AWS S2S VPNs not re-establishing?


L4 Transporter

Having issues with a fair amount of AWS VPN tunnels that will go down due to path or ISP issues, but they don't come back up unless I manually bounce them on the PAN side. Configuration is standard with DPD set to 10/2 and using PBF monitoring the far ends of the tunnels. So I will see the tunnels go down and they show down in AWS, but they DO NOT come back up until I manually bounce them from the IPSec Tunnels page.

Has anyone seen this before? I am seeing this across 2 separate PANs (1 x HA, 1 standalone) to separate AWS accounts/regions, but the problem seems to be consistent and I'm not sure why.

Note I am not using 'Tunnel Monitor' on the IPSec Tunnels but I am on the PBF rules, could that be the problem? Meaning I should be using TM on one or the other but not both? Someone show me the way.


L1 Bithead

Not sure if you found a solution to this...


As stated here in the KB article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVGCA0

My interpretation of that is that if the tunnel goes down (or presumably when it is initially being set up) it will only be negotiated by interesting traffic, so you have several options to keep that interesting traffic flowing:


  1. Tunnel monitor using your tunnel interface; the route to the peer will be via the tunnel, hence it is interesting traffic.
    1. On a side note, I'd use "path monitoring" instead of PBF if you have two static routes to the same destination, e.g. 10.1.0.0/24 via tunnel 1 and 10.1.0.0/24 via tunnel 2. Just put the preferred metric on 10 and the other on 20, and be sure to path monitor on both routes.
  2. If you have a monitoring tool such as Solarwinds, ping something on the remote end, even if it is just a dummy host.
  3. Set up a Lambda function to be triggered when the tunnel is down. It will then run the "test" commands on the PA:
    1. test vpn ike-sa gateway <gateway_name>
    2. test vpn ipsec-sa tunnel <tunnel_name>

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpns/set-up-site-to-site-vpn/test-vpn-con...
