How to Verify if IPSec Tunnel Monitoring is Working
Symptom
Overview
IPSec Tunnel Monitoring is a mechanism that sends periodic pings to the monitored IP address, sourced from the IP address of the tunnel interface. The interval between pings is specified in the Monitor Profile (Network > Network Profiles > Monitor > Interval).
Note: The monitored IP address is configured at: Network > IPSec Tunnels > General Tab > Destination IP.
Environment
- Palo Alto Networks firewall
- PAN-OS 9.1
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
Resolution
Details
To check if the tunnel monitoring is up or down, use the following command:
> show vpn flow
id name state monitor local-ip peer-ip tunnel-i/f
------------------------------------------------------------------------------------
1 tunnel-to-remote active up 10.66.24.94 10.66.24.95 tunnel.2
The above output shows that the monitor status is "up".
To verify the count of these pings, use the show vpn flow tunnel-id <id> command.
For example:
> show vpn flow tunnel-id 1
tunnel tunnel-to-remote
id: 1
type: IPSec
gateway id: 1
local ip: 10.66.24.94
peer ip: 10.66.24.95
inner interface: tunnel.2
outer interface: ethernet1/3
state: active
session: 6443
tunnel mtu: 1436
lifetime remain: 2663 sec
latest rekey: 937 seconds ago
monitor: on
monitor status: up
monitor interval: 3 seconds
monitor threshold: 5 probe losses
monitor packets sent: 739180
monitor packets recv: 732283
monitor packets seen: 584
monitor packets reply: 584
en/decap context: 76
local spi: F18E58FF
remote spi: B90FCFB2
In the above output:
monitor packets sent - Number of monitor pings sent by this firewall.
monitor packets recv - Number of replies received to the pings sent.
monitor packets seen - Number of monitor packets received from the remote side probing this firewall.
monitor packets reply - Number of replies sent in response to "monitor packets seen". This counter increments only if the remote side's requests were addressed to the tunnel interface IP.
To see the live run-time state of a particular tunnel, run the following command:
> show running tunnel flow tunnel-id 1 | match monitor
monitor: on
monitor status: up
monitor interval: 3 seconds
monitor threshold: 5 probe losses
monitor packets sent: 739180
monitor packets recv: 732283
monitor packets seen: 584
monitor packets reply: 584
If the monitor is "on" but the monitor status is "down" for any reason, you will see that "monitor packets sent" keeps incrementing while "monitor packets recv" stays constant. Even when both the tunnel and the monitor status are down, the firewall keeps sending monitor pings at the configured interval, so "monitor packets sent" continues to grow.
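The counter interpretation above can be automated: the following added example (not Palo Alto Networks code) parses two snapshots of the "| match monitor" listing taken some time apart and reports whether probes are going unanswered or whether the remote side's probes are not reaching the tunnel interface IP. The snapshot text is constructed from the article's listing, and the time between snapshots is assumed to be long enough for the counters to move.

```python
import re

# Two constructed snapshots of the "| match monitor" listing, values modelled on the article.
SNAPSHOT_T0 = """\
monitor: on
monitor status: up
monitor interval: 3 seconds
monitor threshold: 5 probe losses
monitor packets sent: 739180
monitor packets recv: 732283
monitor packets seen: 584
monitor packets reply: 584
"""
# Later snapshot: status flipped to down, "sent" keeps growing, "recv" is frozen.
SNAPSHOT_T1 = """\
monitor: on
monitor status: down
monitor interval: 3 seconds
monitor threshold: 5 probe losses
monitor packets sent: 739200
monitor packets recv: 732283
monitor packets seen: 590
monitor packets reply: 584
"""

LINE_RE = re.compile(r"^monitor(?: (.+?))?: (.+)$", re.MULTILINE)

def parse_monitor(text):
    # Returns e.g. {'enabled': True, 'status': 'up', 'interval': 3, 'sent': 739180, ...}
    out = {}
    for key, val in LINE_RE.findall(text):
        if key == "":                               # bare "monitor: on|off" line
            out["enabled"] = val == "on"
        elif key == "status":                       # "up" / "down"
            out["status"] = val
        elif key.startswith("packets "):            # sent / recv / seen / reply counters
            out[key.split()[1]] = int(val)
        else:                                       # interval (seconds), threshold (probes)
            out[key] = int(val.split()[0])
    return out

def assess(t0, t1):
    # Compare two parsed snapshots and return findings for the operator.
    d_sent, d_recv = t1["sent"] - t0["sent"], t1["recv"] - t0["recv"]
    findings = []
    if t1["status"] == "down" and d_sent > 0 and d_recv == 0:
        findings.append("probes still sent but no replies: peer unreachable through the tunnel")
    if t1["seen"] - t0["seen"] > t1["reply"] - t0["reply"]:
        findings.append("remote probes seen but not answered: remote is not probing our tunnel interface IP")
    return findings or ["healthy"]
```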
Note: Whenever the tunnel goes down, the Palo Alto Networks firewall generates an event under system logs (severity is set to critical). Notifications are generated if an email alert profile is configured for critical logs. Please review the following document for more information: How to Configure Email Alerts for System Logs?
Additional Information
See Also
Dead Peer Detection and Tunnel Monitoring
CLI Commands to Status, Clear, Restore, and Monitor an IPSec VPN Tunnel