site-to-site VPN redundancy with one ISP at the branch office and two ISPs at the home office?

L2 Linker

Hi there!

 

We have had a site-to-site VPN setup between our home office and branch office for about six months. We have a pair of PA-500 at the branch, and a pair of PA-3020 at the home office. The home office has two ISPs set up in a dual-VR failover configuration, and the branch has just a single ISP. I tried to set up a second IPSec site-to-site VPN from the backup ISP at the home office so if the primary ISP at the home office fails we could keep the link up, but Phase I doesn't even try to come up on either side (no system error messages or anything). I pretty much followed these instructions, modifying for only having one ISP at the branch office. 

 

My only current working theory of what is causing the second site-to-site not to come up is that I'm trying to terminate two tunnels on the same IP at the branch office, but that doesn't hold much water. Any quick hints, or should I go to TAC with this one?

 

Thanks!

Accepted Solution

L6 Presenter

Hi,

 

Did you try the commands:

 

> test vpn ike-sa gateway <name>
> test vpn ipsec-sa tunnel <tunnel.name>

 

to see if that will trigger the VPN to come up. 


I hadn't, I just did, and up they popped! 

 

I'm curious why those commands were needed to force it up?

Are you sure it was actively trying to come up? If this is a redundancy thing and none of your traffic was actively trying to go that route, then the PA wouldn't bring the tunnel up because no traffic was destined for that route. The tunnel needs traffic to activate; if you want it to come up without traffic, the 'test' command is the best way to force it. 

+1 to @BPry. The test vpn command is actually forcing/simulating traffic through the tunnel. Not sure about P1, but I guess it is the same as for P2 (interesting traffic). What I meant is that P1 would not come up by itself; it needs some traffic to trigger it.

Thanks. That makes sense to me that it wouldn't try to come up if there wasn't traffic to cause it to come up (which there wasn't). 
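An added example, not from this thread and not Palo Alto Networks code: a small Python model of the on-demand behaviour the replies describe, where a tunnel only negotiates when routing sends traffic into it or a `test vpn ike-sa` is issued. It goes a step beyond the thread to show the check a practitioner would want before relying on this for ISP failover: a backup tunnel forced up with the test command drops again once its SA lifetime passes with no traffic, so a periodic probe (modelled here by a `monitored` flag standing in for a tunnel monitor or keepalive) is what actually keeps it negotiated. Everything is an assumption of the model: SA lifetime is counted in abstract ticks, an idle SA is dropped at expiry rather than rekeyed, and `tunnel.1`, `tunnel.2`, `gw-isp1` and `gw-isp2` are placeholder names.

```python
"""Model of on-demand IPsec tunnel negotiation and ISP failover (constructed example).

Assumptions (not from the thread): SA lifetime is counted in abstract ticks, an idle
SA is simply dropped at expiry rather than rekeyed, and tunnel/gateway names are
placeholders. The `monitored` flag stands in for a tunnel monitor / keepalive probe.
"""
from dataclasses import dataclass


@dataclass
class Tunnel:
    """One site-to-site tunnel: IKE gateway, the ISP it rides on, and its route metric."""
    name: str
    gateway: str
    metric: int              # lower metric = preferred route to the remote subnet
    isp_up: bool = True      # state of the ISP link the gateway terminates on
    monitored: bool = False  # periodic probe traffic through the tunnel (assumed feature)
    sa_up: bool = False
    sa_expires: int = -1
    negotiations: int = 0


class OnDemandVpn:
    """Tunnels come up only when traffic is routed into them or a test command forces them."""

    def __init__(self, tunnels, sa_lifetime=5):
        self.tunnels = {t.name: t for t in tunnels}
        self.sa_lifetime = sa_lifetime
        self.now = 0

    def _negotiate(self, t):
        """Phase 1 + Phase 2 complete and the SA timer is (re)armed; fails if the ISP link is down."""
        if not t.isp_up:
            t.sa_up = False
            return False
        if not t.sa_up:
            t.negotiations += 1
        t.sa_up = True
        t.sa_expires = self.now + self.sa_lifetime
        return True

    def best_route(self):
        """Routing: the lowest-metric tunnel whose ISP is up, or None if none is."""
        live = [t for t in self.tunnels.values() if t.isp_up]
        return min(live, key=lambda t: t.metric) if live else None

    def send_traffic(self):
        """Interesting traffic: routing picks a tunnel, and that tunnel negotiates if it is down."""
        t = self.best_route()
        if t is None:
            return None
        return t.name if self._negotiate(t) else None

    def test_vpn_ike_sa(self, gateway):
        """Stand-in for `test vpn ike-sa gateway <name>`: force negotiation, bypassing routing."""
        for t in self.tunnels.values():
            if t.gateway == gateway:
                return self._negotiate(t)
        raise KeyError(gateway)

    def tick(self):
        """Advance time one tick: monitored tunnels get probe traffic, idle SAs expire."""
        self.now += 1
        for t in self.tunnels.values():
            if t.monitored:
                self._negotiate(t)
            elif t.sa_up and self.now >= t.sa_expires:
                t.sa_up = False


def run_scenario():
    """Home office with two ISPs, branch with one; returns the observations the thread discusses."""
    vpn = OnDemandVpn([
        Tunnel("tunnel.1", "gw-isp1", metric=10),   # primary ISP at the home office
        Tunnel("tunnel.2", "gw-isp2", metric=20),   # backup ISP, less-preferred route
    ])
    primary, backup = vpn.tunnels["tunnel.1"], vpn.tunnels["tunnel.2"]
    obs = {}

    for _ in range(3):                      # normal operation: all traffic prefers tunnel.1
        vpn.send_traffic()
        vpn.tick()
    obs["backup_negotiations_with_primary_up"] = backup.negotiations  # never even tried

    vpn.test_vpn_ike_sa("gw-isp2")          # what the accepted answer suggests
    obs["backup_up_after_test"] = backup.sa_up

    for _ in range(vpn.sa_lifetime):        # nothing routes into it, so it sits idle...
        vpn.send_traffic()
        vpn.tick()
    obs["backup_up_after_idle_lifetime"] = backup.sa_up               # ...and drops again

    primary.isp_up = False                  # primary ISP at the home office fails
    obs["tunnel_used_after_failover"] = vpn.send_traffic()            # traffic now triggers tunnel.2

    primary.isp_up = True
    backup.monitored = True                 # probe traffic keeps the backup negotiated
    for _ in range(2 * vpn.sa_lifetime):
        vpn.send_traffic()
        vpn.tick()
    obs["backup_up_with_monitoring"] = backup.sa_up
    return obs


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the middle observation: the test command proves the second gateway and proposals are correct, but on its own it does not keep a redundant tunnel up, and a backup you only ever see "up" right after running `test vpn ike-sa` has not really been verified for the moment the primary ISP fails.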

  • 1 accepted solution
  • 2644 Views
  • 5 replies
  • 0 Likes