https://live.paloaltonetworks.com/t5/general-topics/aws-s2s-vpns-not-re-establishing/m-p/418578#M93685 <P>Having issues with a fair amount of AWS VPN tunnels that will go down due to path or ISP issues but they don't come back up unless I manually bounce them on the PAN side.&nbsp; Configuration is standard with DPD set to 10/2 and using PBF monitoring the far ends of the tunnels.&nbsp; &nbsp;So I will see the tunnels go down and they show down in AWS but they DO NOT come back up until I manually bounce them from the IPSec Tunnels page.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Has anyone seen this before?&nbsp; I am seeing this across 2 separate PANs (1 x HA, 1 standalone) to separate AWS accounts/regions but the problem seems to be consistent and not sure why.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Note I am not using 'Tunnel Monitor' on the IPSec Tunnels but I am on the PBF rules, could that be the problem?&nbsp; Meaning I should be using TM on one or the other but not both?&nbsp; Someone show me the way.&nbsp;&nbsp;</P> Mon, 12 Jul 2021 18:07:35 GMT drewdown 2021-07-12T18:07:35Z https://live.paloaltonetworks.com/t5/general-topics/aws-s2s-vpns-not-re-establishing/m-p/418578#M93685 <P>Having issues with a fair amount of AWS VPN tunnels that will go down due to path or ISP issues but they don't come back up unless I manually bounce them on the PAN side.&nbsp; Configuration is standard with DPD set to 10/2 and using PBF monitoring the far ends of the tunnels.&nbsp; &nbsp;So I will see the tunnels go down and they show down in AWS but they DO NOT come back up until I manually bounce them from the IPSec Tunnels page.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Has anyone seen this before?&nbsp; I am seeing this across 2 separate PANs (1 x HA, 1 standalone) to separate AWS accounts/regions but the problem seems to be consistent and not sure why.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Note I am not using 'Tunnel Monitor' on the IPSec Tunnels but I am on the PBF rules, could that be the problem?&nbsp; Meaning I should be using TM on one or the other but not both?&nbsp; Someone show me the way.&nbsp;&nbsp;</P> Mon, 12 Jul 2021 18:07:35 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-s2s-vpns-not-re-establishing/m-p/418578#M93685 drewdown 2021-07-12T18:07:35Z https://live.paloaltonetworks.com/t5/general-topics/aws-s2s-vpns-not-re-establishing/m-p/510676#M106244 <P>Not sure if you found a solution to this...</P> <P>&nbsp;</P> <P>As stated here in the KB article:<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVGCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVGCA0</A></P> <P>My interpretation of reading that means if the tunnel goes down (or presumably being initially set up) it will only be negotiated by interesting traffic, so you have several options to keep that interesting traffic:</P> <P>&nbsp;</P> <OL> <LI>Tunnel monitor using your tunnel interface, the route to the peer will be via the tunnel hence it is interesting traffic. <OL> <LI>On a side note i'd use "path monitoring" instead of PBF if you have two static routes to the same destination. E.g. 10.1.0.0/24 via tunnel 1, 10.1.0.0/24 via tunnel 2. Just put the prefferred metric on 10 and the other 20 and be sure to path monitor on both routes.</LI> </OL> </LI> <LI>If you have a monitoring tool such as Solarwinds ping something on the remote end, even if it is just to a dummy host.</LI> <LI>Set up a lambda function to be triggered when the tunnel is down. It will then run the "test" commands on the PA: <OL> <LI><FONT face="courier new,courier">test vpn ike-sa gateway &lt;gateway_name&gt;</FONT></LI> <LI><FONT face="courier new,courier">test vpn ipsec-sa tunnel &lt;tunnel_name&gt;</FONT></LI> </OL> </LI> </OL> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpns/set-up-site-to-site-vpn/test-vpn-connectivity" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpns/set-up-site-to-site-vpn/test-vpn-connectivity</A></P> Wed, 03 Aug 2022 09:15:44 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-s2s-vpns-not-re-establishing/m-p/510676#M106244 NathanielM 2022-08-03T09:15:44Z