12-10-2020 04:44 PM
I have two different IPSec VPN tunnels between a PAN and two different Cisco devices, let's call them R1 and R2, as follows:
PAN IPSec IKEv1 <<---->> Cisco R2 IKEv1
PAN IPSec IKEv2 <<---->> Cisco R1 IKEv2
I enable Dead Peer Detection (DPD) in the IKE gateway between the PAN IKEv1 and Cisco R2 router. On the Dead Peer interval and retry, I set it to 5 and 5, respectively. On the Cisco router R2, I set "set crypto isakmp keepalive 10". On the IKE gateway between the PAN and Cisco R1 IKEv2, I set the "liveness check" to 5. I also set "crypto isakmp keepalive 10" on the R2 Cisco router.
Well, on the IKEv2 VPN tunnels, I see traffic every 5 seconds between the PAN and Cisco R2 even when there is no traffic going across the tunnel, which is expected. However, I am not seeing traffic between the PAN and Cisco R1 even with DPD enabled.
Is that expected? If not, is this another bug in PAN? I am running 8.1.15 hotfix 3.
12-10-2020 07:21 PM
DPD on the PAN side isn't persistent and is only triggered by a phase 2 rekey; as long as phase 2 is up, the PAN won't check to see if IKE-SA is active. If you want/need to have traffic traverse from the PAN side constantly you would want to set up tunnel monitoring.
12-11-2020 04:43 AM
@BPry: "If you want/need to have traffic traverse from the PAN side constantly you would want to set up tunnel monitoring."
PAN VPN Peer is 1.1.1.1 and Cisco VPN Peer is 2.2.2.2
PAN Encryption Domain is 192.168.1.1 and Cisco VPN Encryption Domain is 192.168.2.