IPSEC VPN tunnel

Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSEC VPN tunnel

L0 Member

We have a site to site VPN tunnel that fails when the vendor side tries to Re-Key. We are seeing no U-Turn policy blocking them. We can ReKey from outside without issue. 


1. Has anyone seen this issue previously and been able to fix it?

2. Does anyone have a script that can be run that will logon our firewall and allow me to run 2 commands to reset the tunnel instead of running the commands manually?


Any help would be appreciated. 


Community Team Member

Hi @Ozman4169 ,


You could automate this using API script:



That said, I would recommend doing some further debugging to find the root cause. 

You might find more information in the ikemgr logs in debug mode.  For this please refer the below documents : > https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC : HOW TO TROUBLESHOOT IPSEC VPN CONNECTIVITY ISSUES > https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS : HOW TO ENABLE DEBUG ON A SINGLE VPN PEER?


Kind regards,


LIVEcommunity team member, CISSP
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Cyber Elite
Cyber Elite

you can ask the remote peer to set their tunnel to passive mode, which should prevent them from rekeying

Usually when something like this pops up, in my experience it's been because the remote side is not set to one single set of crypto options, but has a bunch that complicate the negotiation


either have the remote side use a more specific crypto profile, or set up debugging for the peer gateway and tunnel and see which proposals they send, and adjust your crypto settings to use a more compatible set

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!