IPSEC-Tunnel Monitoring "tunnel-status-down"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSEC-Tunnel Monitoring "tunnel-status-down"

I`ve created some IPSEC-Tunnel .

Now I try to monitor the connection using "Tunnel Monitor" option.

During the commit off the configration to the applince I'll see in System - LOG:   

example:

     10/10 11:26:52 vpn; informational;  tunnel-status-up; VPN_TEST:t_test; Tunnel VPN_Test:t_test is up

some seconds later

     10/10/11:27:03 vpn; low; tunnel-status-down; VPN_TEST:t_test; Tunnel VPN_Test:t_test is down

Later I never can see, any  "monitor status is up" - message again,  but the ipsec-tunnel is working well.

Has anybody a the same problem resoved yet?

Annotation:

The asscociated interface "tunnel.x" has a valid IP adress, the tunnel endpoint also.

From CLI  a ping to the tunnel endpoint-IP with sourceaddress of the tunnel.x - interface works fine.

          ping source 172.20.49.8 host 172.20.22.1

1 accepted solution

Accepted Solutions

L4 Transporter

There has been a bug identified in 4.0.5 in which the tunnel monitor packets do not get sent over the tunnel properly. This causes the VPN tunnel monitor to improperly report the tunnel as down and will keep trying to rekey the tunnel. Currently the only workaround in 4.0.5 is to disable tunnel monitoring or downgrade to 4.0.4. *Correction* This will be fixed in 4.0.7.

- Stefan

View solution in original post

8 REPLIES 8

L6 Presenter

Are you saying that this issue only took place upon a commit and that the tunnel is consistently staying up? What PANOS are you running?

also: what hardware platform are you using?

-Benjamin


I  running PanOS 4.05 on Hardware PA2050.

The tunnel works fine all the time. The problem is only in using the monitoring feature.

The feature checks the health of the remote system. If the threshold(number of pings missed) is met, the PAdevice will tear down the local tunnel, clearing the SA's and will force an IKE rekey event. Are you not seeing this in the syslogs?

L4 Transporter

There has been a bug identified in 4.0.5 in which the tunnel monitor packets do not get sent over the tunnel properly. This causes the VPN tunnel monitor to improperly report the tunnel as down and will keep trying to rekey the tunnel. Currently the only workaround in 4.0.5 is to disable tunnel monitoring or downgrade to 4.0.4. *Correction* This will be fixed in 4.0.7.

- Stefan

Could it be that this bug is back in OS 4.1.6? We're also having problems with some VPN tunnels.

We have around 20 VPN tunnels configured with tunnel monitoring on most of them. For two tunnels we had to disable the monitoring feature because these tunnels got re-keyed constantly (every 30 seconds). The monitor is configured with 10 sec interval and 3 retries.

Some debugging-hours later we are sure that the remote firewall gets the ping packets and send a reply. Why the PA firewall doesn't recognize/process this ping reply - we don't know. The VPN settings are the same, on both ends (IP and PSK vary of course). Any ideas how we can further troubleshoot the issue on the PA device? I didn't found much documentation on monitor debugging...

Regards,

Oliver

By the way, is rkalugdan's answer really correct that the monitor will delete the SA's ? The following doc tells another story: https://live.paloaltonetworks.com/docs/DOC-2826

I think I found the reason for the constant re-keying. The two tunnels mentioned have two Proxy IDs configured:

PA-ProxyIDs.png

If we remove the 2nd entry the tunnel monitoring seems to work just fine...

I'm wondering if this bug came back in 5.0.2 also...  I've got a fully meshed vpn network of 5 PA's that are connected on fiber as well as broadband.   Everything works and is pingable, with the exception of two of the sites are unable to ping each other on the inside tunnel IP address.  I get a constant rekey every couple of seconds.  Disabling monitor causes the tunnel to stay up and remain stable.

  • 1 accepted solution
  • 10212 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!