-p/342647#M85854 <P>IKEv2 on PA has built in keepalive mechanism, but it can only act if the communication is lost for more than 5 minutes:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgcCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgcCAC</A></P><P>After testing it out, about 7-8 minutes passed until Palo Alto detected lost peer and did reset of the tunnel.</P><P>That's happening due to built in algorithm:</P><P><EM>The default interval of liveness checking is every 5 seconds when SA is idle.&nbsp;Upon losing connection, the firewall will do 10 liveness retries with increasing timeout (seconds) for each retry as follows:</EM></P><P>&nbsp;</P><P><EM>1 + 2 + 4 + 8 + 16 + 32 + 64 + 64 + 64 + 64 = 319 seconds (about 5 minutes)</EM></P><P>&nbsp;</P><P>.. meaning it is not configurable in any way? Is there a way to speed it up?</P><P>Tunnel monitoring didn't seem to be an option, because tunnel is proxyID based and there are 4 proxyIDs configured - tunnel monitoring was working properly for one of them (source/destination pair), but at the same time concluded that other 3 of them are down and did the reset every 10 seconds or so which is not acceptable.</P><P>&nbsp;</P><P>Basically, what are your options to detect the IPSec tunnel peer down condition and act as soon as possible, meaning, tear down the tunnel and start re-negotiation.</P> Fri, 07 Aug 2020 11:05:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-keepalive-tuning/m-p/342647#M85854 nikoo 2020-08-07T11:05:56Z https://live.paloaltonetworks.com/t5/general-topics/ikev2-keepalive-tuning/m-p/342674#M85856 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42773">@nikoo</a>,</P> <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42773">@nikoo</a>&nbsp;wrote: <P>Basically, what are your options to detect the IPSec tunnel peer down condition and act as soon as possible, meaning, tear down the tunnel and start re-negotiation.</P> <HR /></BLOCKQUOTE> <P>Scripting and the API.&nbsp;<BR /><BR /></P> <P>The best way that I've found to deal with something like this is having something on each end (can be as dumb as a raspberry pi) which is simply performing a basic ICMP check via a scheduled script. If the script notices a tunnel is down, then it goes out and clears the connection and starts a test to bring things back online and make it functional in the shortest timeframe possible.</P> <P>The benefit of this type of solution is that the ICMP check itself in a lot of cases will cause enough traffic to keep all of the tunnels online baring an actual connectivity issue.&nbsp;</P> Fri, 07 Aug 2020 12:46:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ikev2-keepalive-tuning/m-p/342674#M85856 BPry 2020-08-07T12:46:41Z