INC_RN_SECONDARY_WAN_TUNNEL_DOWN
Focus
Focus
Prisma Access

INC_RN_SECONDARY_WAN_TUNNEL_DOWN

Table of Contents

INC_RN_SECONDARY_WAN_TUNNEL_DOWN

Learn about the INC_RN_SECONDARY_WAN_TUNNEL_DOWN incident.

Synopsis

Remote network site <site-name> secondary WAN tunnel <tunnel-name> is down for at least 10 minutes.
Incident Code—INC_RN_SECONDARY_WAN_TUNNEL_DOWN
Severity—Warning
For details about incident severity, see Incidents Distribution Over Time in Incidents and Alerts Overview.

Required License

Prisma Access

Details

Impact
The remote network user count when the tunnel went down (does not increase or decrease when the incident is in the raised state).
Raise condition
The tunnel is down for at least 10 minutes.
Clear condition
The tunnel is up for at least 8 minutes.

Correlated Alerts

  • AL_RN_SECONDARY_WAN_BGP_DOWN
  • AL_RN_SECONDARY_WAN_BGP_FLAP
  • AL_RN_SECONDARY_WAN_TUNNEL_DOWN
  • AL_RN_SECONDARY_WAN_TUNNEL_FLAP

Remediation

  1. Check for any resource utilization issues on the device where this tunnel terminates.
  2. If there are any in-path devices prior to the terminating device, check for any resource utilization issues there, as well.
  3. Perform a ping and traceroute to check for any latency inconsistencies or packet loss between the site and Prisma Access location.
  4. Contact your ISP in case of packet loss. If there is no packet loss or results are inconclusive:
    1. Isolate some test traffic and perform packet captures.
    2. Check for any TCPs that are out of order, lost segments, or retransmission, which might indicate packet loss through the tunnel.
    3. If you observe these issues, take packet captures of the ESP traffic, so you can see the public IP addresses between the Prisma Access location service IP address and the remote VPN peer IP address.
    4. Review for gaps in the ESP sequence numbers, which indicates in-path packet loss, or out-of-order ESP sequence numbers, which indicate reordering by a network device in the path.
    5. If there are other network devices in the path prior to the terminating device, perform steps a through d to help isolate the problematic network device.
  5. Contact your ISP to check for any issues at the remote site.
  6. If these steps don't help you resolve your issue, contact the Palo Alto Networks Customer Support Portal.