In a Prisma SD-WAN deployment, the formation of VPN tunnels between a branch ION device and a Data Center (DC) ION is governed by specific configuration parameters that define how an interface interacts with the WAN fabric. When a secondary public circuit is introduced, the system requires precise classification to initiate the negotiation of security associations.
The first critical factor is the Interface Role. For an ION device to attempt to build a global fabric tunnel over a public circuit, the interface must be explicitly assigned the "Internet" role. If the role is incorrectly set (e.g., as "LAN" or left unconfigured), the device will not treat that physical port as a viable path for the SD-WAN overlay, preventing the tunnel from initiating.
Secondly, the Circuit Label plays a vital role in the path selection and tunnel orchestration logic. Prisma SD-WAN uses labels to match local branch circuits with corresponding circuits at the data center or other branches. If a circuit label is missing or mismatched on the interface configuration, the Controller cannot properly orchestrate the "bind" between the branch and the hub. Without a valid label, the ION device doesn't know which path group the circuit belongs to, and consequently, the automated tunnel signaling process fails to complete.
While DNS is important for management connectivity to the Controller, it is generally not the primary blocker for site-to-site tunnel formation if Controller reachability is already established via the primary circuit. Similarly, "Interface Scope" is more relevant to routing advertisement than to the foundational establishment of the SD-WAN tunnel itself. Therefore, ensuring the Internet role and Circuit Label are correctly applied is the standard troubleshooting step for non-forming tunnels on new circuits.
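The two checks above can be run as a pre-flight audit before a new circuit goes live. The following is an added example, not Prisma SD-WAN code or its API: the dictionary schema, the field names (`role`, `circuit_label`), the port names and the label values are all hypothetical and constructed for illustration.

```python
# Added example: pre-flight audit of branch interfaces for the two
# tunnel-blocking conditions described above. The schema is a simplified,
# hypothetical export, not the Prisma SD-WAN API.

def tunnel_blockers(interface, hub_labels):
    """Return the reasons a fabric tunnel would not form on this interface."""
    findings = []
    role = interface.get("role")
    if role != "Internet":
        # A public circuit is only used for the overlay with the Internet role.
        findings.append(f"role is {role or 'unconfigured'}; public circuits need 'Internet'")
    label = interface.get("circuit_label")
    if not label:
        findings.append("circuit label missing; circuit belongs to no path group")
    elif label not in hub_labels:
        findings.append(f"circuit label '{label}' matches no DC circuit label")
    return findings


def audit(interfaces, hub_labels):
    """Map each interface name to its list of blockers (empty list = OK)."""
    return {i["name"]: tunnel_blockers(i, hub_labels) for i in interfaces}


# Constructed sample data: labels known at the DC ION and five branch ports.
HUB_LABELS = {"public-1", "public-2"}
BRANCH = [
    {"name": "port1", "role": "Internet", "circuit_label": "public-1"},
    {"name": "port2", "role": "LAN", "circuit_label": "public-2"},
    {"name": "port3", "role": "Internet", "circuit_label": None},
    {"name": "port4", "role": "Internet", "circuit_label": "public-9"},
    {"name": "port5", "role": None, "circuit_label": None},
]

if __name__ == "__main__":
    for name, findings in audit(BRANCH, HUB_LABELS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

DNS and Interface Scope are deliberately not checked, since the text above treats neither as a blocker for tunnel formation once the Controller is reachable.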