PA-200 Cable modem VPN sites needing a power cycle to restore connectivity


L1 Bithead

I have multiple remote sites that connect back to a main site through PA-200s, using Charter Communications cable modems. At various times the PAs stop forwarding traffic. I can no longer reach the PAs, and I have set up management on the outside IP addresses. The only way to recover from this is to have someone at the remote site power cycle the PAs. Has anyone else run into this issue? We have around 30 sites and it is very random. It's almost as if the PA doesn't recover from something going on with the cable modem and just gives up. I had Cisco 5505 ASAs prior to the PAs and never had this issue.

I have worked with PA support, see this thread for some background.

https://live.paloaltonetworks.com/t5/General-Topics/Multiple-PA-200-Firewall-s-lock-up-and-require-a...

Cyber Elite

It would be interesting to see what your actual cable modem configuration looks like, for example is the device in pass-through mode, DHCP or static address, etc. I also didn't see it mentioned anywhere if you are running a split-tunnel or if everything is going through the tunnel.

One of the things that I would look at is whether show vpn ike-sa gateway <value> or show vpn ipsec-sa tunnel <value> still shows the connections as active. I'll also pull a Cisco and ask why they are still running 6.1.3; it might be worth upgrading one of them that does this more often to the latest 6.1.*, or 7.0.*, or even 7.1.* if you like to live dangerously.

The cable modems are set up statically. No split tunneling is used; everything is going over the VPN tunnel. I have upgraded a few to the latest code but am still having the same issues.

Thanks

In that case I would be interested in seeing the response of those two commands that I sent previously. If the firewall that all of these are routed back to is holding onto the old VPN credentials, it wouldn't allow the remote firewall to "connect" again because it already is. This would also throw off the routing table, which would explain why you can't get to the outside interface for management; with the traffic not being split-tunneled, it would also explain why all the traffic is halting.

It might help to set a few of these up as split-tunnel and see if the issue persists, and if it does, whether they just lose access to internal (VPN source) resources or the internet connection drops as a whole.
