This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Is there any reason that tunnel interface will go down

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Is there any reason that tunnel interface will go down

fozail
L3 Networker

‎12-04-2016 01:54 AM

Hi There,

 

I configured two IPSEC VPN on PA, as PA has two ISP connectivity. Configured a PBF to forward the traffic through primary tunnel interface and enabled monitoring to monitor trust interface of remote PA. A route was configured to forward the traffic the traffic through secondary tunnel interface.

 

I found that traffic was always forwarded through secondary tunnel interface. Reviewed and could see that PBF is in DISABLED state as I had enabled if monitor is not successfull disable this PBF.

 

Reviewed and could see that PBF moniotr got failed because tunnel interface was down.

 

As I am not doing any tunnel monitoring, tunnel monitor should not go down at all if appliance is up and running.

 

Can you please let me know how to find out why tunnel interface went down?

 

Best Regards,

 

Fozail

0 Likes Likes
7 REPLIES 7

santonic
L6 Presenter

‎12-05-2016 01:01 AM

Maybe there was no traffic to keep that tunnel alive. 

0 Likes Likes

TranceforLife
L6 Presenter

‎12-05-2016 02:13 AM

Hi,

 

Could you check ikemgr.logs:

 

> tail lines 100 mp-log ikemgr.log

 

 

0 Likes Likes

fozail
L3 Networker
In response to TranceforLife

‎12-05-2016 07:24 AM

Hi,

 

I reviewed ikemgr.log but could not find anything realted to this, I enabled debug for ikemgr.log as well but no luck.

0 Likes Likes

fozail
L3 Networker
In response to santonic

‎12-05-2016 07:25 AM

Hi,

 

I mean to say that tunnel interface went down not IPSEC VPN.

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to fozail

‎12-05-2016 08:10 AM

Do you have a static or dymaic IP on both ends of the tunnel? If you go into the Montior and then the System tab using the ( subtype eq vpn ) query string will show you all VPN events, it may show you that the IKE or IPSEC didn't negotiate correctly or possibly were deleted before negotiating a new set of keys. 

0 Likes Likes

fozail
L3 Networker
In response to BPry

‎12-05-2016 08:24 AM

Hi,

 

I checked the system log with subtype as vpn, but could not find anything related to tunnel interface.

 

Attempted to review the output of the command "show log system | match tunnel.5" but no luck.

 

IPSEC VPN gets negotiated successfully, both phase-I and phase-II reflects green, only tunnel interface is down and hence the routes associated with that tunnel interface gets removed from routing table.

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to fozail

‎12-05-2016 10:19 AM

If you run show vpn ipsec-sa tunnel *name*, do you show anything under the ipsec? It sounds like you likely have a part of the configuaration malformed. 

 

 

If tunnels are up but traffic is not passing through the tunnel:

  • Check security policy and routing.
  • Check for any devices upstream that perform port-and-address-translations. Because ESP is a layer 3 protocol, ESP packets do not have port numbers. When such devices receive ESP packets, there is a high possibility they may silently drop them, because they do not see the port numbers to translate.
  • Apply debug packet filters, captures or logs, if necessary, to isolate the issue where the traffic is getting dropped.
0 Likes Likes
  • 4440 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks