Disable an IPSec Tunnel


Not applicable

I want to disable an IPSec VPN. I have currently blocked traffic in both directions to the tunnel by using Security Policies, but there should be a way to disable the tunnel in the IPSec configuration (or alternatively, disable the tunnel interface). I don't want to delete it, but I don't want it taking up processor speed for a tunnel that I don't want turned on.

5 REPLIES

L7 Applicator

Currently, there isn't a nice "disable" button for IPSec Tunnel Configuration - but I do see the value in being able to disable tunnels at-will.  For this case, I have created an "IKE Gateway" called "disabled" and populated it with bogus information.  Then, when I need to disable a tunnel, I go change the IKE Gateway to "disabled" and commit.  It has the same effect - and I've deleted nothing. 

Hope that helps.

That is a possible workaround, but it will still try to connect, using CPU and continuous log messages.

Agreed - it's a workaround - not a complete solution.

Ultimately, if you want a "disable" button in the IPSec configuration, you'll need to file a Feature Request with your local Palo Alto Networks sales engineer. 

Not applicable

Actually, this might cause alarms on the opposing firewall, which I don't want, so maybe a security block is a better solution anyways.

L1 Bithead

I agree that this would be a nice feature. I ran into an issue a couple of days ago where the VPN link between our PA and a Cisco ASA died after a software upgrade on the PA. I had no way to kick-start the PA to get it to retry making a connection to the remote site. I had to go into the CLI to do this. Having buttons on the GUI to be able to test the link or reset the link would be handy.

I also noticed that the link status never even updated when the link went down, which is concerning.
