The site has three levels of hubs. The Primary and HA hubs act as tunnel clients and connect to two tunnel server hubs, which in turn act as tunnel clients toward the customer hubs. Tunnel opening is therefore always from the inside to the outside.
When using IM, the picture depends somewhat on which hub you are logged into: of the seven hubs, some may show as red when logged into one hub, while all hubs show green when logged into another. The biggest issue is that these connections break fairly often, so connectivity is lost; after some time, or after restarting the middle-level hubs, the connections come back.
It then works fine for a while without issues, and after some time the tunnels break again. When looking at the hub status on the middle-level hubs, they may have lost their connection to the primary hubs.
8.31 and 8.4 running on Windows with hub 7.80 HF9
Here, the heartbeat mechanism is not working as expected. Without the improved mechanism, there is a danger that client and server disagree on the state of a tunnel, resulting in communication that succeeds in one direction but fails in the other.
In addition, the firewall settings must be adjusted. Initially, the firewall timeouts were set to 15 seconds for all UIM ports.
An exploratory build from development that contains the improved heartbeat mechanism addresses this.
The firewalls in place at the customer's site are:
Palo Alto 7.06
The firewall rules put in place for the UIM ports (48000-48050) are:
a. Idle connection timeout: 7200
b. Max connection timeout: 7200
c. TCP connection only: no application awareness (important)
Note: when application awareness is turned off, the max connection and idle connection timeouts should be the same. These can be set higher.
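To confirm that the raised timeouts actually hold on the path between hubs, here is an added Python probe (not part of this article or of UIM) that keeps a TCP connection silent for a chosen period and reports whether it survived. The local echo server that drops silent connections after a configurable limit is a constructed stand-in for a firewall with an idle timeout; point the probe only at an echo-capable test endpoint, not at a live hub port.

```python
import socket
import threading
import time


def start_echo_server(idle_limit=None):
    """Constructed stand-in for a firewall with an idle timeout: an echo server on
    127.0.0.1 that closes any connection silent for longer than idle_limit seconds.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.settimeout(idle_limit)  # None means "never drop for idleness"
            try:
                while data := conn.recv(1024):
                    conn.sendall(data)
            except socket.timeout:
                pass  # idle limit reached: drop the connection, as the firewall did

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe_idle_survival(host, port, idle_seconds, reply_timeout=3.0):
    """Open a TCP connection to host:port, stay silent for idle_seconds, then send
    one byte and wait for the echo. Returns True if the connection survived the
    idle period, False if something on the path (firewall idle timeout, peer
    close) dropped it. Use an echo-capable test endpoint, not a production hub."""
    try:
        with socket.create_connection((host, port), timeout=reply_timeout) as sock:
            time.sleep(idle_seconds)
            sock.sendall(b"\n")
            return sock.recv(1) == b"\n"  # b"" means the peer already closed on us
    except OSError:
        # An RST from the firewall (ConnectionResetError) or a silent drop (timeout)
        return False


if __name__ == "__main__":
    # Constructed scenario: the "firewall" allows only 0.5 s of idle time.
    port = start_echo_server(idle_limit=0.5)
    print("short idle survives:", probe_idle_survival("127.0.0.1", port, idle_seconds=0.1))
    print("long idle survives: ", probe_idle_survival("127.0.0.1", port, idle_seconds=1.0))
```

Against the real path, run the probe with idle_seconds just below and just above the configured 7200 to see where the firewall actually cuts idle tunnels.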