Dual ISP IPSEC vpn tunnel monitor drops the connection

Hi all,

 

I added second ISP to firewall and created ECMP for dual ISP followed those guides:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-...

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

 

When I try to configure tunnel monitoring on the IPSec tunnels (after I configure the tunnel interface's IPv4 address from the local network subnet), the connection drops and can't connect again.

Only after I disable the tunnel monitoring settings does the VPN connection come up again.

 

Does anyone have suggestions on what to do or what to check?

 

Thank you all.

 


@SShnap,

What version of PAN-OS are you running? 

@BPry

 

I'm running a PAVM200 with PAN-OS 8.0.0.

 

 

- You shouldn't be using 8.0.0 anymore, by far; update PAN-OS to something like 8.0.10 so you get the security fixes and all of the associated fixes. Base images are not production ready.

- Depending on what you have specified in the tunnel monitoring profile, this would be an expected action. When used in conjunction with DPD, the monitoring profile only has two options: wait-recover or fail-over. In either case the firewall will attempt to recover by negotiating new IPSec keys. When certain peer devices see this action they will sometimes close the connection on their end, depending on the configuration.

 

I would start by simply upgrading the PAN-OS version, because you shouldn't be running 8.0.0 anymore. That likely won't fix it, but it's better for your device as a whole. Since you are only running into an issue with the tunnel monitoring profile active, verify what the monitoring profile actually has set for the action. It could easily be that the peer device is simply dropping the connection when the PA attempts to re-key.
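
As a reference for the check suggested above, this is what the tunnel monitor configuration and its verification look like in the PAN-OS CLI. It is an added example, not part of the original thread: the profile names (mon-wait-recover, mon-fail-over), the tunnel name (vpn-isp1) and the address 10.255.0.2 are placeholders, and the command syntax is reproduced from memory of PAN-OS 8.x and should be confirmed with tab completion on the firewall. Lines prefixed with `>` are operational mode, lines prefixed with `#` are configuration mode.

```text
> configure
# show network profiles monitor-profile

# set network profiles monitor-profile mon-wait-recover action wait-recover
# set network profiles monitor-profile mon-wait-recover interval 3
# set network profiles monitor-profile mon-wait-recover threshold 5

# set network profiles monitor-profile mon-fail-over action fail-over
# set network profiles monitor-profile mon-fail-over interval 3
# set network profiles monitor-profile mon-fail-over threshold 5

# set network tunnel ipsec vpn-isp1 tunnel-monitor enable yes
# set network tunnel ipsec vpn-isp1 tunnel-monitor destination-ip 10.255.0.2
# set network tunnel ipsec vpn-isp1 tunnel-monitor tunnel-monitor-profile mon-fail-over
# commit
# exit

> show vpn flow name vpn-isp1
> show vpn ipsec-sa tunnel vpn-isp1
> tail follow yes mp-log ikemgr.log
```

The first `show` displays the profile the tunnel is currently using (the built-in default profile is wait-recover, interval 3 seconds, threshold 5 missed probes). Both profiles shown here react to the same failure, a missed run of ICMP probes to `destination-ip`; wait-recover keeps the tunnel interface up and keeps retrying, while fail-over marks the tunnel interface down so routes can fail over to the other ISP's tunnel, which is the behaviour a dual-ISP design usually wants. Whichever action is chosen, `destination-ip` must be an address on the far side that is reached through the tunnel and answers ICMP (typically the peer's tunnel interface address); if it is not, every probe fails, the threshold is hit as soon as monitoring is enabled, and the recovery action fires immediately, which matches the symptom of the tunnel dropping the moment monitoring is turned on. `show vpn flow` reports the monitor status for the tunnel, `show vpn ipsec-sa` shows whether fresh SAs are being negotiated, and `ikemgr.log` shows whether the peer is rejecting or tearing down the re-key.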
