LSVPN Tunnel Recovery


L3 Networker

I've set up my first LSVPN deployment and everything has gone without a hitch. The only issue I ran into: we were doing an upgrade of PAN-OS on the gateway and satellites. Satellites all went fine, but my gateway bombed out (first time it's happened to me). We were in an HA pair, but I had duplicate IPs on the network once the passive box rebooted, and I could never communicate or pass traffic with the passive box. Once I got the bad actor off the network and replaced with an on-site spare and the environment back up and stable, the satellites didn't reconnect. It took upwards of 45 minutes to get them back online. It appears once the tunnel goes down on the satellite there's no way to recover until the next portal or gateway check-in. I was in the process of manually reconnecting the firewalls, but they came up while I was en route.

So, I've read the tunnel monitor difference between IPSEC and LSVPN and looked over the LSVPN deployment guide, but I guess I'm missing how the satellites will recover if connectivity to the gateway is lost.  Currently, I don't have a tunnel monitor set up on the Gateway.  Should I change this monitor to the physical IP of the gateway instead of letting the monitor default to the tunnel interface of the gateway?  Would this improve recovery time?

Thanks for any help! 

1 REPLY 1

L4 Transporter

So there are 2 "is it dead" methods: DPD, on Phase 1, and Tunnel Monitor, on Phase 2.

Tunnel monitor does give you more troubleshooting allowances (an IP address is assigned and 'pingable'), thus an actual packet traverses the tunnel.

Are you using static or dynamic routing?

Is the passive setting enabled... checked?
