cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Disable an IPSec Tunnel

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
blandis
Not applicable
‎04-25-2014 07:23 AM
‎04-25-2014 07:23 AM

Disable an IPSec Tunnel

I want to disable an IPSec VPN. I have currently blocked traffic both directions to the tunnel by using a Security Policies, but there should be a way to disable the tunnel in the IPSec configuration (or alternatively, disable the tunnel interface). I don't want to delete it, but I don't want it taking up processor speed for a tunnel that I don't want turned on.

Labels:
0 Likes
Reply
jvalentine
L7 Applicator
‎04-25-2014 07:41 AM
‎04-25-2014 07:41 AM

Currently, there isn't a nice "disable" button for IPSec Tunnel Configuration - but I do see the value in being able to disable tunnels at-will.  For this case, I have created an "IKE Gateway" called "disabled" and populated it with bogus information.  Then, when I need to disable a tunnel, I go change the IKE Gateway to "disabled" and commit.  It has the same effect - and I've deleted nothing. 

Hope that helps.

Reply
blandis
Not applicable
‎04-25-2014 07:44 AM
‎04-25-2014 07:44 AM

That is a possible workaround, but it will still try to connect, using CPU and continuous log messages.

0 Likes
Reply
jvalentine
L7 Applicator
‎04-25-2014 07:55 AM
‎04-25-2014 07:55 AM

Agreed - it's a workaround - not a complete solution.

Ultimately, if you want a "disable" button in the IPSec configuration, you'll need to file a Feature Request with your local Palo Alto Networks sales engineer. 

Reply
blandis
Not applicable
‎04-25-2014 08:26 AM
‎04-25-2014 08:26 AM

Actually, this might cause alarms on the opposing firewall, which I don't want, so maybe a security block is a better solution anyways.

0 Likes
Reply
carpediem79
L1 Bithead
‎04-25-2014 09:08 AM
‎04-25-2014 09:08 AM

I agree that this would be a nice feature. I ran into an issue a couple of days ago where the VPN link between our PA and a Cisco ASA died after a software upgrade on the PA. I had no way kick start the PA to get it to retry making a connection to the remote site. I had to go into the CLI to do this. Having buttons on the GUI to be able to test the link or reset the link would be handy.

I also noticed that the link status never even updated when the link went down, which is concerning.

Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks