Ikev2 site to site VPN between Arista ETM and Palo Alto


L1 Bithead

Hello Ma'ams and Sirs,

 

I need your advice here.

 

I have configured an IKEv2 policy-based site-to-site VPN between our Palo Alto and the client's Arista ETM. I manage the Palo Alto.

 

The status of the VPN shows up, but communication between the subnets (local and remote) stops abruptly until I generate some traffic by pinging each of their VLANs/subnets from our server.

 

All the parameters look correct on both sides.

 

What I observed is that continuous pings from the Palo Alto side keep the communication up.

Is this a normal behaviour or does any change have to be made on either device? Please help.

4 REPLIES

Community Team Member

Hi @msdphi ,

 

Yes, the IPsec tunnel comes up only when there is interesting traffic destined for the tunnel.

Check the bullet "Interesting Traffic or On-Demand" on this page which explains:

https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/ipsec-vpn-basics/ipsec-v...

 

To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the firewall:

https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-tunnel-monitoring

 

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L1 Bithead

Thank you, Kim.

 

I already have the liveness check enabled, and tunnel monitoring won't be possible because the client has multiple VLANs, but configuring multiple monitoring IP addresses is not possible.

 

I may be wrong. Please advise.

Community Team Member

Hi @msdphi ,

 

Correct, tunnel monitoring only allows you to monitor one IP.

Why would you monitor more? For tunnel monitoring you usually monitor an IP closest to the tunnel IP.

 

If you want to check on different VLANs being available I think you should look into path monitoring instead.

 

Kind regards,

-Kim.

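An added configuration example, not from this thread and not Palo Alto Networks' own documentation, showing how the two replies above fit together on the PAN-OS side: a liveness check (DPD) on the IKE gateway plus tunnel monitoring on the policy-based tunnel, pointed at a single peer-side address close to the tunnel. The gateway, tunnel, proxy-ID and profile names and all addresses are placeholders, and the set-command paths are written from the PAN-OS CLI as I know it and are assumptions to verify against the running version.

```text
# Added example: PAN-OS configuration-mode "set" commands. All names and
# addresses are placeholders chosen for illustration.

# 1. Liveness check (IKEv2 DPD) on the IKE gateway, so a dead peer is
#    detected even while no interesting traffic is flowing.
set network ike gateway ARISTA-GW protocol ikev2 dpd enable yes
set network ike gateway ARISTA-GW protocol ikev2 dpd interval 10

# 2. A monitor profile: probe every 3 s, declare failure after 5 misses,
#    then wait for the tunnel to recover (renegotiate) rather than fail over.
set network profiles monitor-profile VPN-MON action wait-recover
set network profiles monitor-profile VPN-MON interval 3
set network profiles monitor-profile VPN-MON threshold 5

# 3. Tunnel monitoring on the IPsec tunnel. Only ONE destination IP can be
#    configured, so use the peer-side address closest to the tunnel, e.g. the
#    Arista-side gateway covered by the first proxy-ID. On a policy-based
#    tunnel the proxy-id selects which SA carries the probes. The tunnel
#    interface needs an IP address so the firewall can source the probes.
set network interface tunnel units tunnel.10 ip 10.255.0.1/30
set network tunnel ipsec PA-TO-ARISTA tunnel-interface tunnel.10
set network tunnel ipsec PA-TO-ARISTA tunnel-monitor enable yes
set network tunnel ipsec PA-TO-ARISTA tunnel-monitor destination-ip 192.168.10.1
set network tunnel ipsec PA-TO-ARISTA tunnel-monitor proxy-id ARISTA-VLAN10
set network tunnel ipsec PA-TO-ARISTA tunnel-monitor tunnel-monitor-profile VPN-MON
commit
```

After the commit, the monitor probes themselves count as interesting traffic for that SA, and a missed-probe threshold triggers the profile action instead of the tunnel silently sitting idle.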

Why would you monitor more? For tunnel monitoring you usually monitor an IP closest to the tunnel IP. --- So, the problem is that unless I keep continuous pings going to each of their LAN gateways, the communication stops, though the VPN shows as up. But that's not a good solution. I thought we might phase 2 parameters there

 

 

If you want to check on different VLANs being available I think you should look into path monitoring instead. --- Okay, will check.
