Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:configuration:vpn_monitoring [2020/05/31 00:25] – bstafford
+++ paloaltonetworks:configuration:vpn_monitoring [2022/11/23 12:49] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ======VPN Monitoring======
+===== PAN-OS to PAN-OS VPN =====
+When configuring PAN-OS to PAN-OS VPN tunnels, use IKEv2. When using IKEv1, I've seen issues with tunnel droping on some configurations.
+From Palo Alto Networks support:
+//PAN IKEv1 does not support overlapping IKE SA. The phase1 SA will be deleted when its lifetime expires. The phase1 SA rekey will only be triggered when Phase2 SA lifetime expires. It is not a bug. While, IKEV2 support overlapping SA, phase1 SA will be rekeyed before its lifetime expires.//
+===== Monitoring =====
 If you have 169.254.11.1/30 defined on your tunnel interface, and if you have 169.254.22.2/30 defined on the peer tunnel interface, then
   - If you have enabled tunnel monitoring on your VPN to monitor 169.254.22.2/30, you will find that 169.254.11.1 **can** ping 169.254.22.2 even though, in theory, it has not route to it. No other interface on the firewall will be able to ping it though. The act of putting a tunnel monitor on the tunnel means that the firewall will send to that IP down the tunnel when they are sourced from the tunnel IP.