IKEv2 was introduced in PAN-OS 7.0. With this version of IKE, the firewall can run a liveness check over the phase 1 SA to detect a problem with the underlying network connectivity even when the link itself looks healthy (for example, the physical interface is still connected but the peer no longer answers). This option is not enabled by default.
The default liveness interval is 5 seconds of SA idle time. Upon losing connectivity, the firewall performs 10 liveness retries with an increasing timeout (in seconds) before each retry, as follows: 1 + 2 + 4 + 8 + 16 + 32 + 64 + 64 + 64 + 64 = 319 seconds (about 5 minutes).
After the maximum number of retries is reached, the firewall tears down the phase 1 and phase 2 (child) SAs. In PAN-OS 7.0, neither the number of retries nor the wait time between retries is configurable.
Note, however, that the associated tunnel interface stays up, so any static route egressing through that tunnel interface also remains active. Failing traffic over to a backup path therefore requires an additional mechanism such as phase 2 tunnel monitoring, policy-based forwarding, or a dynamic routing protocol such as BGP or OSPF.
Output from show command:
> show vpn ike-sa detail gateway [IKE GW name]
IKE Gateway GW, ID 35
    2.2.2.2 => 1.1.1.1
    Current time: Mar.01 13:49:56
IKE SA:
    SPI: 8669654AB024E4AE:CABD66D702C02131 Init
    State: Established
    SN: 4
    Authentication: PSK, peer PSK
    Proposal: AES256-CBC/SHA256/DH5
    ID local: ipaddr:2.2.2.2 remote: ipaddr:1.1.1.1
    ID_i: IPv4_address:2.2.2.2
    ID_r: IPv4_address:1.1.1.1
    NAT: Not detected
    Message ID: rx 35, tx 37
    Liveness check: sending informational packet after idle 5 seconds
Output from ikemgr.log when the IKEv2 liveness check detects a connectivity problem:
2016-03-01 14:32:24 [INFO]: ike_sa.c:275:ikev2_abort(): 6:1.1.1.1[500] - 2.2.2.2[500]:(nil):aborting IKEv2 SA GW:6
2016-03-01 14:32:24.890 +0800 debug: pan_ikev2_debug(protocols/ikev2/ikev2.c:6946): ... IKEv2 SA state {GW:6-I}: SA dying from state ESTABLISHED, caller ikev2_abort
2016-03-01 14:32:24 [DEBUG]: ikev2.c:1174:ikev2_set_state(): 6:1.1.1.1[500] - 2.2.2.2[500]:(nil):ike_sa 0x827b210 state ESTABLISHED -> DYING: func ikev2_set_state, caller ikev2_set_sa_dying
2016-03-01 14:32:24.890 +0800 debug: ikev2_set_state(protocols/ikev2/ikev2.c:1239): keeping retransmit while state changed to DYING, CID 150, child 0x827b210
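The following is an added example, not code from the article or from Palo Alto Networks. It models the retry schedule described above (doubling wait, capped at 64 seconds, 10 retries) so an operator can see how long a dead peer goes undetected before the SAs are torn down, and it parses ikemgr.log entries of the shape shown above to flag the ESTABLISHED -> DYING transition that marks a liveness-check failure. The regular expressions are written against the two log lines quoted in the article only; other ikemgr.log message formats, the field names I chose, and the third sample line are assumptions.

```python
import re
from typing import Dict, List, Optional

# Values stated in the article for PAN-OS 7.0 (not configurable in that release).
LIVENESS_MAX_RETRIES = 10
LIVENESS_MAX_BACKOFF = 64   # per-retry wait doubles from 1 second until it hits this cap


def liveness_retry_schedule(retries: int = LIVENESS_MAX_RETRIES,
                            cap: int = LIVENESS_MAX_BACKOFF) -> List[int]:
    """Wait time (seconds) before each liveness retry: 1, 2, 4, ... doubling, capped."""
    schedule: List[int] = []
    wait = 1
    for _ in range(retries):
        schedule.append(wait)
        wait = min(wait * 2, cap)
    return schedule


def retry_window_seconds(retries: int = LIVENESS_MAX_RETRIES,
                         cap: int = LIVENESS_MAX_BACKOFF) -> int:
    """Total seconds the firewall keeps retrying before it tears down the SAs."""
    return sum(liveness_retry_schedule(retries, cap))


# One ikemgr.log entry as quoted in the article: timestamp, level, source
# location, gateway id and the two IKE endpoints, then a free-text remainder.
# (Assumed layout; derived only from the two lines on the page.)
_HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>[A-Z]+)\]: "
    r"(?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\): "
    r"(?P<gw>\d+):(?P<addr_a>[\d.]+)\[(?P<port_a>\d+)\] - "
    r"(?P<addr_b>[\d.]+)\[(?P<port_b>\d+)\]:(?P<rest>.*)$"
)
_TRANSITION_RE = re.compile(r"state (?P<old>[A-Z_]+) -> (?P<new>[A-Z_]+)")
_CALLER_RE = re.compile(r"caller (?P<caller>\w+)")
_ABORT_RE = re.compile(r"aborting IKEv2 SA GW:(?P<gw>\d+)")


def parse_ikemgr_line(line: str) -> Optional[Dict[str, object]]:
    """Return a structured event for a recognised ikemgr.log line, else None."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    event: Dict[str, object] = {
        "timestamp": m.group("ts"),
        "level": m.group("level"),
        "function": m.group("func"),
        "gateway_id": int(m.group("gw")),
        "endpoints": (m.group("addr_a"), m.group("addr_b")),
        "kind": "other",
    }
    rest = m.group("rest")
    t = _TRANSITION_RE.search(rest)
    if t:
        event.update(kind="transition", old_state=t.group("old"), new_state=t.group("new"))
        c = _CALLER_RE.search(rest)
        event["caller"] = c.group("caller") if c else None
    elif _ABORT_RE.search(rest):
        event["kind"] = "abort"
    return event


def detect_sa_teardowns(lines: List[str]) -> List[Dict[str, object]]:
    """Events where an IKE SA left ESTABLISHED for DYING: the liveness failure
    the article describes, which precedes the phase 1 / phase 2 teardown."""
    found: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_ikemgr_line(line)
        if (ev and ev["kind"] == "transition"
                and ev["old_state"] == "ESTABLISHED" and ev["new_state"] == "DYING"):
            found.append(ev)
    return found


# Sample input: the first two entries are copied from the article's ikemgr.log
# excerpt; the third is a constructed, unrelated line to show it is ignored.
SAMPLE_LOG_LINES = [
    "2016-03-01 14:32:24 [INFO]: ike_sa.c:275:ikev2_abort(): 6:1.1.1.1[500] - "
    "2.2.2.2[500]:(nil):aborting IKEv2 SA GW:6",
    "2016-03-01 14:32:24 [DEBUG]: ikev2.c:1174:ikev2_set_state(): 6:1.1.1.1[500] - "
    "2.2.2.2[500]:(nil):ike_sa 0x827b210 state ESTABLISHED -> DYING: "
    "func ikev2_set_state, caller ikev2_set_sa_dying",
    "2016-03-01 14:32:25 [INFO]: constructed filler line that matches nothing",
]

if __name__ == "__main__":
    print("retry schedule:", liveness_retry_schedule(),
          "total", retry_window_seconds(), "s")
    for ev in detect_sa_teardowns(SAMPLE_LOG_LINES):
        print(f"{ev['timestamp']} GW {ev['gateway_id']} {ev['endpoints']} "
              f"{ev['old_state']} -> {ev['new_state']} (caller {ev['caller']})")
```

The 319-second retry window is the figure to plan around: because the tunnel interface stays up during that window, a backup path driven by tunnel monitoring, PBF or a routing protocol is what actually moves traffic, and the ESTABLISHED -> DYING event is the log signal to correlate with that failover when reviewing an outage.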