09-09-2025 07:19 AM
As of this post, Palo Alto Firewalls do not sync Phase 1 for IPSec Tunnels. If a remote end is using Dead Peer Detection, this will cause the tunnel to go down after a failover occurs and the remote end DPD hits its threshold. Since the Palo no longer has Phase 1, it cannot respond to the DPD. Despite Phase 2 being up and working, the DPD will pull down the tunnel. The Palo thinks the tunnel remains. Traffic will stop.
Recommended workarounds are to disable the DPD on the remote side or enable tunnel monitoring.
Certain cloud providers are not providing an option to disable DPD. Therefore, a tunnel monitor is the other option provided by Palo. While tunnel monitor technically works, I have asked Palo to look at syncing Phase 1.
A feature request requesting the syncing of Phase 1 exists.
Palo Support provided me with the following:
Feature Request NSFR-I-26043
Please have your account team vote on it on your behalf if this is a feature you want.
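For anyone landing here looking for the tunnel-monitor workaround the post refers to, the following is an added PAN-OS CLI (configure mode) example; it is not part of the original post and not a configuration from Palo Alto Networks or the poster. The tunnel name `ipsec-cloud-a`, the profile name `tm-cloud-a`, the tunnel interface `tunnel.1`, and the addresses are assumed placeholders; the monitored `destination-ip` must be an address on the far side that answers pings through the tunnel (typically the remote tunnel-interface or inside address). The interval and threshold values are illustrative; size them so the monitor fires after the remote peer's DPD would have torn the tunnel down, otherwise the firewall keeps believing the tunnel is up after the failover the post describes.

```text
# -- Added example, not from the original post. Names and IPs are placeholders. --

# Tunnel monitoring sources its pings from the tunnel interface, so it needs an IP.
set network interface tunnel units tunnel.1 ip 169.254.10.1/30

# Monitor profile: 3 s between probes, 5 missed probes before the action fires.
# wait-recover (default) keeps the tunnel route and renegotiates the SAs;
# fail-over additionally withdraws the route so a backup path can take traffic.
set network profiles monitor-profile tm-cloud-a interval 3
set network profiles monitor-profile tm-cloud-a threshold 5
set network profiles monitor-profile tm-cloud-a action wait-recover

# Attach the monitor to the IPSec tunnel and point it at a reachable remote IP.
set network tunnel ipsec ipsec-cloud-a tunnel-monitor enable yes
set network tunnel ipsec ipsec-cloud-a tunnel-monitor destination-ip 169.254.10.2
set network tunnel ipsec ipsec-cloud-a tunnel-monitor tunnel-monitor-profile tm-cloud-a

commit
```

After a commit, `show vpn flow` lists the tunnel with its monitor state, and `show vpn ike-sa` / `show vpn ipsec-sa` show whether Phase 1 and Phase 2 have been re-established on the active member following a failover; a tunnel whose IPSec SA is present but whose IKE SA is missing is exactly the state the post describes.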