IPSec tunnel, delayed status update

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSec tunnel, delayed status update

L1 Bithead

I had one of our remote sites go offline two days ago due to an ISP outage. However, the site to site link showed as up for several hours before it finally dropped and showed as offline. IS there a setting to have this respond faster so it shows offline within minutes? Or is this working as designed?

1 accepted solution

Accepted Solutions

Hello,

Could you please try with tunnel monitoring to bring the tunnel down, while there will be an outage from ISP.

tunnel-monitoring.JPG.jpg

Also refer below mentioned knowledge base article for more information:

How to Verify if the IPSec Tunnel Monitoring is Working?

Dead Peer Detection and Tunnel Monitoring

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

Thanks

View solution in original post

7 REPLIES 7

L5 Sessionator

Hello,

Were the colours of the VPN, green and red, even with multiple page refreshes? The screenshot below shows the status of the IKE and the IPSEC. The first one on the left, shows the status of IPSEC-ESP and the one on the right, shows the status of the IKE.

IKe-statis.JPG.jpg

Again that depends on how long the outage was. All though the Lifetime of IPSEC-ESP and IKE can be ( like by default ) 1 hour and 8 hours respectively, the session timeout values for IPSEC-ESP and IKE are 3600 secs and 30 secs respectively. Lifetime determines the amount of time that the parties have to wait before they rekey again. Once a VPN is up, the firewall maintains sessions for IKE and IPSEC-ESP. If the firewall doesn't receive packets within the session timeout values, it discards the session. That being the case, had there been an outage, the session for IPSEC-ESP would still remain active for a longer duration than the IKE session ( When there is an ISP outage, no ESP or IKE packets would reach either firewall).

Whenever a tunnel goes down, the firewall logs these events with a high severity, and we have the ability to send these events to a syslog server. You can get faster alerts of VPNs going down, by using SNMP servers, or through syslog servers, instead of relying on the WEB GUI.

Hope that helps!

BR,

Karthik RP

All 3 status lights were green even after multiple refreshes. This was 3 hours after the outage occurred.

"Whenever a tunnel goes down, the firewall logs these events with a high severity, and we have the ability to send these events to a syslog server. You can get faster alerts of VPNs going down, by using SNMP servers, or through syslog servers, instead of relying on the WEB GUI."

I do not accept that as a proper method of knowing what is going on. If they have status indicators on the web gui, then they should do what is expected of them and properly indicate the status. If it requires some config changes to make it work better, that is fine, but the PA appliance should be able to provide us with adequate monitoring information.

Carpediem,

Do you mean that the outage was for 3 hours, and yet the status lights were green during these 3 hours? We dont have any other extra configuration for the WEB GUI to reflect the correct status. In all my prior experience, I have seen the appropriate status show up whenever the tunnel went down ( even with both automatic and manual page refreshes, and on the cli ). The next time you encounter this issue, please raise a ticket with the TAC.

That is correct.

Will do. Just wanted to see if anyone else had run into a similar issue.    

Hello,

Could you please try with tunnel monitoring to bring the tunnel down, while there will be an outage from ISP.

tunnel-monitoring.JPG.jpg

Also refer below mentioned knowledge base article for more information:

How to Verify if the IPSec Tunnel Monitoring is Working?

Dead Peer Detection and Tunnel Monitoring

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

Thanks

Did the system logs show that the VPN was down? If so, I think its then a GUI issue. What is the PANOS version that the box is running on?

Tunnel monitoring sounds like it may do the trick. I am guessing that uses ping to verify the connection is up and then shows status as down once it fails to receive a response for the allotted time?

If so, that is something I will test during one of our upcoming maintenance windows.

  • 1 accepted solution
  • 6129 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!