11-19-2020 10:33 AM
Hello Everyone,
I have an issue while migrating from PA-5020 (HA, 8.1.15-h3) to PA-5220 (HA, 8.1.15-h3) firewalls.
1) Did an .xml running-config export from the 5020 and imported it into the 5220, but got an error message on commit. Involved a PA TAC engineer and SE; they could not resolve this issue, just said it's a PAN-OS bug, to upgrade to a higher PAN-OS version, and that they needed some time to do research. But we were time sensitive in our environment, and some objects are controlled from Panorama.
2) Decided to make a replica of the config from the CLI instead.
On maintenance day, unplugged the cables from the 5020 and plugged them into the 5220. Everything worked as expected, but 60% of the IPSec VPN tunnels to AWS didn't come up. It took a few minutes for them to come up (some VPN tunnels to AWS came up within 2 minutes, some came up after 20 minutes or so). After trying disable/enable, refreshing tunnels, checking IKE phase 1 and phase 2 parameters, etc., we still had the same issue. Later we rolled back to the 5020.
Does anyone have the same issue? Are there any suggestions for this? Why do IPSec VPN tunnels to AWS take such a long time, or not come up at all? It's only an issue with the AWS cloud, not with others, for example Azure.
11-19-2020 11:10 AM
Which side of your tunnel is actually active, the PA-5220 or the AWS side? It sounds honestly like the AWS end wasn't trying to refresh and didn't clear the tunnel and re-establish.
11-19-2020 11:34 AM
AWS side.
Do you have any suggestions for this?
11-19-2020 08:48 PM
Do you have DPD set up on the AWS side of things so that it actually clears the tunnel and attempts to negotiate the connection again? Did you manually clear the tunnel on the AWS side and attempt to bring it back online from that end? I would look at the logs on the PA-5220 and see if you at least see the AWS side attempting to bring up the tunnel when you switched them out, but my guess would be that you don't and that the logs aren't going to show you any traffic.
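As an added example that is not part of this thread, here is a small Python script implementing the log check suggested above: given system-log lines from the new firewall and the cutover time, it reports, per gateway, whether the AWS end ever initiated IKE phase 1 and how long after cutover that happened. The log line format, gateway names and addresses are constructed and only loosely modelled on PAN-OS ikemgr messages; a real PA-5220 export will look different.

```python
import re
from datetime import datetime

# Constructed sample log, modelled loosely on PAN-OS "vpn" system-log entries
# (assumption: one line per event, "<timestamp> vpn ikemgr <gateway>: <text>").
SAMPLE_LOG = """\
2020/11/21 02:00:15 vpn ikemgr aws-vpn-1: IKE phase-1 negotiation is started as initiator, non-rekey. 203.0.113.10[500]-198.51.100.5[500]
2020/11/21 02:02:04 vpn ikemgr aws-vpn-1: IKE phase-1 negotiation is started as responder, non-rekey. 203.0.113.10[500]-198.51.100.5[500]
2020/11/21 02:02:05 vpn ikemgr aws-vpn-1: IKE phase-1 SA established
2020/11/21 02:01:00 vpn ikemgr aws-vpn-2: IKE phase-1 negotiation is started as initiator, non-rekey. 203.0.113.10[500]-198.51.100.6[500]
2020/11/21 02:20:33 vpn ikemgr aws-vpn-2: IKE phase-1 negotiation is started as responder, non-rekey. 203.0.113.10[500]-198.51.100.6[500]
2020/11/21 02:01:10 vpn ikemgr aws-vpn-3: IKE phase-1 negotiation is started as initiator, non-rekey. 203.0.113.10[500]-198.51.100.7[500]
"""

TS_FMT = "%Y/%m/%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) vpn ikemgr (?P<gw>\S+): "
    r"IKE phase-1 negotiation is started as (?P<role>initiator|responder)"
)


def peer_initiation_report(log_text, cutover):
    """Per gateway: local (initiator) and peer (responder) attempts after cutover,
    plus seconds from cutover until the peer first tried to bring the tunnel up."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # SA-established lines and other noise are ignored here
        ts = datetime.strptime(m["ts"], TS_FMT)
        if ts < cutover:
            continue  # only events after the new firewall went live matter
        entry = report.setdefault(
            m["gw"], {"local_attempts": 0, "peer_attempts": 0, "peer_first_delay_s": None}
        )
        if m["role"] == "initiator":
            entry["local_attempts"] += 1
        else:
            entry["peer_attempts"] += 1
            delay = (ts - cutover).total_seconds()
            if entry["peer_first_delay_s"] is None or delay < entry["peer_first_delay_s"]:
                entry["peer_first_delay_s"] = delay
    return report


def gateways_without_peer_attempt(report):
    """Tunnels the remote side never tried to re-establish: candidates for
    checking DPD on that end or clearing the tunnel there."""
    return sorted(gw for gw, e in report.items() if e["peer_attempts"] == 0)


if __name__ == "__main__":
    rep = peer_initiation_report(SAMPLE_LOG, datetime(2020, 11, 21, 2, 0, 0))
    for gw, e in sorted(rep.items()):
        print(gw, e)
    print("no peer-side attempt:", gateways_without_peer_attempt(rep))
```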
11-20-2020 11:16 AM
Thanks @BPry .
Actually, the AWS side is managed by the Cloud-ops team. I will work with them. I really appreciate your prompt reply with all these suggestions.
11-20-2020 12:29 PM
Hello,
When our tunnels go down, from the logs on our PAN, it's always the AWS side.
Regards,