07-28-2022 01:31 AM
This is a slightly confusing issue that I am facing so please bare with me with regards to the explanation.
We have a PA-5220 configured with multiple IPSec Tunnels connecting to community sites, the community sites have either a PA-220 or PA-440 on the other end. Recently when setting up a new IPSec Tunnel (Southmead_Health) we noticed one of the community sites go down (BEH_Lorry). When checking the monitor it appears that the negotiation process is displaying the Southmead_Health object for the ike start and then the BEH_Lorry for all further steps as below:
The BEH_Lorry Tunnel completes and comes up as expected but we are really confused as to why the process is picking up the wrong object during the tunnel negotiation. Any advice on what to look at would be appreciated. We have 20+ tunnels configured and have never come across something like this before.
08-04-2022 03:09 AM
do all remote sites have a static IP/unique IP and are they configured as such (static remote IP)
if you're using 'dynamic' this could be the cause of this issue, you can remediate this by setting peer identification in the tunnel configuration so the dynamic peers identify themselves with a unique attribute (fqdn, email,....)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
