Dual ISP IPSEC vpn tunnel monitor drops the connection

L3 Networker

Hi all,


I added second ISP to firewall and created ECMP for dual ISP followed those guides:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-...

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

When I'm trying to configure tunnel monitoring on the IPSEC tunnels (after I configure the tunnel interface IPv4 from the local network subnet), the connection drops and can't connect again.

Only after I disable the tunnel monitoring settings does the VPN connection come up again.

Does anyone have suggestions on what to do or what to check?


Thank you all.


L7 Applicator

Re: Dual ISP IPSEC vpn tunnel monitor drops the connection

@SShnap,

What version of PAN-OS are you running? 

L3 Networker

Re: Dual ISP IPSEC vpn tunnel monitor drops the connection

@BPry


I'm running PAVM200 with PAN-OS 8.0.0


L7 Applicator

Re: Dual ISP IPSEC vpn tunnel monitor drops the connection

- You shouldn't be using 8.0.0 anymore, by far; update PAN-OS to something like 8.0.10 so you get the security fixes and all of the associated fixes. Base images are not production ready.

- Depending on what you have specified in the tunnel monitoring profile, this would be an expected action. When used in conjunction with DPD, the monitoring profile only has two options: wait-recover or fail-over. In either case the firewall will attempt to recover by negotiating new IPSec keys. When certain peer devices see this action, they will sometimes close the connection on their end, depending on the configuration.

I would start by simply upgrading the PAN-OS version, because you shouldn't be running 8.0.0 anymore. That likely won't fix it, but it's better for your device as a whole. Since you are only running into an issue with the tunnel monitoring profile active, verify what the monitoring profile actually has set for the action. It could easily be that the peer device is simply dropping the connection when the PA attempts to re-key.
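As an added illustration of the two points above (monitor profile action and verifying what happens at re-key), here is a PAN-OS CLI fragment showing a wait-recover monitor profile attached to one of the two ISP tunnels, followed by the read-only commands used to see whether the peer is tearing the SAs down. This is not from the thread or from Palo Alto Networks documentation; the names `tun-mon-wr` and `ipsec-isp1` and the addresses 10.255.0.1/10.255.0.2 are constructed placeholders, and the exact `set` keywords should be confirmed with `?` in the CLI of the PAN-OS version actually deployed.

```text
# Added example; tun-mon-wr, ipsec-isp1 and the 10.255.0.x addresses are placeholders.
configure
# Monitor profile. wait-recover only tries to re-establish the tunnel; fail-over
# additionally moves routing to the other path, which is the more disruptive choice
# while you are still diagnosing why the peer drops the connection.
set network profiles monitor-profile tun-mon-wr action wait-recover interval 3 threshold 5
# Attach the profile to the IPSec tunnel. The destination must be an address on the
# far side that is reachable only through the tunnel (e.g. the peer's tunnel interface
# IP), and the peer must be allowed to answer the monitor probes sourced from the
# local tunnel interface IP (10.255.0.1 here). A destination that is reachable
# out of the tunnel, or that the peer silently drops, makes the monitor declare
# the tunnel down and triggers the re-key behaviour described in the reply.
set network tunnel ipsec ipsec-isp1 tunnel-monitor enable yes
set network tunnel ipsec ipsec-isp1 tunnel-monitor destination-ip 10.255.0.2
set network tunnel ipsec ipsec-isp1 tunnel-monitor monitor-profile tun-mon-wr
commit
exit

# Checks to run right after the monitor is enabled and the tunnel drops
show vpn tunnel                     # tunnel state and whether the monitor is marked up/down
show vpn flow name ipsec-isp1       # per-tunnel counters: monitor packets sent vs. received
show vpn ike-sa                     # IKE SAs: is the gateway stuck in repeated negotiation?
show vpn ipsec-sa                   # IPSec SAs: repeated re-keys point at the peer deleting them
less mp-log ikemgr.log              # peer DELETE / notify messages around the re-key attempt
```

If `show vpn flow` shows monitor packets sent but none received while the IPSec SA is otherwise up, the probe destination or the peer's policy is the problem rather than the tunnel itself; if the IKE log shows the peer sending deletes immediately after the re-key, the peer-side configuration is what needs attention, as the reply suggests.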
