https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-and-dead-peer-detection-dpd-in-ikev1-and-liveness/m-p/373715#M88951 <P>I have two different IPSec VPN tunnels between a PAN and two different Cisco devices, let call them R1 and R2, as folllows:</P><P>&nbsp;</P><P>PAN IPSec IKEv1 &lt;&lt;----&gt;&gt; Cisco R2 IKEv1</P><P>PAN IPSec IKEv2 &lt;&lt;----&gt;&gt; Cisco R1 IKEv2</P><P>&nbsp;</P><P>I enable Dead Peer Dection (DPD) in the IKE gateway between the PAN IKEv1 and Cisco R2 router.&nbsp; On the Dead Peer interval and retry, i set it to 5 and 5, respectively.&nbsp; On the Cisco router R2, I set "set crypto isakmp keepalive 10".&nbsp; On the IKE gateway between the PAN and Cisco R1 IKEv2, I set the "liveness check" to 5.&nbsp; I also set "crypto isakmp keepalive 10" on the R2 cisco router.</P><P>&nbsp;</P><P>Well, on the IKEv2 VPN tunnels, I see traffics every 5 seconds between the PAN and Cisco R2 even when there is no traffic going across the tunnel which is expected.&nbsp; However, I am not seeing traffics between the PAN and Cisco R1 even with DPD enable.</P><P>&nbsp;</P><P>Is that expected?&nbsp; If not, is this another bug in PAN? &nbsp; I am running 8.1.15 hotfix 3.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Dec 2020 00:44:09 GMT dtran 2020-12-11T00:44:09Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-and-dead-peer-detection-dpd-in-ikev1-and-liveness/m-p/373715#M88951 <P>I have two different IPSec VPN tunnels between a PAN and two different Cisco devices, let call them R1 and R2, as folllows:</P><P>&nbsp;</P><P>PAN IPSec IKEv1 &lt;&lt;----&gt;&gt; Cisco R2 IKEv1</P><P>PAN IPSec IKEv2 &lt;&lt;----&gt;&gt; Cisco R1 IKEv2</P><P>&nbsp;</P><P>I enable Dead Peer Dection (DPD) in the IKE gateway between the PAN IKEv1 and Cisco R2 router.&nbsp; On the Dead Peer interval and retry, i set it to 5 and 5, respectively.&nbsp; On the Cisco router R2, I set "set crypto isakmp keepalive 10".&nbsp; On the IKE gateway between the PAN and Cisco R1 IKEv2, I set the "liveness check" to 5.&nbsp; I also set "crypto isakmp keepalive 10" on the R2 cisco router.</P><P>&nbsp;</P><P>Well, on the IKEv2 VPN tunnels, I see traffics every 5 seconds between the PAN and Cisco R2 even when there is no traffic going across the tunnel which is expected.&nbsp; However, I am not seeing traffics between the PAN and Cisco R1 even with DPD enable.</P><P>&nbsp;</P><P>Is that expected?&nbsp; If not, is this another bug in PAN? &nbsp; I am running 8.1.15 hotfix 3.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Dec 2020 00:44:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-and-dead-peer-detection-dpd-in-ikev1-and-liveness/m-p/373715#M88951 dtran 2020-12-11T00:44:09Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-and-dead-peer-detection-dpd-in-ikev1-and-liveness/m-p/373739#M88955 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41973">@dtran</a>,</P> <P>DPD on the PAN side isn't persistent and is only triggered by a phase 2 rekey; as long as phase 2 is up, the PAN won't check to see if IKE-SA is active. If you want/need to have traffic traverse from the PAN side constantly you would want to setup tunnel monitoring.&nbsp;</P> Fri, 11 Dec 2020 03:21:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-and-dead-peer-detection-dpd-in-ikev1-and-liveness/m-p/373739#M88955 BPry 2020-12-11T03:21:32Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-and-dead-peer-detection-dpd-in-ikev1-and-liveness/m-p/373854#M88968 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>:&nbsp; "If you want/need to have traffic traverse from the PAN side constantly you would want to setup tunnel monitoring. "</P><P>&nbsp;</P><P>PAN VPN Peer is 1.1.1.1 and Cisco VPN Peer is 2.2.2.2</P><P>PAN Encryption Domain is 192.168.1.1 and Cisco VPN Encryption Domain is 192.168.2.</P><DIV><DIV>&nbsp;</DIV><DIV><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunnel-monitoring/define-a-tunnel-monitoring-profile.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunnel-monitoring/define-a-tunnel-monitoring-profile.html</A></DIV><DIV>&nbsp;</DIV><DIV>What IP address do I put in the box?</DIV></DIV><P>&nbsp;</P> Fri, 11 Dec 2020 12:43:21 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-and-dead-peer-detection-dpd-in-ikev1-and-liveness/m-p/373854#M88968 dtran 2020-12-11T12:43:21Z