06-12-2017 07:28 AM
I've set up my first LSVPN deployment and everything has gone without a hitch. The only issue I ran into: we were doing an upgrade of PAN-OS on the gateway and satellites. Satellites all went fine, but my gateway bombed out (first time it's happened to me). We were in an HA pair, but I had duplicate IPs on the network once the passive box rebooted, and I could never communicate or pass traffic with the passive box. Once I got the bad actor off the network and replaced with an on-site spare and the environment back up and stable, the satellites didn't reconnect. It took upwards of 45 minutes to get them back online. It appears once the tunnel goes down on the satellite there's no way to recover until the next portal or gateway check-in. I was in the process of manually reconnecting the firewalls, but they came up while I was en route.
So, I've read the tunnel monitor difference between IPSEC and LSVPN and looked over the LSVPN deployment guide, but I guess I'm missing how the satellites will recover if connectivity to the gateway is lost. Currently, I don't have a tunnel monitor set up on the Gateway. Should I change this monitor to the physical IP of the gateway instead of letting the monitor default to the tunnel interface of the gateway? Would this improve recovery time?
Thanks for any help!
06-12-2017 02:54 PM
So there are 2 "is it dead" methods:
- DPD, on phase 1
- Tunnel Monitor, on phase 2

Tunnel monitor does give you more troubleshooting allowances (an IP address is assigned and 'pingable'), thus an actual packet traverses the tunnel.

Are you using static or dynamic routing?

Is the passive setting enabled... checked?