We have created a tunnel with SAP and, as per their suggestion, we have disabled tunnel monitoring and keepalive settings from our end. It is an IKEv2 tunnel.
We noticed that after some time, due to traffic not flowing, Phase 2 suddenly goes down, and as soon as it goes down we see the issue in connectivity.
As soon as we manually trigger the tunnel and the tunnel comes up, connectivity works again. Any suggestion here?
How come you can see issues with connectivity if there is no traffic on the tunnel?
"traffic not flowing suddenly Phase-2 is going down, as soon as it goes down we were seeing the issue in connectivity"
If you see issues with connectivity it means you do have traffic on the tunnel.
This points to either different Phase 1/2 timeout values or their side pulling down the tunnel due to DPD/liveness check.
Hi @Raido_Rattameister ,
Yes, we can see via the GUI that the IPsec tunnel info is showing red but the IKE info is always showing green. In this situation, if any traffic is initiated by the backend server, communication is allowed with no return traffic.
There is no keepalive, and tunnel monitor is enabled at both ends. The interesting traffic is the telnet traffic which is randomly initiated by users.
If the peer site does not reply to pings then it would be best to shut down tunnel monitor.
Otherwise Palo thinks that the tunnel is down as there are no tunnel monitor replies.
If there is interesting traffic then Phase 2 is negotiated and the tunnel stays up (or comes up if down).
If you really need the tunnel to stay up even if there is no interesting traffic, and the remote side is configured not to reply to pings, then configure an extra fake static route, let's say a /32 to one of the IPs at the remote side, with ping interval 60 (it is the biggest you can set).
Actually there is no tunnel monitor or keepalive configured at both ends. We have kept a continuous ping as well from the backend server to the other end's IP address to keep the tunnel active. But exactly after 1 hour (the lifespan set for IPsec Phase 2) the tunnel went down and we started getting timeouts for the tunnel.
After I used the below two commands, the tunnel came up again and ping started working fine.
test vpn ike-sa gateway <gateway_name>
show vpn ike-sa gateway <gateway_name>
test vpn ipsec-sa tunnel <tunnel_name>
show vpn ipsec-sa tunnel <tunnel_name>
Hi @Raido_Rattameister, the peer end engineering team confirmed that the Phase 2 lifespan is set for 1 hour only.
Also they have observed one more thing: whenever the tunnel goes down, we are using the test commands (both for gateway and IPsec tunnel) to manually bring up the tunnel. We are seeing our Phase 1 IKE SA being refreshed with a newer SPI, but at the peer end, which is a Cisco 1000 router, multiple SAs are being generated (the older SA is not terminating until they clear it manually).
Hi @Raido_Rattameister ,
Also we noticed that even though we are pushing the DH group value as 16 from Panorama, the Palo Alto firewall is taking the configuration at its end as DH14. As per the communication with the Cisco router end, we asked them to keep the tunnel parameters as 16. Do you feel it will cause any issue?
You can enable debug on this VPN tunnel, and ikemgr.log shows what timeouts the other peer negotiates with.
Set Palo side to be passive so other side initiates connection.