10-12-2020 06:10 AM
Hello,
I have a PA VM100 which hangs behind a dynamic public IP and it creates an IPSec tunnel to a PA220 with static public IP. So the tunnel can only be established by the VM100. On the PA220 I have activated "Enable Passive Mode" at IKE Gateway -> advanced Options. DPD Interval 5 and Retry 5.
I also set up a tunnel monitor and gave the tunnel interfaces IPs. As tunnel monitor profile I chose default (wait recover - interval 3 sec - threshold 5).
Unfortunately the internet connection is not the best and there are always disconnections (more than 10 a day). Sometimes the tunnel will rebuild itself, sometimes you have to take action yourself. Then you can see that on the PA220 under session there is still the session ipsec 4500. You can also see that the tunnel ipsec is still green but ike already red.
What can I do to ensure that the tunnel rebuilds as quickly as possible in the event of a failure?
10-13-2020 07:40 AM
Set the tunnel monitor from wait-recover to fail over so the tunnel gets torn down once the monitor fails.
10-13-2020 09:45 AM
Hello,
You might want to try a DDNS, dynamic domain name system, solution? This way the VM PAN will register itself automatically and then the PA-220 can just have a DNS name as its peer.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/dynamic-dns-nfg
Just a thought.