Synopsis

Required License

Details

Correlated Alerts

AL_SC_PRIMARY_WAN_BGP_DOWN
AL_SC_PRIMARY_WAN_BGP_FLAP

Remediation

Confirm whether the IPSec tunnel is active or not. If the tunnel is up but BGP is still down, proceed to next step 2. If the IPSec tunnel is down, proceed to step 4.
Perform a
ping
from your machine to the SC's BGP peer to confirm whether it fails. If the
ping
fails, go to step 3. If the
ping
succeeds, proceed to step 4.
Perform
traceroute
to the BGP peer to see whether
traceroute
is failing within your network. If it is, work with your network team to resolve the connectivity issue. If
traceroute
is failing outside of your network, contact your ISP. If it is still not resolved, open a case with Palo Alto Networks Customer Support Portal and provide all of the above information.
Review for any resource utilization issues on the device where this tunnel terminates. If there are any in-path devices prior to the terminating device, review there as well.
Perform
ping
and
traceroute
to review for any latency inconsistencies or packet loss between the site and the
Prisma Access
location. Contact your ISP if there is packet loss. If there is no packet loss or results are inconclusive:
Isolate some test traffic and perform packet captures.
Check for any TCPs that are out of order, lost segments, or retransmission, which might indicate packet loss through the tunnel.
If you observe these issues, take packet captures of the ESP traffic, so you can check the public IP addresses between the
Prisma Access
location service IP address and the remote VPN peer IP address.
Review for gaps in the ESP sequence numbers, which indicates in-path packet loss, or out-of-order ESP sequence numbers, which indicate reordering by a network device in the path.
If there are other network devices in the path prior to the terminating device, perform steps
a
through
d
to help isolate the problematic network device.
If you still can't resolve this issue, contact Palo Alto Networks Customer Support Portal.