topic Re: Problems with IPSec tunnel in General Topics

Problems with IPSec tunnel

clonesheep — Mon, 12 Oct 2020 13:10:45 GMT

Hello,
I have a PA VM100 which hangs behind a dynamic public IP and it creates an IPSec tunnel to a PA220 with static public IP. So the tunnel can only be established by the VM100. On the PA220 I have activated "Enable Passive Mode" at IKE Gateway -> advanced Options. DPD Interval 5 and Retry 5.
I also set up a tunnel monitor and gave the tunnel interfaces IPs. As tunnel monitor profile I chose default (wait recover - interval 3sek - threshold 5).

Unfortunately the internet connection is not the best and there are always disconnections (more then 10 on a day). Sometimes the tunnel will rebuild itself, sometimes you have to take action yourself. Then you can see that on the pa220 under session there is still the session ipsec 4500. You can also see that the tunnel ipsec is still green but ike already red.

What can I do to ensure that the tunnel rebuilds as quickly as possible in the event of a failure?

Re: Problems with IPSec tunnel

reaper — Tue, 13 Oct 2020 14:40:44 GMT

set the tunnel monitor from wait-recover to fail over so the tunnel gets torn down once the monitor fails

Re: Problems with IPSec tunnel

OtakarKlier — Tue, 13 Oct 2020 16:45:34 GMT

Hello,

You might want to try a DDNS, dynamic domain name ssytem, solution? This way the VM PAN will register istes automatically and then the PA-220 can just have a DNS name as its peer.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-dynamic-dns-for-firewall-interfaces

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/dynamic-dns-nfg

Just a thought.