topic Re: IPSEC VPN tunnel monotor showing down in General Topics

IPSEC VPN tunnel monotor showing down

fatboy1607 — Fri, 02 Aug 2019 09:32:18 GMT

We have configured Tunnel Monitor for IPSEC VPN to monitor IP Peer side server.

My query is I dont see ping packet intiated by tunnel interface towards destination IP on firewall logs.

Though in show vpn tunnel-flow id I can see monitor packets sent incrementing

does source packet gets encrypted inside tunnel ?

Re: IPSEC VPN tunnel monotor showing down

myky — Fri, 02 Aug 2019 12:50:21 GMT

Hi,

Do you see an increment in the received packet counter? This KB explains very well expected behaviour:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloYCAS

Traffic will be encrypted for sure, so only ESP should be visible in the traffic log, however, this is FW's own traffic (initiated by the device) so l am not 100% sure if it will be logged.

Ensure monitored host responds to the ICMP from the remote subnet (in our case FW's tunnel interface IP)

Thx,

Myky

Re: IPSEC VPN tunnel monotor showing down

fatboy1607 — Tue, 06 Aug 2019 12:15:55 GMT

IN attached KB it says we need to allow ICMP between Tunnel Interface and Remote IP ( Tunnel Monitor IP ) if Peer device is not Palo alto.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR3CAK

That does say to me traffic is not getting encrypted inside tunnel ?

But strange that is I dont see ICMP packets in traffic monitor so it contradicts for KB say

Re: IPSEC VPN tunnel monotor showing down

myky — Tue, 06 Aug 2019 12:56:35 GMT

All traffic will be encrypted inside the tunnel. Get the PCAP from the server side, check for ICMP traffic and if it arrives, ensure your server responses to the requests.

Re: IPSEC VPN tunnel monotor showing down

fatboy1607 — Thu, 08 Aug 2019 06:23:48 GMT

peer side is Azure we cannot run pcap there

Re: IPSEC VPN tunnel monotor showing down

myky — Thu, 08 Aug 2019 07:07:50 GMT

You should be able to run the PCAP on the actual server.

Re: IPSEC VPN tunnel monotor showing down

aleksandar.astardzhiev — Fri, 09 Aug 2019 07:21:21 GMT

Hi @fatboy1607,

- ICMP packets generated by tunnel monitor are not logged

- Packet capture on the firewall cannot capture those packets

- The only way to see if tunnel monitor is sending and receiving (if receiving) packets is via the comman you already know > show vpn tunnel-flow id

The ping packets generated by tunnel monitor ARE definately encrypted and send try the tunnel, that is the whole point of the tunnel monitor, to see if both phases of the IPsec tunnel are up and actual traffic can pass through it.

The common reason for your tunnel monitor to show down is - proxy id. If your tunnel is using multiple proxy id, tunnel monitor will fail. For more details see my comment in the following post - Fail-over VPN site-to-site