Automatic Tunnel Restoration in Prisma Access Agents
After an interruption occurs, such as a network connectivity issue, the Prisma Access Agent will attempt to restore the tunnel and maintain connectivity without user intervention.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Automatic tunnel restoration enhances the end-user experience by maintaining consistent and efficient connectivity for Prisma Access Agents. This feature automatically restores secure connections after interruptions, reducing user frustration and minimizing work disruptions.
Automatic tunnel restoration is a standard feature of Prisma Access Agents, so no configuration is required for it to work. To understand automatic tunnel restoration, you should be familiar with the following key concepts:
Connectivity Modes
Depending on how you configured the Prisma Access Agent, your users will connect to a gateway using one of the following modes:
  • Always On—In this mode, the Prisma Access Agent continuously attempts to maintain a connection to a location. Users can't disconnect, and the sign-out option is disabled in the Prisma Access Agent app.
  • On-Demand—This mode allows users to choose when to connect or disconnect. When users choose the Best Location, the agent behaves like it's in Always On mode until manually disconnected.
Location Selection
Your users can connect to a location (gateway) using the following methods:
  • Best location selection—This method selects the optimal location based on various factors. It's used when no specific location is chosen or when reconnection to a chosen location fails in Always On mode.
  • Manual location selection—Users can choose a specific location to connect to. The behavior differs based on the connectivity mode.
Monitoring and System Changes
Prisma Access Agent monitors various network and system changes, including:
  • Network status changes such as internet connectivity coming up or going down
  • System sleep mode and resume events
  • Service disable or enable events
  • Service restarts due to reboots, upgrades, or crashes
Restoration Window
The Prisma Access Agent will attempt to restore the connection for up to 30 minutes after an interruption occurs. This window significantly reduces the need for manual reconnections after changes in network conditions.
  • When a connection interruption occurs, the Prisma Access Agent initiates the secure tunnel restoration process.
  • The agent attempts to restore the connection for up to 30 minutes.
  • If successful within this time frame, the connection is reestablished without user intervention.
  • If unsuccessful after 30 minutes, the user might need to manually reinitiate the connection.
Tunnel restoration behavior differs depending on the connectivity mode for the agent.
Tunnel Restoration in Always On Mode
In Always On mode, the Prisma Access Agent actively attempts to maintain a constant connection:
  • If the user manually chooses a location and it becomes unavailable, Prisma Access Agent will try to reconnect to the chosen location.
  • If reconnection to the chosen location fails, Prisma Access Agent automatically switches to the best location.
  • The agent continuously attempts to restore the connection, trying up to five times using the best location.
  • The system will notify users about connection status changes in the Prisma Access Agent app.
Tunnel Restoration in On-Demand Mode
In On-Demand mode, the restoration behavior depends on how the connection was initiated:
  • If the user chose Best Location, the agent behaves similarly to Always On mode until manually disconnected.
  • If the user chose a specific location:
    • Prisma Access Agent attempts to reconnect only to that location.
    • If reconnection fails, it does not connect to any other location.
    • Users are notified of failed connection attempts.
  • After a manual disconnect, the Prisma Access Agent remains in a disconnected state until the user initiates a new connection.
In both modes, Prisma Access Agent monitors network and system changes to trigger restoration attempts when necessary, ensuring optimal connectivity within the 30-minute restoration window.
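The restoration rules above (and the user-experience summary that follows) can be read as a small decision policy. The following Python model is an added illustration written for this page, not Prisma Access Agent code: the 30-minute window and the five best-location tries come from the page, while the number of tries made to a manually chosen location before Always On falls back to the best location, the fixed 2-second spacing between attempts, and applying the five-try cap when Best Location was selected are assumptions made to keep the model concrete.

```python
from dataclasses import dataclass

# Connectivity modes and location-selection methods, as named on the page
ALWAYS_ON, ON_DEMAND = "always_on", "on_demand"
BEST, MANUAL = "best", "manual"

RESTORE_WINDOW_S = 30 * 60        # 30-minute restoration window (from the page)
MAX_BEST_ATTEMPTS = 5             # up to five tries via the best location (from the page)
CHOSEN_TRIES_BEFORE_FALLBACK = 3  # ASSUMPTION: page does not say how many tries go to the chosen location

@dataclass
class AgentState:
    mode: str                        # ALWAYS_ON or ON_DEMAND
    selection: str                   # BEST (or no choice) or MANUAL
    user_disconnected: bool = False  # set after an On-Demand manual disconnect
    elapsed_s: int = 0               # seconds since the interruption
    chosen_failures: int = 0
    best_attempts: int = 0

def next_target(s: AgentState) -> str:
    """Return what the agent tries next: 'chosen', 'best', or 'none' (stop and wait for the user)."""
    if s.user_disconnected or s.elapsed_s >= RESTORE_WINDOW_S:
        return "none"
    if s.selection == BEST:
        # Best Location behaves like Always On in either mode; applying the five-try cap here is an ASSUMPTION
        return "best" if s.best_attempts < MAX_BEST_ATTEMPTS else "none"
    if s.mode == ON_DEMAND:
        return "chosen"  # specific location in On-Demand: retry it only, never another location
    if s.chosen_failures < CHOSEN_TRIES_BEFORE_FALLBACK:
        return "chosen"  # Always On: keep trying the chosen location first
    return "best" if s.best_attempts < MAX_BEST_ATTEMPTS else "none"  # then fall back to best

def simulate(state: AgentState, outcomes: list, retry_interval_s: int = 2) -> list:
    """Drive the policy over constructed attempt results (True = reconnect succeeded).
    Returns [(elapsed_s, target, succeeded), ...]; stops at the first success or when the policy gives up."""
    log = []
    for ok in outcomes:
        target = next_target(state)
        if target == "none":
            break
        log.append((state.elapsed_s, target, ok))
        if ok:
            break
        if target == "chosen":
            state.chosen_failures += 1
        else:
            state.best_attempts += 1
        state.elapsed_s += retry_interval_s
    return log
```

Feeding `simulate` a run of failures shows the key difference between the modes: Always On with a manual location eventually moves to the best location, while On-Demand with a manual location keeps retrying only that location until the window expires.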

User Experience with Tunnel Restoration

The Prisma Access Agent provides a seamless experience for users when restoring tunnel connections. This experience varies depending on the connection mode and specific circumstances.
Always-on mode—In always-on mode, users don't need to take any action to restore the tunnel. The agent automatically attempts to reconnect when a disconnection occurs. If the user had manually selected a gateway, the agent first tries to reconnect to that gateway. If unsuccessful, it switches to the best gateway.
On-demand mode—In on-demand mode, the user experience depends on how the connection was initiated:
  • Best gateway selection—The agent behaves similarly to always-on mode, automatically attempting to reconnect until the user manually disconnects.
  • Specific gateway selection—If the chosen gateway becomes unavailable, the agent attempts to reconnect only to that gateway. Users receive a notification if the connection fails, without the agent trying alternative gateways.
  • Manual disconnect: After a user-initiated disconnect, the agent remains disconnected until the user chooses to connect again.
Across both modes, users don't need to reauthenticate during reconnection attempts within the 30-minute restoration window. This applies to various scenarios such as sleep mode, hibernation, machine lock, or OS logout.
If network issues occur, users might notice brief interruptions as the agent attempts to reconnect within 2 seconds. In cases where reconnection isn't possible within the 30-minute window, users might need to manually initiate a new connection.