AWS IPSec VPN Issue while migrating from PA-5020(HA-8.1.15-h3) to PA-5220(HA-8.1.15-h3) Firewalls

L1 Bithead

Hello Everyone,
I have an issue while migrating from PA-5020 (HA, 8.1.15-h3) to PA-5220 (HA, 8.1.15-h3) firewalls.

1) Exported the .xml running config file from the 5020 and imported it into the 5220, but got an error message on commit. Involved a PA TAC engineer and SE; they could not resolve this issue, just said it's a PAN-OS bug, to upgrade to a higher PAN-OS version, and that they needed some time to do research, but we were time sensitive in our environment and some objects are controlled from Panorama.

2) Decided to make a replica of the config from the CLI.


On maintenance day, unplugged the cables from the 5020 and plugged them into the 5220. Everything worked as expected, but 60% of the IPSec VPN tunnels to AWS didn't come up. It took a few minutes for them to come up (some VPN tunnels to AWS came up within 2 minutes, some came up after 20 minutes or so). After trying to disable/enable, refreshing tunnels, checking IKE phase 1 and phase 2 parameters etc., we still had the same issue. Later we rolled back to the 5020.
Does anyone have the same issue? Are there any suggestions for this? Why do IPSec VPN tunnels to AWS take such a long time, or not come up at all? It's only an issue with AWS cloud, not with others, e.g. Azure.

Cyber Elite

@Tthapa,

Which side of your tunnel is actually active, the PA-5220 or the AWS side? It honestly sounds like the AWS end wasn't trying to refresh and didn't clear the tunnel and re-establish.

L1 Bithead

AWS side.

Do you have any suggestion for this?

Cyber Elite

@Tthapa,

Do you have DPD set up on the AWS side of things so that it actually clears the tunnel and attempts to negotiate the connection again? Did you manually clear the tunnel on the AWS side and attempt to bring it back online from that end? I would look at the logs on the PA-5220 and see if you at least see the AWS side attempting to bring up the tunnel when you switched them out, but my guess would be that you don't and that the logs aren't going to show you any traffic.
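An added example of the log review suggested above (not code from the thread or from Palo Alto Networks): a small Python script that reads IKE log lines in an assumed, simplified "timestamp gateway rx|tx message" layout and reports, per gateway, whether the remote end sent anything at all after the cutover, whether it initiated IKE itself, whether DPD was seen, and how many minutes it took. The log lines and gateway names are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample log in a simplified "timestamp gateway rx|tx message" layout;
# the layout is an assumption for this example, not the real PAN-OS ikemgr.log
# format. The cutover (cable swap) is taken to be 02:00.
SAMPLE_LOG = """\
2020-06-20T02:00:05 aws-vpn-1 tx IKEv1 phase-1 initiate to 203.0.113.10
2020-06-20T02:00:06 aws-vpn-1 rx IKEv1 phase-1 response from 203.0.113.10
2020-06-20T02:00:07 aws-vpn-1 rx DPD R-U-THERE from 203.0.113.10
2020-06-20T02:00:05 aws-vpn-2 tx IKEv1 phase-1 initiate to 203.0.113.11
2020-06-20T02:00:35 aws-vpn-2 tx IKEv1 phase-1 initiate to 203.0.113.11
2020-06-20T02:21:10 aws-vpn-2 rx IKEv1 phase-1 initiate from 203.0.113.11
2020-06-20T02:00:05 aws-vpn-3 tx IKEv1 phase-1 initiate to 203.0.113.12
2020-06-20T02:05:05 aws-vpn-3 tx IKEv1 phase-1 initiate to 203.0.113.12
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (rx|tx) (.*)$")

def analyze(log_text, cutover_iso):
    """Summarise, per gateway, what the remote peer did after the cutover."""
    cutover = datetime.fromisoformat(cutover_iso)
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        ts, gw, direction, msg = m.groups()
        when = datetime.fromisoformat(ts)
        if when < cutover:
            continue  # only post-cutover behaviour matters here
        e = report.setdefault(gw, {"local_attempts": 0, "peer_seen": False,
                                   "peer_initiated": False, "dpd_seen": False,
                                   "minutes_to_first_rx": None})
        if direction == "tx" and "initiate" in msg:
            e["local_attempts"] += 1
        elif direction == "rx":
            mins = (when - cutover).total_seconds() / 60
            if e["minutes_to_first_rx"] is None or mins < e["minutes_to_first_rx"]:
                e["minutes_to_first_rx"] = mins
            e["peer_seen"] = True
            e["peer_initiated"] = e["peer_initiated"] or "initiate" in msg
            e["dpd_seen"] = e["dpd_seen"] or "DPD" in msg
    return report

def verdict(entry):
    """Classify a gateway the way the reply above suggests reading the logs."""
    if not entry["peer_seen"]:
        return "peer silent: nothing received from the remote end after cutover"
    if entry["minutes_to_first_rx"] > 10:
        return "peer slow: first remote message %.0f min after cutover" % entry["minutes_to_first_rx"]
    return "ok: peer responded promptly"
```

A gateway with repeated local attempts and a "peer silent" verdict is the case where it is worth asking the cloud-side team whether DPD is enabled and whether the tunnel was cleared on their end.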

L1 Bithead

Thanks @BPry .

Actually, the AWS side is managed by the Cloud-ops team. I will work with them. I really appreciate your prompt reply with all these suggestions.

Cyber Elite

Hello,

When our tunnels go down, from the logs on our PAN, it's always the AWS side.

Regards,
