In some policy based site to site VPNs, for the VPN to begin initialising, ‘interesting’ traffic needs to reach the router.
Interesting traffic can be defined in the ‘Proxy IDs’ section of the IPSec tunnel in Palo Alto.
When interesting traffic reaches the Palo Alto, if the VPN has not yet established, it will try establish the VPN.
There may be times where you can’t generate this interesting traffic, but you can manually trigger the tunnel to try establish a connection through the Palo Alto CLI.
With these two commands, you can test both IKE and IPSec establishment:
test vpn ike-sa gateway <gateway_name> test vpn ipsec-sa tunnel <tunnel_name>