Problems with IPSec tunnel


L3 Networker

Hello,
I have a PA VM-100 which sits behind a dynamic public IP and builds an IPSec tunnel to a PA-220 with a static public IP, so the tunnel can only be established by the VM-100. On the PA-220 I have activated "Enable Passive Mode" under IKE Gateway -> Advanced Options, with DPD Interval 5 and Retry 5.
I also set up a tunnel monitor and gave the tunnel interfaces IPs. As the tunnel monitor profile I chose default (wait-recover, interval 3 sec, threshold 5).

Unfortunately the internet connection is not the best and there are constant disconnections (more than 10 a day). Sometimes the tunnel rebuilds itself, sometimes you have to take action yourself. Then you can see on the PA-220 under Session that the ipsec 4500 session still exists. You can also see that the IPSec tunnel is still green but IKE is already red.


What can I do to ensure that the tunnel rebuilds as quickly as possible in the event of a failure?


L7 Applicator

Set the tunnel monitor from wait-recover to fail-over so the tunnel gets torn down once the monitor fails.

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
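For reference, the change above expressed as PAN-OS configuration-mode CLI, placed beside the original wait-recover setting. This is an added example, not configuration posted by either participant; the profile, gateway and tunnel names and the 10.255.0.0/30 tunnel addresses are assumed placeholders, and the command paths are written from memory of the PAN-OS CLI, so check them against `set network ?` on your own release.

```text
# Assumed example, not from the thread. Names and addresses are placeholders.

# 1. Weak setting (the poster's current profile): monitor failure only logs and
#    waits for the peer to recover, so a dead SA can linger with IKE already down.
set network profiles monitor-profile tm-wait-recover interval 3 threshold 5 action wait-recover

# 2. Corrected setting: after 5 missed probes (5 x 3 s = 15 s) the firewall tears the
#    tunnel down, which clears the stale SA and lets a fresh IKE negotiation start.
set network profiles monitor-profile tm-fail-over interval 3 threshold 5 action fail-over

# 3. Bind the fail-over profile to the IPSec tunnel and probe the far tunnel IP.
set network tunnel ipsec vpn-to-pa220 tunnel-monitor enable yes
set network tunnel ipsec vpn-to-pa220 tunnel-monitor destination-ip 10.255.0.2
set network tunnel ipsec vpn-to-pa220 tunnel-monitor monitor-profile tm-fail-over

# 4. On the PA-220 side, the settings the poster already has, for completeness:
#    passive mode (only the VM-100 initiates) and IKEv1 DPD with interval 5 / retry 5.
set network ike gateway gw-from-vm100 protocol-common passive-mode yes
set network ike gateway gw-from-vm100 protocol ikev1 dpd enable yes interval 5 retry 5

commit
```

After committing, the monitor state is visible in the Network > IPSec Tunnels status column and in the system log, so a tear-down caused by the monitor (rather than by the ISP drop itself) can be told apart when checking how quickly the tunnel came back.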
Cyber Elite

Hello,

You might want to try a DDNS (dynamic domain name system) solution? This way the VM PAN will register itself automatically and then the PA-220 can just have a DNS name as its peer.


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-dynamic-dns-for-firew...

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/dynamic-dns-nfg


Just a thought.
