This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

AWS S2S VPNs not re-establishing?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

AWS S2S VPNs not re-establishing?

drewdown
L4 Transporter

‎07-12-2021 09:16 AM - edited ‎07-12-2021 11:07 AM

Having issues with a fair amount of AWS VPN tunnels that will go down due to path or ISP issues but they don't come back up unless I manually bounce them on the PAN side.  Configuration is standard with DPD set to 10/2 and using PBF monitoring the far ends of the tunnels.   So I will see the tunnels go down and they show down in AWS but they DO NOT come back up until I manually bounce them from the IPSec Tunnels page.  

 

Has anyone seen this before?  I am seeing this across 2 separate PANs (1 x HA, 1 standalone) to separate AWS accounts/regions but the problem seems to be consistent and not sure why.  

 

Note I am not using 'Tunnel Monitor' on the IPSec Tunnels but I am on the PBF rules, could that be the problem?  Meaning I should be using TM on one or the other but not both?  Someone show me the way.  

0 Likes Likes
1 REPLY 1

NathanielM
L1 Bithead

‎08-03-2022 02:15 AM

Not sure if you found a solution to this...

 

As stated here in the KB article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVGCA0

My interpretation of reading that means if the tunnel goes down (or presumably being initially set up) it will only be negotiated by interesting traffic, so you have several options to keep that interesting traffic:

 

  1. Tunnel monitor using your tunnel interface, the route to the peer will be via the tunnel hence it is interesting traffic.
    1. On a side note i'd use "path monitoring" instead of PBF if you have two static routes to the same destination. E.g. 10.1.0.0/24 via tunnel 1, 10.1.0.0/24 via tunnel 2. Just put the prefferred metric on 10 and the other 20 and be sure to path monitor on both routes.
  2. If you have a monitoring tool such as Solarwinds ping something on the remote end, even if it is just to a dummy host.
  3. Set up a lambda function to be triggered when the tunnel is down. It will then run the "test" commands on the PA:
    1. test vpn ike-sa gateway <gateway_name>
    2. test vpn ipsec-sa tunnel <tunnel_name>

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpns/set-up-site-to-site-vpn/test-vpn-con...

0 Likes Likes
  • 2187 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks