topic Re: IPSEC-Tunnel Monitoring "tunnel-status-down" in General Topics

IPSEC-Tunnel Monitoring "tunnel-status-down"

rainer.kranz@sab.sachsen.de — Mon, 10 Oct 2011 09:52:05 GMT

I`ve created some IPSEC-Tunnel .

Now I try to monitor the connection using "Tunnel Monitor" option.

During the commit off the configration to the applince I'll see in System - LOG:

example:

10/10 11:26:52 vpn; informational; tunnel-status-up; VPN_TEST:t_test; Tunnel VPN_Test:t_test is up

some seconds later

10/10/11:27:03 vpn; low; tunnel-status-down; VPN_TEST:t_test; Tunnel VPN_Test:t_test is down

Later I never can see, any "monitor status is up" - message again, but the ipsec-tunnel is working well.

Has anybody a the same problem resoved yet?

Annotation:

The asscociated interface "tunnel.x" has a valid IP adress, the tunnel endpoint also.

From CLI a ping to the tunnel endpoint-IP with sourceaddress of the tunnel.x - interface works fine.

ping source 172.20.49.8 host 172.20.22.1

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

gswcowboy — Mon, 10 Oct 2011 17:32:50 GMT

Are you saying that this issue only took place upon a commit and that the tunnel is consistently staying up? What PANOS are you running?

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

bpappas — Mon, 10 Oct 2011 21:01:10 GMT

also: what hardware platform are you using?

-Benjamin

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

rainer.kranz@sab.sachsen.de — Tue, 11 Oct 2011 07:29:20 GMT

I running PanOS 4.05 on Hardware PA2050.

The tunnel works fine all the time. The problem is only in using the monitoring feature.

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

gswcowboy — Tue, 11 Oct 2011 17:13:54 GMT

The feature checks the health of the remote system. If the threshold(number of pings missed) is met, the PAdevice will tear down the local tunnel, clearing the SA's and will force an IKE rekey event. Are you not seeing this in the syslogs?

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

sspringer — Wed, 12 Oct 2011 07:13:53 GMT

There has been a bug identified in 4.0.5 in which the tunnel monitor packets do not get sent over the tunnel properly. This causes the VPN tunnel monitor to improperly report the tunnel as down and will keep trying to rekey the tunnel. Currently the only workaround in 4.0.5 is to disable tunnel monitoring or downgrade to 4.0.4. *Correction* This will be fixed in 4.0.7.

- Stefan

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

oschuler — Tue, 14 Aug 2012 14:33:33 GMT

Could it be that this bug is back in OS 4.1.6? We're also having problems with some VPN tunnels.

We have around 20 VPN tunnels configured with tunnel monitoring on most of them. For two tunnels we had to disable the monitoring feature because these tunnels got re-keyed constantly (every 30 seconds). The monitor is configured with 10 sec interval and 3 retries.

Some debugging-hours later we are sure that the remote firewall gets the ping packets and send a reply. Why the PA firewall doesn't recognize/process this ping reply - we don't know. The VPN settings are the same, on both ends (IP and PSK vary of course). Any ideas how we can further troubleshoot the issue on the PA device? I didn't found much documentation on monitor debugging...

Regards,

Oliver

By the way, is rkalugdan's answer really correct that the monitor will delete the SA's ? The following doc tells another story: https://live.paloaltonetworks.com/docs/DOC-2826

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

oschuler — Thu, 16 Aug 2012 11:19:03 GMT

I think I found the reason for the constant re-keying. The two tunnels mentioned have two Proxy IDs configured:

If we remove the 2nd entry the tunnel monitoring seems to work just fine...

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

rkramer — Mon, 04 Feb 2013 15:36:45 GMT

I'm wondering if this bug came back in 5.0.2 also... I've got a fully meshed vpn network of 5 PA's that are connected on fiber as well as broadband. Everything works and is pingable, with the exception of two of the sites are unable to ping each other on the inside tunnel IP address. I get a constant rekey every couple of seconds. Disabling monitor causes the tunnel to stay up and remain stable.