https://live.paloaltonetworks.com/t5/general-topics/problem-with-ipsec-tunnel-monitor/m-p/24647#M17949 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>We have an issue with one IPSec site-to-site tunnel. The PAN usually doesn't recognize when a tunnel is down. We can correct this by setting up monitors on all tunnels with a "wait-recover" action after 3 subsequent failures. This works for all tunnels except one:</P><P></P><P>&lt;please see tunnel config in attachments - for an unknown reason I cannot embed images with Google Chrome&gt;</P><P></P><P>The special thing about this tunnel is the Proxy ID containing two public IP subnets. In order for communication to work correctly, we had to add a Source-NAT rule so that all traffic destined for 222.222.222.248/30 would be source-NATed to 111.111.111.214 before sent out of tunnel.8000 interface.</P><P></P><P>With this setup, we can ping the IP address 222.222.222.249 without any problem. But it looks like the firewall itself can not. We assume that self-generated pings might use a different processing chain than other packets and might not get source-NATed. Anyhow, the problem is that the tunnel monitor pinging 222.222.222.249 times out after x subsequent failures and re-initializes the tunnel. This is pretty annoying.</P><P></P><P>Does anyone have an idea what we could do to setup a proper monitor for such a tunnel? Your help is much appreciated.</P><P></P><P>Thanks,</P><P>Oliver</P></BODY></HTML> Tue, 04 Dec 2012 17:36:13 GMT oschuler 2012-12-04T17:36:13Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-ipsec-tunnel-monitor/m-p/24647#M17949 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>We have an issue with one IPSec site-to-site tunnel. The PAN usually doesn't recognize when a tunnel is down. We can correct this by setting up monitors on all tunnels with a "wait-recover" action after 3 subsequent failures. This works for all tunnels except one:</P><P></P><P>&lt;please see tunnel config in attachments - for an unknown reason I cannot embed images with Google Chrome&gt;</P><P></P><P>The special thing about this tunnel is the Proxy ID containing two public IP subnets. In order for communication to work correctly, we had to add a Source-NAT rule so that all traffic destined for 222.222.222.248/30 would be source-NATed to 111.111.111.214 before sent out of tunnel.8000 interface.</P><P></P><P>With this setup, we can ping the IP address 222.222.222.249 without any problem. But it looks like the firewall itself can not. We assume that self-generated pings might use a different processing chain than other packets and might not get source-NATed. Anyhow, the problem is that the tunnel monitor pinging 222.222.222.249 times out after x subsequent failures and re-initializes the tunnel. This is pretty annoying.</P><P></P><P>Does anyone have an idea what we could do to setup a proper monitor for such a tunnel? Your help is much appreciated.</P><P></P><P>Thanks,</P><P>Oliver</P></BODY></HTML> Tue, 04 Dec 2012 17:36:13 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-ipsec-tunnel-monitor/m-p/24647#M17949 oschuler 2012-12-04T17:36:13Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-ipsec-tunnel-monitor/m-p/24648#M17950 <HTML><HEAD></HEAD><BODY><P>Anyone any idea?</P></BODY></HTML> Mon, 10 Dec 2012 20:10:31 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-ipsec-tunnel-monitor/m-p/24648#M17950 oschuler 2012-12-10T20:10:31Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-ipsec-tunnel-monitor/m-p/24649#M17951 <HTML><HEAD></HEAD><BODY><P>Place IP address on the tunnel interfaces on both end (i.e. 192.168.1.0/30, 192.168.1.1 on one side and 192.168.1.2 on the other side) and monitor the IP address on the other tunnel interface (i.e. 192.168.1.1 would monitor 192.168.1.2 and visa versa).&nbsp; The 192.168.1.0/30 is a directly connected route.</P></BODY></HTML> Fri, 01 Nov 2013 14:26:38 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-ipsec-tunnel-monitor/m-p/24649#M17951 JimS2 2013-11-01T14:26:38Z