Palo Alto Networks Knowledgebase: Physical Interface Down but IPSec Tunnel is not going Down

Physical Interface Down but IPSec Tunnel is not going Down

Created On 02/07/19 23:58 PM - Last Updated 02/07/19 23:58 PM

An IPSec tunnel is configured between two firewalls and it is up and running. To test, the physical interface is brought down or the LAN cable is unplugged. But, this does not bring the IPSec tunnel down, even if DPD is enabled and the time taken to bring the tunnel down is too long.


This is expected behavior. Both the CLI and GUI will show the status of tunnel as up, even when the physical interface is down or unplugged and the tunnel flow status will show as established.


The are only two ways an IPSec tunnel can be bought down:

  1. Tunnel monitoring
  2. IPSec Re-keying


The status of the tunnel is tied to tunnel monitoring and IPSec Re-Keying. Although this should not cause an issue between route based VPNs, this could cause an issue if the peer is policy based VPN.



As a workaround, configure a tunnel monitoring profile. When a tunnel monitoring is configured, an IP will have to be assigned to the tunnel interface and should be included in the proxy ID list.



Once tunnel monitoring is configured, if the monitor IP is unreachable, the tunnel monitor should immediatly bring down the tunnel interface. And, this would in turn end up clearing the IPSec tunnels built over that physical interface.

  • Print
  • Copy Link

Choose Language