IPSec VPN Negotiation Issues


L0 Member

Dear Members,

Greetings to All!

 

Currently, I'm using multiple site-to-site VPN configurations with a Palo Alto firewall to different vendor sites. All of the tunnels are working fine; the VPN is OK.

My main problem is that when my firewall's public internet goes down and then comes back up, some of the tunnels come up and show green. But one of the tunnels' status is still down even after the internet interface is up. In that case, when I go to CLI mode and type the following command, the tunnel comes up.

 

test vpn ike-sa gateway IKE_Prod_V2   

Start time: May.31 10:16:15
Initiate 1 IKE SA.

 

I want to clarify how we can solve my current issue so that we do not need to run the test vpn ike-sa gateway IKE_Prod_V2 command.

Please kindly help me.

 

Pyie Phyo Htay.

1 REPLY

Hi @Partner_Infra ,

Am I understanding your question correctly:

- You have multiple VPN tunnels

- In some cases your public Internet connection goes down and comes up again after some time

- After the Internet line is restored most of the VPN tunnels are restored, but one is not re-established and still shows "red" status in the GUI

- When you execute the "test vpn" command the tunnel is re-established successfully.

 

The majority of network devices will initiate VPN negotiation ONLY when they receive traffic that needs to be forwarded over the tunnel.

From your explanation it seems that there is no traffic initiated/sourced from your internal network that will trigger VPN negotiation. The "test vpn" command forces the firewall to start VPN negotiation even if there is no actual traffic that will pass over the tunnel.

 

If you just expect this tunnel to re-establish immediately, like the rest of the tunnels - it could be just that this tunnel is not used very often and you need to wait longer for real traffic that will initiate tunnel negotiation.

 

 
