VPN Tunnel down - Troubleshoot

Wenar
L3 Networker

OK, the first message at 13:47 is that the Cisco requests to delete the SA, and a new SA is established right after that. Do you have DPD activated on the PA?

I would check again if the proxy IDs are matching and if the cisco has some dead SAs installed.

Hithead
L4 Transporter

Here is the DPD config:

PA...

[screenshot of the PA DPD settings: 5-28-2014 1-02-46 PM.png]

Cisco...

crypto isakmp keepalive 10 5

Proxy IDs are not set on the PA. On the Cisco, no extra proxy ID config is installed either. Do we have to configure proxy IDs? Any suggestions on how?
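On the proxy-ID question: in IKEv1 quick mode the two sides have to propose mirror-image traffic selectors, and a PA tunnel with no proxy ID proposes 0.0.0.0/0 for both local and remote, which will not match a Cisco crypto map whose ACL names specific subnets. The following is an added example for this thread (not vendor code) that parses a Cisco crypto ACL, builds the PA proxy-ID list, and reports which entries have an exact mirror on the other side. It assumes a policy-based Cisco configuration (crypto map plus `permit ip` ACL), that unset PA proxy IDs mean 0.0.0.0/0, and that one PA proxy ID is needed per ACE; the ACL and subnets in the `__main__` section are constructed sample data.

```python
"""Check whether IKEv1 phase-2 proxy IDs (traffic selectors) on a Palo Alto
firewall mirror the crypto ACL on a Cisco peer. Added example for this thread;
not code from either vendor. Assumes the Cisco side is policy-based (crypto map
plus ACL) and that an unconfigured PA proxy ID means 0.0.0.0/0 <-> 0.0.0.0/0."""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]  # (local network, remote network) as seen by that peer

ANY = ipaddress.ip_network("0.0.0.0/0")


def _cisco_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one ACL address spec at tokens[i]: 'any', 'host A.B.C.D', or
    'A.B.C.D wildcard'. Returns the network and the index of the next token."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are inverted netmasks; flip the bits to get the mask.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False), i + 2


def cisco_crypto_acl(lines: List[str]) -> List[Selector]:
    """Each 'permit ip <src> <dst>' ACE is one selector the Cisco will propose."""
    selectors = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["permit", "ip"]:
            continue  # deny entries and other protocols do not define IPsec selectors here
        src, i = _cisco_addr(tokens, 2)
        dst, _ = _cisco_addr(tokens, i)
        selectors.append((src, dst))
    return selectors


def pa_proxy_ids(entries: List[Tuple[Optional[str], Optional[str]]]) -> List[Selector]:
    """PA proxy IDs as (local, remote) CIDR strings; None means 'unset', which the
    firewall treats as 0.0.0.0/0. No entries at all is the same as one any/any entry."""
    if not entries:
        return [(ANY, ANY)]
    return [
        (ipaddress.ip_network(local or "0.0.0.0/0"),
         ipaddress.ip_network(remote or "0.0.0.0/0"))
        for local, remote in entries
    ]


def compare(pa: List[Selector], cisco: List[Selector]) -> dict:
    """IKEv1 quick mode needs an exact match: the PA's (local, remote) must equal
    the Cisco's (dst, src). Anything left over on either side fails phase 2."""
    mirrored = {(dst, src) for src, dst in cisco}  # Cisco ACEs seen from the PA side
    pa_set = set(pa)
    return {
        "matched": sorted(pa_set & mirrored, key=str),
        "pa_only": sorted(pa_set - mirrored, key=str),
        "cisco_only": sorted(mirrored - pa_set, key=str),
    }


def agrees(pa: List[Selector], cisco: List[Selector]) -> bool:
    """True only when every selector on each side has its mirror on the other."""
    r = compare(pa, cisco)
    return not r["pa_only"] and not r["cisco_only"]


if __name__ == "__main__":
    # Constructed sample: a Cisco crypto ACL and a PA with no proxy IDs configured.
    acl = ["permit ip 10.1.0.0 0.0.255.255 192.168.5.0 0.0.0.255"]
    print(compare(pa_proxy_ids([]), cisco_crypto_acl(acl)))  # any/any vs. specific subnets
    fixed = pa_proxy_ids([("192.168.5.0/24", "10.1.0.0/16")])
    print(compare(fixed, cisco_crypto_acl(acl)))              # mirrors the ACE exactly
```

The fix on the PA is to add one proxy ID per ACE with local = the Cisco ACE's destination and remote = its source; a prefix length off by one (e.g. /25 instead of /24) still fails. For IKEv2 the responder may narrow selectors, so the exact-match rule here applies to IKEv1.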

rbista
L3 Networker

Why is this link restricted?

reaper
L7 Applicator

Hi

The link mentioned earlier in this discussion was removed, as the article was outdated and no longer accurate.

Please take a look here: https://live.paloaltonetworks.com/t5/Management-Articles/IPSec-and-tunneling-resource-list/ta-p/6772...

Hope this helps

regards

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
scott-johanson
L1 Bithead

DPD is not supported on Cisco. This is a Palo Alto feature. You will see that in the IKE logs.

Overview

Dead Peer Detection (DPD) refers to functionality documented in RFC 3706, which is a method of detecting dead Internet Key Exchange (IKE/Phase 1) peers. Tunnel Monitoring is a Palo Alto Networks proprietary feature that verifies traffic is successfully passing across the IPsec tunnel in question by sending a PING down the tunnel to the configured destination. Tunnel monitoring can be used in conjunction with "Monitor Profiles" to bring down the tunnel interface, allowing routing to update so that traffic can route across secondary routes. Tunnel monitoring does not require DPD. Dead Peer Detection must be either active or disabled on both sides of the tunnel; having one side with DPD enabled and one side with it disabled can cause VPN reliability issues.


https://live.paloaltonetworks.com/t5/Configuration-Articles/Dead-Peer-Detection-and-Tunnel-Monitorin...
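To make the "both sides or neither" point concrete, here is an added example for this thread (not vendor code) that walks an RFC 3706 DPD exchange between two IKE peers second by second: R-U-THERE, R-U-THERE-ACK, retries, and the point at which each side declares the other dead and deletes its SAs. The Cisco line `crypto isakmp keepalive 10 5` maps to a 10 s idle interval and a 5 s retry delay; the retry counts and the PA values used below are assumed, not the vendors' defaults, and the model uses zero latency and a link that silently black-holes everything from a chosen second onward. It also models the IKEv1 rule that DPD is only used when both peers advertised it in phase 1, which is why a one-sided DPD setup detects nothing.

```python
"""Timeline of an RFC 3706 Dead Peer Detection exchange between two IKE peers.
Added example for this thread, not vendor code. Deliberately simple: one-second
ticks, zero latency, and a link that black-holes everything from `outage_at`."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DpdPeer:
    name: str
    enabled: bool        # does this peer advertise the DPD vendor ID in phase 1?
    idle_interval: int   # seconds without inbound IKE traffic before sending R-U-THERE
    retry_delay: int     # seconds to wait for an R-U-THERE-ACK before resending
    max_retries: int     # unanswered resends before the peer is declared dead


Event = Tuple[int, str, str]  # (time, peer name, what happened)


def simulate(a: DpdPeer, b: DpdPeer, outage_at: int, horizon: int
             ) -> Tuple[List[Event], Dict[str, Optional[int]]]:
    """Run both peers' DPD timers; return the event log and the second at which
    each side declared the other dead (None if it never did before `horizon`)."""
    # RFC 3706 DPD is only used if both peers advertised support during phase 1.
    negotiated = a.enabled and b.enabled
    last_rx = {a.name: 0, b.name: 0}        # last time any IKE message arrived
    pending = {a.name: None, b.name: None}  # time of the unanswered R-U-THERE, if any
    retries = {a.name: 0, b.name: 0}
    dead_at: Dict[str, Optional[int]] = {a.name: None, b.name: None}
    events: List[Event] = []

    for t in range(1, horizon + 1):
        for me, peer in ((a, b), (b, a)):
            if not negotiated or dead_at[me.name] is not None:
                continue
            if pending[me.name] is None:
                # Quiet link: probe only once the idle timer expires. Receiving the
                # other side's probe also resets this timer (it proves liveness).
                if t - last_rx[me.name] < me.idle_interval:
                    continue
                events.append((t, me.name, "sends R-U-THERE"))
            else:
                if t - pending[me.name] < me.retry_delay:
                    continue
                if retries[me.name] >= me.max_retries:
                    dead_at[me.name] = t
                    events.append((t, me.name,
                                   "declares peer dead, deletes IKE and IPsec SAs"))
                    continue
                retries[me.name] += 1
                events.append((t, me.name, f"resends R-U-THERE (retry {retries[me.name]})"))
            if t < outage_at:
                # Link up: the probe arrives and the ACK comes straight back, which
                # counts as proof of liveness for both sides.
                events.append((t, peer.name, "replies R-U-THERE-ACK"))
                last_rx[me.name] = last_rx[peer.name] = t
                pending[me.name] = None
                retries[me.name] = 0
            else:
                pending[me.name] = t  # no answer: start (or continue) the retry clock
    return events, dead_at


if __name__ == "__main__":
    # Assumed timer values; only the Cisco 10/5 pair comes from the thread.
    pa = DpdPeer("PA", enabled=True, idle_interval=5, retry_delay=5, max_retries=3)
    cisco = DpdPeer("Cisco", enabled=True, idle_interval=10, retry_delay=5, max_retries=5)
    events, dead = simulate(pa, cisco, outage_at=23, horizon=100)
    for t, who, what in events:
        print(f"t={t:3d}s {who:<6} {what}")
    print("declared dead at:", dead)   # the PA gives up first, the Cisco 15 s later
    _, dead_one_sided = simulate(pa, DpdPeer("Cisco", False, 10, 5, 5), 23, 200)
    print("with DPD off on one side:", dead_one_sided)  # nobody notices the outage
```

Two things worth reading off the timeline: the side with the shorter timers is the one that sends the delete and renegotiates, so the peer with longer timers logs an unexpected delete followed by a fresh SA, much like the 13:47 entry described earlier in the thread; and with DPD off on either side the model never declares anything dead, so a black-holed tunnel stays up until the SA lifetime expires or tunnel monitoring acts. Real Cisco keepalives are on-demand unless `periodic` is configured, so the Cisco side in practice only probes when it has traffic to send.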
