Aug 23 2021
5:08 AM
@GiacomoS Thanks for sharing this. The Palo Alto has one virtual router where all static routes match the desired subnet, e.g. Tunnel1 with 10.20.30.40/24 routed.

On the Meraki side, there is one global setting for the VPN tunnel:
  Name: "doesn't matter"
  IKE Version: IKEv2
  Policies: see post above
  Public IP: Palo's IP
  Local ID: address reservation from the provider's router; the same for every site, e.g. 192.168.1.1
  Remote ID: empty
  Private Subnets: 0.0.0.0/0, as we want a full tunnel
  PSK: "Key"
  Availability: All networks

On the Palo side:
  Each IKE GW identifies with
    Peer address: VPN site's public IP
    Local ID: Palo's IP
    Peer ID: 192.168.1.1
    PSK: "Key"
  Each IPSec GW has a proxy ID named "whatever" with
    Local ID: 0.0.0.0/0
    Peer Address: e.g. 10.20.30.40/24 (LAN behind Z3)
    Protocol: any

If any of these settings don't match, I would assume the tunnel won't be established, but there are "just" random crashes of the network traffic, not the tunnel itself.
Aug 20 2021
5:08 AM
Did anyone ever solve this issue permanently? We're having the exact same issue between a Palo Alto Cloud Firewall and Meraki Z3s on multiple sites. On the rekey step the tunnel stays online, but network traffic doesn't pass the tunnel. We have an IKEv2 tunnel btw.

On the Meraki side/log, you can see that there are two steps happening repeatedly on a working tunnel:
  inbound CHILD_SA
  outbound CHILD_SA
At the time the error occurs, the outbound step is missing.

We have a NAT scenario on all sites where the Z3s are installed: public static address with a common router; the Z3 is connected to this router.

Config

On Palo side
  IPSec Crypto profile
    IPSec Protocol: ESP
    DH group: 2
    LT: 1h
    Encryption: aes-256-gcm/cbc
    Authentication: sha256
  IKE Crypto profile
    DH Group: group2
    Encryption: aes-256-cbc
    Authentication: sha256
    Key LT: 8h
    IKEv2 Authentication Multiple: 5

On Meraki side
  Phase 1
    Encryption: AES 256
    Authentication: SHA256
    Pseudo-random Function: Defaults to Authentication
    Diffie-Hellman group: 2
    Lifetime (sec): 28800
  Phase 2
    Encryption: AES 256
    Authentication: SHA256
    PFS group: 2
    Lifetime (sec): 3600

Palo Alto IKE GW Options
  Passive mode: Enabled
  NAT-T: Enabled
  Advanced Option
    Strict Cookie Validation: turned off
    Liveness Check Interval (sec): 5
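The symptom described in the post above (tunnel up, inbound CHILD_SA installed at rekey time, outbound CHILD_SA never follows, traffic silently blackholed) is something you can catch from an exported event feed before users notice. The script below is an added example written for this page; it is not code from the thread, from Meraki or from Palo Alto. The log line format, the hostnames, the peer address 203.0.113.10 and the SPIs are all constructed for the example and only loosely modelled on the two "inbound CHILD_SA" / "outbound CHILD_SA" steps the poster describes; the regex must be adapted to whatever the real exporter emits before this is run against production logs. It pairs each inbound CHILD_SA rekey with the outbound one that should follow within a short grace window, per tunnel, and reports the ones left half-open.

```python
"""Flag IKEv2 CHILD_SA rekeys that installed an inbound SA but never the
outbound one (added example; log format is an assumption, not real vendor output)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed. Site A completes two rekeys, then its third rekey
# never gets its outbound CHILD_SA; site B is healthy. Lines are deliberately
# not in global time order to show that pairing is done per tunnel.
SAMPLE_LOG = """\
2021-08-20T04:58:01Z site-a ipsec: peer=203.0.113.10 event=rekey CHILD_SA dir=inbound spi=0x11111111
2021-08-20T04:58:01Z site-a ipsec: peer=203.0.113.10 event=rekey CHILD_SA dir=outbound spi=0x22222222
2021-08-20T05:58:02Z site-a ipsec: peer=203.0.113.10 event=rekey CHILD_SA dir=inbound spi=0x33333333
2021-08-20T05:58:02Z site-a ipsec: peer=203.0.113.10 event=rekey CHILD_SA dir=outbound spi=0x44444444
2021-08-20T06:58:03Z site-a ipsec: peer=203.0.113.10 event=rekey CHILD_SA dir=inbound spi=0x55555555
2021-08-20T07:10:00Z site-a ipsec: peer=203.0.113.10 event=liveness ok
2021-08-20T05:00:00Z site-b ipsec: peer=203.0.113.10 event=rekey CHILD_SA dir=inbound spi=0x66666666
2021-08-20T05:00:00Z site-b ipsec: peer=203.0.113.10 event=rekey CHILD_SA dir=outbound spi=0x77777777
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed line shape; adjust to the real exporter.
REKEY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ipsec: peer=(?P<peer>\S+) "
    r"event=rekey CHILD_SA dir=(?P<dir>inbound|outbound) spi=(?P<spi>0x[0-9a-f]+)$"
)


def parse_rekeys(text):
    """Yield (timestamp, host, peer, direction, spi) for every CHILD_SA rekey line."""
    for line in text.splitlines():
        m = REKEY_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["host"], m["peer"], m["dir"], m["spi"]


def last_timestamp(text):
    """Latest timestamp of any line in the feed; used as 'now' when checking the tail."""
    stamps = [datetime.strptime(l.split(" ", 1)[0], TS_FMT) for l in text.splitlines() if l.strip()]
    return max(stamps) if stamps else datetime.min


def find_half_open_rekeys(text, grace=timedelta(seconds=30), now=None):
    """Return [(host, peer, inbound_spi, inbound_ts), ...] for rekeys where the inbound
    CHILD_SA was installed but no outbound CHILD_SA followed. A pending inbound SA is
    reported either when the next inbound rekey starts on top of it, or when the feed
    ends more than `grace` after it without an outbound twin."""
    if now is None:
        now = last_timestamp(text)
    by_tunnel = defaultdict(list)
    for ts, host, peer, direction, spi in parse_rekeys(text):
        by_tunnel[(host, peer)].append((ts, direction, spi))
    stuck = []
    for (host, peer), events in by_tunnel.items():
        # Sort per tunnel; for equal timestamps "inbound" sorts before "outbound",
        # which matches the order the two steps appear in on a working tunnel.
        events.sort()
        pending = None  # (ts, spi) of an inbound SA still waiting for its outbound twin
        for ts, direction, spi in events:
            if direction == "inbound":
                if pending is not None:
                    stuck.append((host, peer, pending[1], pending[0]))
                pending = (ts, spi)
            elif pending is not None:
                pending = None  # rekey completed normally
        if pending is not None and now - pending[0] > grace:
            stuck.append((host, peer, pending[1], pending[0]))
    return stuck


if __name__ == "__main__":
    for host, peer, spi, ts in find_half_open_rekeys(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host} peer {peer}: inbound CHILD_SA {spi} has no outbound twin; "
              f"tunnel is up but traffic will blackhole until the SA is cleared")
```

Run against a feed pulled on a schedule, a non-empty result is the trigger to clear or re-establish the affected IPsec SA on the Palo side rather than waiting for users to report the outage, and the `(host, peer)` key keeps sites that share one hub peer from masking each other.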