Palo Alto Networks Knowledgebase: Physical Interface Down but IPSec Tunnel is not going Down

Physical Interface Down but IPSec Tunnel is not going Down

Created On 02/07/19 23:58 PM - Last Updated 02/07/19 23:58 PM
VPNs
Symptom

An IPSec tunnel is configured between two firewalls and is up and running. To test failover, the physical interface is brought down or the LAN cable is unplugged. This does not bring the IPSec tunnel down, even when DPD is enabled, and the time taken for the tunnel to go down is far too long.

Resolution

This is expected behavior. Both the CLI and the GUI will show the status of the tunnel as up even when the physical interface is down or unplugged, and the tunnel flow status will show as established.


There are only two ways an IPSec tunnel can be brought down:

  1. Tunnel monitoring
  2. IPSec Re-keying


The status of the tunnel is tied to tunnel monitoring and IPSec re-keying, not to the state of the physical interface. Although this should not cause an issue between route-based VPNs, it can cause an issue if the peer is a policy-based VPN.


Workaround

As a workaround, configure a tunnel monitoring profile. When tunnel monitoring is configured, an IP address must be assigned to the tunnel interface, and that address must be included in the proxy ID list so the monitor probes are carried inside the IPSec SA.

[Screenshots: monitor.png (tunnel monitor settings), proxyID.png (proxy ID entry), interface.png (tunnel interface IP)]


Once tunnel monitoring is configured, if the monitor IP becomes unreachable, the tunnel monitor should immediately bring down the tunnel interface. This in turn clears the IPSec tunnels built over that physical interface.
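The same workaround expressed as PAN-OS CLI set commands, added here as an example and not part of the original article. The interface name (tunnel.1), addresses (10.255.0.1/30 local, 10.255.0.2 peer), tunnel name (to-branch), monitor profile name (tun-mon) and proxy ID name (mon) are all hypothetical; the command keywords follow the PAN-OS set-command form as documented, but should be checked against the running version with the CLI's `?` completion before use.

```text
# Hypothetical values: tunnel.1, 10.255.0.1/30 (this side), 10.255.0.2 (peer),
# IPSec tunnel "to-branch", monitor profile "tun-mon", proxy ID "mon".
configure

# 1. Assign an IP address to the tunnel interface; tunnel monitoring sources its
#    probes from this address, so the tunnel cannot be monitored without it.
set network interface tunnel units tunnel.1 ip 10.255.0.1/30

# 2. Monitor profile: probe every 3 seconds, declare failure after 5 consecutive
#    misses. "fail-over" is the action that brings the tunnel interface down so
#    routes can fail over; "wait-recover" only keeps probing and leaves routing alone.
set network profiles monitor-profile tun-mon action fail-over interval 3 threshold 5

# 3. Enable tunnel monitoring on the IPSec tunnel. The destination is the peer's
#    tunnel-interface address, reached through the tunnel itself.
set network tunnel ipsec to-branch tunnel-monitor enable yes
set network tunnel ipsec to-branch tunnel-monitor destination-ip 10.255.0.2
set network tunnel ipsec to-branch tunnel-monitor tunnel-monitor-profile tun-mon

# 4. The proxy ID must cover both monitor addresses; otherwise the probes never
#    match the SA selectors and the monitor fails even while the tunnel is healthy.
#    The peer must carry the mirror-image proxy ID (local/remote swapped).
set network tunnel ipsec to-branch auto-key proxy-id mon local 10.255.0.1/32 remote 10.255.0.2/32 protocol any

commit
exit

# Verification after the physical link is unplugged: with monitoring in place the
# tunnel interface state and the IPSec SA should both report down within
# roughly interval * threshold seconds (15 s with the values above).
show vpn tunnel
show vpn ipsec-sa
show vpn flow
show interface tunnel.1
```

The threshold should be set with the failover time in mind: interval 3 with threshold 5 means a dead peer is detected in about 15 seconds, which is the figure to compare against the "too long" detection time described in the symptom. Using "fail-over" rather than "wait-recover" is what makes the tunnel interface actually go down, which is the behaviour the workaround relies on.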



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldRCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail