11-27-2018 04:43 AM
Hi,
I am trying to set up a Site to Site VPN between a Palo Alto FW and a 3rd Party Security FW Vendor.
I would like to understand under which condition the Palo Alto FW would attempt to start an ISAKMP negotiation (for Phase 1) with the IPSec peer counterpart.
I'm familiar with the Cisco ASA setup - where, for example, the tunnel is brought up only when interesting traffic is actually attempting to flow through the Unit -> how is the behavior in the case of the PA?
Does the unit attempt to start the IPSEC tunnel automatically as soon as the config is pushed / committed (also without any interesting traffic hitting the unit)?
If this is the case, assuming that the tunnel could not be successfully established on the 1st attempt, does the PA attempt periodically to perform the ISAKMP negotiation?
I haven't labbed this scenario yet (planning on doing) - nevertheless any heads up would be appreciated.
Thanks
11-27-2018 05:51 AM
It's been my experience that as long as the tunnel peers can communicate, the "tunnel Info" icon will come up, but if no "interesting traffic" is going down the tunnel then the icon for the "IKE Info" will show down.
Here's an example from one of my FWs