I've set up my first LSVPN deployment and everything has gone without a hitch. The only issue I ran into was when we were doing an upgrade of PAN-OS on the gateway and satellites. Satellites all went fine, but my gateway bombed out (first time it's happened to me). We were in an HA pair, but I had duplicate IPs on the network once the passive box rebooted, but I could never communicate or pass traffic with the passive box.

Once I got the bad actor off the network and replaced with an on-site spare and the environment back up and stable, the satellites didn't reconnect. It took upwards of 45 minutes to get them back online. It appears once the tunnel goes down on the satellite there's no way to recover until the next portal or gateway check-in. I was in the process of manually reconnecting the firewalls, but they came up while I was en route.

So, I've read the tunnel monitor difference between IPSEC and LSVPN and looked over the LSVPN deployment guide, but I guess I'm missing how the satellites will recover if connectivity to the gateway is lost. Currently, I don't have a tunnel monitor set up on the gateway. Should I change this monitor to the physical IP of the gateway instead of letting the monitor default to the tunnel interface of the gateway? Would this improve recovery time?

Thanks for any help!