I had one of our remote sites go offline two days ago due to an ISP outage. However, the site-to-site link showed as up for several hours before it finally dropped and showed as offline. Is there a setting to have this respond faster so it shows offline within minutes? Or is this working as designed?
Were the colours of the VPN, green and red, the same even with multiple page refreshes? The screenshot below shows the status of the IKE and the IPSEC. The first one on the left shows the status of IPSEC-ESP, and the one on the right shows the status of IKE.
Again, that depends on how long the outage was. Although the lifetime of IPSEC-ESP and IKE can be (by default) 1 hour and 8 hours respectively, the session timeout values for IPSEC-ESP and IKE are 3600 secs and 30 secs respectively. Lifetime determines the amount of time that the parties have to wait before they rekey again. Once a VPN is up, the firewall maintains sessions for IKE and IPSEC-ESP. If the firewall doesn't receive packets within the session timeout values, it discards the session. That being the case, had there been an outage, the session for IPSEC-ESP would still remain active for a longer duration than the IKE session (when there is an ISP outage, no ESP or IKE packets would reach either firewall).
Whenever a tunnel goes down, the firewall logs these events with a high severity, and we have the ability to send these events to a syslog server. You can get faster alerts of VPNs going down by using SNMP servers or syslog servers, instead of relying on the WEB GUI.
Hope that helps!
All 3 status lights were green even after multiple refreshes. This was 3 hours after the outage occurred.
"Whenever a tunnel goes down, the firewall logs these events with a high severity, and we have the ability to send these events to a syslog server. You can get faster alerts of VPNs going down, by using SNMP servers, or through syslog servers, instead of relying on the WEB GUI."
I do not accept that as a proper method of knowing what is going on. If they have status indicators on the web gui, then they should do what is expected of them and properly indicate the status. If it requires some config changes to make it work better, that is fine, but the PA appliance should be able to provide us with adequate monitoring information.
Do you mean that the outage was for 3 hours, and yet the status lights were green during these 3 hours? We don't have any other extra configuration for the WEB GUI to reflect the correct status. In all my prior experience, I have seen the appropriate status show up whenever the tunnel went down (even with both automatic and manual page refreshes, and on the CLI). The next time you encounter this issue, please raise a ticket with the TAC.
Could you please try tunnel monitoring to bring the tunnel down when there is an outage from the ISP?
Also refer to the knowledge base article mentioned below for more information:
Did the system logs show that the VPN was down? If so, I think it's then a GUI issue. What is the PAN-OS version that the box is running on?
Tunnel monitoring sounds like it may do the trick. I am guessing that uses ping to verify the connection is up and then shows status as down once it fails to receive a response for the allotted time?
If so, that is something I will test during one of our upcoming maintenance windows.
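To make the difference between the two behaviours discussed in this thread concrete, here is a small model (added for illustration, not code from Palo Alto Networks or from anyone in this thread) of when a passive, session-timeout-based status would flip to down versus when an active tunnel monitor would. It uses the session timeouts quoted above (IPSEC-ESP 3600 s, IKE 30 s) and assumes a monitor that probes every 3 s and declares the tunnel down after 5 consecutive missed replies; those monitor values and the probe model are assumptions for the example.

```python
# Constructed model of tunnel-down detection; the numbers are taken from the
# thread (session timeouts) or assumed for the example (monitor interval/threshold).
ESP_SESSION_TIMEOUT = 3600   # seconds, from the thread
IKE_SESSION_TIMEOUT = 30     # seconds, from the thread


def session_active(last_packet_at: float, now: float, timeout: float) -> bool:
    """The firewall keeps a session until `timeout` seconds pass with no packets."""
    return now - last_packet_at < timeout


def passive_status(outage_start: float, now: float) -> dict:
    """Status derived only from session tables. An ISP cut stops both flows,
    so each session last saw a packet at `outage_start`."""
    return {
        "IPSEC-ESP": session_active(outage_start, now, ESP_SESSION_TIMEOUT),
        "IKE": session_active(outage_start, now, IKE_SESSION_TIMEOUT),
    }


class TunnelMonitor:
    """Active probe model: `threshold` consecutive failed probes mark the tunnel down;
    any successful probe resets the failure count (assumed behaviour)."""

    def __init__(self, interval: int = 3, threshold: int = 5):
        self.interval = interval
        self.threshold = threshold
        self.failures = 0
        self.up = True

    def probe(self, reply_received: bool) -> bool:
        self.failures = 0 if reply_received else self.failures + 1
        self.up = self.failures < self.threshold
        return self.up


def monitor_detect_delay(outage_start: float, interval: int = 3, threshold: int = 5) -> float:
    """Seconds after `outage_start` at which the monitor declares the tunnel down.
    Probes go out at t = 0, interval, 2*interval, ...; probes sent once the outage
    has begun get no reply."""
    mon = TunnelMonitor(interval, threshold)
    t = 0
    while mon.probe(reply_received=(t < outage_start)):
        t += interval
    return t - outage_start


if __name__ == "__main__":
    print("1 min into outage:", passive_status(0, 60))
    print("1 h into outage:", passive_status(0, 3600))
    print("monitor detects after", monitor_detect_delay(100), "s")
```

With these values the passive view keeps IPSEC-ESP active for a full hour after the last packet while IKE drops after 30 s, whereas the monitor notices within about 15 s.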