11-13-2023 05:29 AM
We have a site to site VPN tunnel that fails when the vendor side tries to Re-Key. We are seeing no U-Turn policy blocking them. We can ReKey from outside without issue.
1. Has anyone seen this issue previously and been able to fix it?
2. Does anyone have a script that can be run that will log on to our firewall and allow me to run 2 commands to reset the tunnel instead of running the commands manually?
Any help would be appreciated.
11-20-2023 01:09 AM
Hi @Ozman4169 ,
You could automate this using an API script:
That said, I would recommend doing some further debugging to find the root cause.
You might find more information in the ikemgr logs in debug mode. For this, please refer to the documents below:
> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC : HOW TO TROUBLESHOOT IPSEC VPN CONNECTIVITY ISSUES
> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS : HOW TO ENABLE DEBUG ON A SINGLE VPN PEER?
Kind regards,
-Kim.
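A sketch of the kind of API script suggested in this reply, added here as an example and not taken from the thread or from Palo Alto Networks. It assumes the two reset commands are `clear vpn ike-sa gateway` and `clear vpn ipsec-sa tunnel` (the thread does not name them), that the firewall accepts the `X-PAN-KEY` header (PAN-OS 9.0 or later), and uses hypothetical gateway, tunnel and environment-variable names.

```python
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Hypothetical names; replace with your own IKE gateway and IPSec tunnel.
GATEWAY = "vendor-gw"
TUNNEL = "vendor-tunnel"


def build_clear_cmds(gateway, tunnel):
    """XML form of 'clear vpn ike-sa gateway X' and 'clear vpn ipsec-sa tunnel Y'
    (assumed to be the two reset commands; the thread does not name them)."""
    cmds = []
    for sa, kind, name in (("ike-sa", "gateway", gateway), ("ipsec-sa", "tunnel", tunnel)):
        root = ET.Element("clear")
        leaf = ET.SubElement(ET.SubElement(ET.SubElement(root, "vpn"), sa), kind)
        leaf.text = name  # ElementTree escapes the value, so a name cannot inject XML
        cmds.append(ET.tostring(root, encoding="unicode"))
    return cmds


def build_request(host, api_key, cmd_xml):
    """POST to the XML API op endpoint; the key goes in a header, not the URL,
    so it stays out of proxy and web-server logs."""
    body = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml}).encode()
    return urllib.request.Request(
        f"https://{host}/api/", data=body, headers={"X-PAN-KEY": api_key}, method="POST")


def check_response(xml_text):
    """Return True on status="success"; raise with the firewall's message otherwise."""
    resp = ET.fromstring(xml_text)
    if resp.get("status") != "success":
        raise RuntimeError("firewall rejected command: " + "".join(resp.itertext()).strip())
    return True


def reset_tunnel(host, api_key, gateway, tunnel, send=None):
    """Run both clears in order; 'send' is injectable so the logic can be tested offline."""
    send = send or (lambda req: urllib.request.urlopen(req, timeout=15).read().decode())
    return [check_response(send(build_request(host, api_key, c)))
            for c in build_clear_cmds(gateway, tunnel)]


if __name__ == "__main__":
    # Key and host come from the environment (assumed variable names), never from the script.
    print(reset_tunnel(os.environ["PAN_HOST"], os.environ["PAN_API_KEY"], GATEWAY, TUNNEL))
```

Generate the key for a dedicated admin role limited to XML API operational requests, and confirm the XML form of each command on the firewall with `debug cli on` before relying on the script.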
11-20-2023 01:40 AM
You can ask the remote peer to set their tunnel to passive mode, which should prevent them from rekeying.
Usually when something like this pops up, in my experience it's been because the remote side is not set to one single set of crypto options, but has a bunch that complicate the negotiation.
Either have the remote side use a more specific crypto profile, or set up debugging for the peer gateway and tunnel and see which proposals they send, and adjust your crypto settings to use a more compatible set.