I have a VPN tunnel between a Palo Alto and a Juniper SSG. Even when there is no traffic from the end devices coming through, the VPN tunnel somehow stays up. I would expect the IKE and IPSEC SA's to time out and stay down until traffic is passed. However, the IPsec tunnel stays up. It seems that the Palo Alto is initiating the connection even though I know no traffic is coming through it for the VPN to become active. I see in the logs that the Palo is the initiator and it brings up the tunnel consistently after about an hour which is when the IPsec SA expires (lifetime is 1 hour).
Any ideas why this happens? On other tunnels I have this does not happen the tunnel stays down when inactive. I have noticed that those other tunnels are terminating to Cisco ASAs and not a SSG as is the case with the one I was referring to above.
I am really curious why this happens. I even disabled dead peer detection to test and it made no difference. I do not see a setting in the Palo that would enable/disable this.
Tunnel monitor on the PA is what would cause this, I would think. Do you have 'tunnel monitor' turned on by chance?
The whole premise of this question is kind of... odd. I've never really worried about my IPsec tunnels not going *down* consistently... in fact to be honest I'd rather the SAs be established and the tunnel be built so that clients on either side don't wait for the tunnel to come up when they try to throw traffic across the tunnel...
Unless you're paying for bandwidth across the link or this is a backup link that should stay down normally so its routes don't propogate, why worry that the tunnel stays up?
No, I did not have tunnel monitor enabled on this. I know it was an odd question, but I was just curious as to what the cause was since no traffic was flowing. I think it had to do with the other end using keepalives or DPD on the Palo Alto.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!