https://live.paloaltonetworks.com/t5/next-generation-firewall/path-monitor-setup-using-tunnel-interface/m-p/528228#M799 <P>Setting up a path monitor on a static route where source is a tunnel interface.&nbsp;</P> <P>I am able to ping from CLI with tunnel interface IP as source. But the route does not get installed.</P> <P>&nbsp;</P> <P>ping source 10.0.0.1 host 4.2.2.2<BR />PING 4.2.2.2 (4.2.2.2) from 10.0.0.1 : 56(84) bytes of data.<BR />64 bytes from 4.2.2.2: icmp_seq=280 ttl=57 time=21.4 ms<BR />64 bytes from 4.2.2.2: icmp_seq=281 ttl=57 time=21.3 ms<BR />64 bytes from 4.2.2.2: icmp_seq=282 ttl=57 time=21.5 ms</P> <P>&nbsp;</P> <P>Remote side is Azure and doesn't support tunnel interface with an IP. And I don't want to rely on any single Azure resource IP which might get deleted by someone else&nbsp; bringing tunnel down.</P> <P>&nbsp;</P> <P>With static route I would be able to use multiple remote IP's for monitoring.</P> <P>And I need to monitor it so I can remove associated routes so traffic transfers to 2nd tunnel using another internet link</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 558px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47346i5DBDA53728D185EB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Mon, 23 Jan 2023 20:42:16 GMT raji_toor 2023-01-23T20:42:16Z https://live.paloaltonetworks.com/t5/next-generation-firewall/path-monitor-setup-using-tunnel-interface/m-p/528228#M799 <P>Setting up a path monitor on a static route where source is a tunnel interface.&nbsp;</P> <P>I am able to ping from CLI with tunnel interface IP as source. But the route does not get installed.</P> <P>&nbsp;</P> <P>ping source 10.0.0.1 host 4.2.2.2<BR />PING 4.2.2.2 (4.2.2.2) from 10.0.0.1 : 56(84) bytes of data.<BR />64 bytes from 4.2.2.2: icmp_seq=280 ttl=57 time=21.4 ms<BR />64 bytes from 4.2.2.2: icmp_seq=281 ttl=57 time=21.3 ms<BR />64 bytes from 4.2.2.2: icmp_seq=282 ttl=57 time=21.5 ms</P> <P>&nbsp;</P> <P>Remote side is Azure and doesn't support tunnel interface with an IP. And I don't want to rely on any single Azure resource IP which might get deleted by someone else&nbsp; bringing tunnel down.</P> <P>&nbsp;</P> <P>With static route I would be able to use multiple remote IP's for monitoring.</P> <P>And I need to monitor it so I can remove associated routes so traffic transfers to 2nd tunnel using another internet link</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 558px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47346i5DBDA53728D185EB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Mon, 23 Jan 2023 20:42:16 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/path-monitor-setup-using-tunnel-interface/m-p/528228#M799 raji_toor 2023-01-23T20:42:16Z https://live.paloaltonetworks.com/t5/next-generation-firewall/path-monitor-setup-using-tunnel-interface/m-p/528241#M800 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56221">@raji_toor</a>&nbsp;</P> <P>&nbsp;</P> <P>With the All condition you are saying that when there is no connectivity to 172.19.252. "and" 4.2.2.2.2.</P> <P>&nbsp;</P> <P>Now the best recommendation is to ping at least 2 or 3 IPs from the other end. If the other end cannot place an IP on its tunnel interface, there is no problem, as long as that IP is allowed through the tunnel, i.e. through the interesting traffic of the IPSEC tunnel, there will be no problem if only from your source you ping the IP that you assign to your tunnel that is allowed in the tunnel.</P> <P>&nbsp;</P> <P>Now if you have a route with metric 10 and with a path-monitoring, the idea is that when this failure condition occurs, the route will be removed from the FIB and the route will be added, the route to the same destination, but with metric 30 for example, will take the place.</P> <P>&nbsp;</P> <P>Best regards</P> Mon, 23 Jan 2023 23:37:31 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/path-monitor-setup-using-tunnel-interface/m-p/528241#M800 Metgatz 2023-01-23T23:37:31Z https://live.paloaltonetworks.com/t5/next-generation-firewall/path-monitor-setup-using-tunnel-interface/m-p/529347#M833 <P>My mistake was I was not trying to ping IP on the other end of the tunnel. Instead just pinging a public IP. I was thinking if internet is down tunnel is down anyways.&nbsp;Pinging an IP across the tunnel within Azure works.&nbsp;</P> Tue, 31 Jan 2023 18:58:45 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/path-monitor-setup-using-tunnel-interface/m-p/529347#M833 raji_toor 2023-01-31T18:58:45Z