Disable a tunneling interface ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Disable a tunneling interface ?

L1 Bithead

Hi all,

Is there a CLI command to disable (shutdown) a tunnel interface on a PAN firewall ?

Thank you

Regards

1 accepted solution

Accepted Solutions

L3 Networker

there is currently no command to disable a tunnel interface.

View solution in original post

13 REPLIES 13

L3 Networker

there is currently no command to disable a tunnel interface.

Is there one now Smiley Happy

If not, I have a work-around. Will post next as attachment.

WTF a cliffhanger? 😃

Patience, Daniel-san...

Retired Member
Not applicable

Curious why you want to shutdown a tunnel interface. This is a logical interface and not really tied to a physical interface as such. What are you trying to accomplish by shutting down tunnel interface?

Having said that, you can enable tunnel monitoring as that can basically disable the tunnel interface if the VPN is down to influence routing protocols. Is that what you are trying to do?

-Richard

Many reasons, but I'll give the two, which I'm using it for right now.  First, is a VPN between client(s) and myself.  I don't want to leave it up at all times, just bring it up when needed.  This will relieve routing conflicts between overlapping schemes among different clients and myself.  Second, we moved from an old VPN between a Cisco (remote device) on one side and PA on the other to a complete Palo Alto solution.  I want to avoid any chance of traffic routing over the old VPN and the only way to ensure this is to disable it, but PA doesn't allow an admin down state like Cisco does, BTW, why is that?  SOP to leave the old infra in place until the new is proven good and stable.  If a problem arises, simply fall back to the old VPN. 

::crickets::

I guess you would just bitchslap me if I returned your "Patience, Daniel-san..."? 😉

LOL!  two-shay...  Then I would say, damn you guys are slow... ha

Not applicable

Hi,

This is a rather old thread, but did someone find a way to get this done?

I was thinking of doing a shutdown of the tunnel interface or to the tunnel but couldn't find a way to do it.

My workaround is the following:Block all IPSEC traffic to/from the termination point

It is not nice, but it works

Since I didn't see anyone providing a solution i just chose "disable" for each tunnel in the GUI and then did a commit.

 

The 3 tunnels went RED for status but IKE is still green which makes no sense.

It seems there should be a simple CLI command like "test vpn tunnel tunnelname" (stop/start disable/enable) to do this easily but nobody suggested one so i assume one does not exist.

 

I have 2 customers we have stopped supporting so I wanted to disable the tunnels. 

If they resume support/buy new products then I will just enable it instead of going through the whole tunnel building process.

Winner Winner Chicken Dinner!

  • 1 accepted solution
  • 9088 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!