I have an issue while migrating from PA-5020 (HA, 8.1.15-h3) to PA-5220 (HA, 8.1.15-h3) firewalls.
1) Did an .xml running-config export from the 5020 and imported it into the 5220, but got an error message on commit. Involved a PA TAC engineer and an SE; they could not resolve this issue, just said it's a PAN-OS bug, upgrade to a higher PAN-OS version, and that they needed some time to do research, but we were time sensitive in our environment and some objects are controlled from Panorama.
2) Decided to make a replica of the config from the CLI instead.
On maintenance day, unplugged the cables from the 5020 and plugged them into the 5220. Everything worked as expected, but 60% of the IPSec VPN tunnels to AWS didn't come up. It took a few minutes for some to come up (some VPN tunnels to AWS came up within 2 minutes, some came up after 20 minutes or so). After trying disable/enable, refreshing the tunnels, checking IKE phase 1 and phase 2 parameters etc., we still had the same issue. Later we rolled back to the 5020.
Does anyone have the same issue? Are there any suggestions for this? Why do IPSec VPN tunnels to AWS take such a long time to come up, or not come up at all? It's only an issue with the AWS cloud, not with others, for example Azure.
Which side of your tunnel is actually active, the PA-5220 or the AWS side? It honestly sounds like the AWS end wasn't trying to refresh and didn't clear the tunnel and re-establish.
Do you have DPD set up on the AWS side of things so that it actually clears the tunnel and attempts to negotiate the connection again? Did you manually clear the tunnel on the AWS side and attempt to bring it back online from that end? I would look at the logs on the PA-5220 and see if you at least see the AWS side attempting to bring up the tunnel when you switched them out, but my guess would be that you don't and that the logs aren't going to show you any traffic.
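One way to make the log check suggested in the reply concrete, as an added example that is not from the original thread: the script below runs over constructed, simplified log lines (the record layout, event names, peer names and timestamps are assumptions for this example, not a real PAN-OS export) and reports, per AWS peer, how long after cutover the tunnel came up, how many phase 1 negotiations the firewall started, and whether the AWS side ever initiated one itself.

```python
import re
from datetime import datetime

# Constructed, simplified log lines for this example (not a real PAN-OS export):
# timestamp, event name, peer gateway and IKE role, one record per line.
SAMPLE_LOG = """\
2021-03-06 01:00:05 ike-nego-p1-start peer=aws-vpn-1 role=initiator
2021-03-06 01:00:07 ipsec-key-install peer=aws-vpn-1 role=initiator
2021-03-06 01:00:05 ike-nego-p1-start peer=aws-vpn-2 role=initiator
2021-03-06 01:00:35 ike-nego-p1-start peer=aws-vpn-2 role=initiator
2021-03-06 01:20:10 ike-nego-p1-start peer=aws-vpn-2 role=responder
2021-03-06 01:20:12 ipsec-key-install peer=aws-vpn-2 role=responder
2021-03-06 01:00:05 ike-nego-p1-start peer=aws-vpn-3 role=initiator
2021-03-06 01:00:35 ike-nego-p1-start peer=aws-vpn-3 role=initiator
"""
CUTOVER = datetime(2021, 3, 6, 1, 0, 0)  # assumed time the cables moved to the new box

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) peer=(\S+) role=(\S+)$")

def parse(log_text):
    # Yield (timestamp, event, peer, role) for every well-formed line.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def tunnel_report(log_text, cutover):
    """Per peer: seconds from cutover to the first IPsec key install (None if
    never), how many phase 1 negotiations we started, and whether the remote
    side ever initiated, i.e. whether AWS tried to rebuild the SA itself."""
    report = {}
    for ts, event, peer, role in parse(log_text):
        r = report.setdefault(peer, {"up_after_s": None, "local_attempts": 0, "remote_initiated": False})
        if event == "ike-nego-p1-start" and role == "initiator":
            r["local_attempts"] += 1
        if role == "responder":
            r["remote_initiated"] = True
        if event == "ipsec-key-install" and r["up_after_s"] is None:
            r["up_after_s"] = int((ts - cutover).total_seconds())
    return report

def classify(r):
    # Map a peer's record to the situations discussed in the thread.
    if r["up_after_s"] is None:
        return "never up: local attempts went unanswered"
    if r["up_after_s"] > 300 and r["remote_initiated"]:
        return "slow: only came up once the remote side initiated"
    return "ok"

if __name__ == "__main__":
    for peer, r in tunnel_report(SAMPLE_LOG, CUTOVER).items():
        print(peer, r, classify(r))
```

A peer that is "slow" and only recovers once the remote side initiates is the pattern the reply describes: the AWS end kept its old SA until DPD or a rekey forced it to renegotiate, so checking DPD on that side is the first thing to verify.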