Disable an IPSec Tunnel

Not applicable

Disable an IPSec Tunnel

I want to disable an IPSec VPN. I have currently blocked traffic in both directions to the tunnel by using Security Policies, but there should be a way to disable the tunnel in the IPSec configuration (or alternatively, disable the tunnel interface). I don't want to delete it, but I don't want it taking up processor speed for a tunnel that I don't want turned on.

L7 Applicator

Re: Disable an IPSec Tunnel

Currently, there isn't a nice "disable" button for IPSec Tunnel Configuration - but I do see the value in being able to disable tunnels at-will. For this case, I have created an "IKE Gateway" called "disabled" and populated it with bogus information. Then, when I need to disable a tunnel, I go change the IKE Gateway to "disabled" and commit. It has the same effect - and I've deleted nothing.

Hope that helps.

Not applicable

Re: Disable an IPSec Tunnel

That is a possible workaround, but it will still try to connect, using CPU and continuous log messages.

L7 Applicator

Re: Disable an IPSec Tunnel

Agreed - it's a workaround - not a complete solution.

Ultimately, if you want a "disable" button in the IPSec configuration, you'll need to file a Feature Request with your local Palo Alto Networks sales engineer. 

Not applicable

Re: Disable an IPSec Tunnel

Actually, this might cause alarms on the opposing firewall, which I don't want, so maybe a security block is a better solution anyways.

L1 Bithead

Re: Disable an IPSec Tunnel

I agree that this would be a nice feature. I ran into an issue a couple of days ago where the VPN link between our PA and a Cisco ASA died after a software upgrade on the PA. I had no way to kick-start the PA to get it to retry making a connection to the remote site. I had to go into the CLI to do this. Having buttons on the GUI to be able to test the link or reset the link would be handy.

I also noticed that the link status never even updated when the link went down, which is concerning.
