Site to site VPN between Cisco router and Palo alto

MriduD
Level 1
We have a policy-based site-to-site VPN between a Cisco router and a Palo Alto. But the tunnel goes down and doesn't come up after the IPsec lifetime has expired. And the tunnel only comes up after sending traffic from Cisco to Palo Alto and not the other way. When the devices under the Cisco LAN subnet (192.168.2.0/24) try to communicate with the server (under the PA LAN subnet, 10.1.1.0/24), the tunnel doesn't come up. DPD and lifetime are already configured on both the Cisco router and the PA.

24 Replies

No need to config the router as responder.

Also you need one more command:

ip sla schedule <ip sla number> life forever start now

@MHM Cisco World  Is this how we have configured the values as default? Or should I not configure anything and it will take the default values?

As I mentioned, if you don't config anything, the ip sla will use the default values.

No need to change it.

MHM
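As an added illustration of the approach the replies above describe (not config posted in this thread), here is a Cisco IOS IP SLA that keeps interesting traffic flowing across the policy-based tunnel so the Cisco side keeps initiating it. The probe destination 10.1.1.10 and the router LAN address 192.168.2.1 are assumed values; the probe must be sourced from the LAN side so it matches the crypto ACL for 192.168.2.0/24 -> 10.1.1.0/24, and the schedule keyword is "start-time now" in IOS syntax.

```cisco
! Assumed addresses: 10.1.1.10 = a host behind the PA, 192.168.2.1 = router LAN interface.
! ICMP echo sourced from the LAN address so it is "interesting traffic" for the crypto map.
ip sla 10
 icmp-echo 10.1.1.10 source-ip 192.168.2.1
 frequency 30
!
! Run the probe indefinitely; a probe with a finite life stops and the tunnel idles out again.
ip sla schedule 10 life forever start-time now
!
! Verification (exec mode):
!  show ip sla statistics 10     - probe success/failure counts
!  show crypto session           - tunnel should stay UP-ACTIVE across the IPsec lifetime
```

The probe only helps if the PA-side host actually answers ICMP and the security policy on the PA permits it; otherwise the SLA reports failures even though the tunnel negotiates.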

Tunnels have been stable so far after configuring IP SLA on the Cisco side.

Hello
As far as I am aware, the PAs do not support IP SLA; however, they do allow tunnel monitoring, which you can enable on creation of the tunnel as/when you add your IKE/IPsec crypto profiles.
Optionally you can use its default network monitor profile or create a new one.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for your input, Sir.

I am going to configure IP SLA on the Cisco router since the clients are behind the Cisco router. I shall let you know if it doesn't work.

Hello
Re-reading this OP:
This is not down to any IP SLA monitoring or the lack of it; it is down to how to dynamically bring up the tunnel as/when it ever fails, or whether interesting traffic is initiated or not.

Can you elaborate on the PA side of things regarding the VPN creation (IKE/IPsec profiles) and whether the tunnel is statically addressed or not?



Kind Regards
Paul

Do you want to look at the configuration on the PA side?

Hello
Can you share (in a file) the output of:
sh vpn tunnel
sh vpn gateway
sh vpn flow
sh vpn flow name xx
sh vpn ike-sa detail gateway xx
sh vpn ipsec-sa tunnel x
sh vpn ipsec-sa sum



Kind Regards
Paul

Hello sir,

Actually, I configured IP SLA on the Cisco side... Tunnels look stable now. I would still keep an eye on the connectivity. If they go down again, I shall let you know. OK?
