Layer 3 Stops Passing - All PanOS versions incl. 6.1.3

L1 Bithead

Re: Layer 3 Stops Passing - All PanOS versions incl. 6.1.3

One thing I went through as related: make sure you do not have any management services open to the open internet without a management ACL. I had a problem initially where, leaving it wide open, there were issues with the root filling up with failure logs, etc. I had to have PAN TAC log in and clear it. Once I closed it down so I could only access directly from my datacenter's public IPs, we have not had another issue with resources.
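The management lock-down described in the post above, as an added example that is not the poster's own configuration: PAN-OS configure-mode CLI that replaces an unrestricted management plane with one reachable only from the datacenter egress addresses. The addresses (203.0.113.10 and .11, from the documentation range), the profile name Mgmt-DC and the interface ethernet1/1 are assumptions; the `#` lines are annotations, not commands the CLI accepts.

```text
# Weak state: no permitted-ip entries, so any source on the internet can reach
# the management services and fill the logs with failed logins.
#   show deviceconfig system permitted-ip   -> (no entries)

configure

# 1. Dedicated MGT interface: allow only the datacenter egress addresses (assumed).
set deviceconfig system permitted-ip 203.0.113.10/32
set deviceconfig system permitted-ip 203.0.113.11/32
# Drop the cleartext services entirely; HTTPS and SSH stay up for the permitted sources.
set deviceconfig system service disable-http yes
set deviceconfig system service disable-telnet yes

# 2. A dataplane interface that also carries management (common on a PA-200 with one
#    public link) gets a management profile with the same allowlist, not an open one.
set network profiles interface-management-profile Mgmt-DC https yes
set network profiles interface-management-profile Mgmt-DC ssh yes
set network profiles interface-management-profile Mgmt-DC ping yes
set network profiles interface-management-profile Mgmt-DC permitted-ip 203.0.113.10/32
set network profiles interface-management-profile Mgmt-DC permitted-ip 203.0.113.11/32
set network interface ethernet ethernet1/1 layer3 interface-management-profile Mgmt-DC

commit

# Check: both lists should show only the datacenter addresses.
show deviceconfig system permitted-ip
show network profiles interface-management-profile Mgmt-DC
```

Two caveats: commit this from one of the permitted addresses (or with console access at hand), because an allowlist that omits your own source locks you out of the box; and the restriction applies only to management services, so the GlobalProtect portal and gateway that LSVPN satellites connect to, which listen on the dataplane, are unaffected.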

L3 Networker

Re: Layer 3 Stops Passing - All PanOS versions incl. 6.1.3

Great. Thank you, I really appreciate it.

L1 Bithead

Re: Layer 3 Stops Passing - All PanOS versions incl. 6.1.3

Also to note, there is a known bug with LSVPN where you can get a 'dataplane tunnel install error' which requires a total reboot of the PA-200. The bug is 78613 and it will be fixed in the new OS version 7.0.0, to be released sometime in May. I have only had one site out of my 50+ have this issue since starting on 6.1.3 code about 2-3 weeks ago. Luckily it is not a complete dataplane lockup like I have had on previous versions, and I could easily pop a reboot on this one.

L1 Bithead

Re: Layer 3 Stops Passing - All PanOS versions incl. 6.1.3

Continuing to have issues with Large-Scale VPN on 6.1.4 with 65 PA-200 satellite sites. It will sit on "reconnecting" until I manually reconnect the site, several times a week.

Sometimes the satellite will also lose the seed route until I pop the VPN manually; either that, or the gateway will lose the route to the satellite. Resetting the tunnel on either the gateway or the satellite seems to bring it back up. So the result is that the tunnel monitor route will connect correctly, so the site is maybe pingable and your monitoring will say it's up, but your users will report no connectivity.

LSVPN is supposed to be less hassle than manually setting up all VPN tunnels, but it just is not stable and reliable at all. It seems to be getting a little better each release, but still I get woken up almost every night with a site offline. If somebody would guarantee 7.0.0 would fix things I would consider moving to it, but I would bet it introduces more unreliability than improvements. About half my tickets go unresolved and TAC has no idea why these things are happening. We paid 50 grand for the GlobalProtect licensing, which we do not use for remote access because Junos Pulse is solid, only for LSVPN. I feel like we are the only company using LSVPN, or the only one voicing the instability.
