topic Re: Path Monitor... source IP must be within the same subnet as destination? in General Topics

Path Monitor... source IP must be within the same subnet as destination?

Royalfr — Fri, 25 Oct 2019 13:50:50 GMT

I'm trying to monitor the availability of one tunnel, to re-route the same destination traffic into a second tunnel. The other side can't do routing protocols right now--which would solve this easily. I hoped to find a non-manual way to fail over.

I read in a discussion that the SOURCE IP and destination IP have to be in a single network. The documentation didn't mention this. If that is true, essentially this is designed to test a basic /30 circuit or a "can I see my default gateway?" test. And really nothing more. Calling a zero-hop distance (same broadcast domain) a "path" monitor is stretching the word path. Routing Gateway Monitor is more appropriate. Also the documentation (copied below) says you can have eight destinations. Having that many without being able to go beyond the gateway... really limits this to ... testing my two ISPs, or three ISPs and there are so many other ways that gets accomplished in the real world.

Obviously none of the REMOTE IPs of a typical VPN between corporations are going to be in the same local subnet as any IP I can assign to my firewall. Cisco's DMVPN is structured to simulate a subnet between all the ipsec endpoints.

So I'm not sure if there is anything in the PA's features that would let me manipulate routes without a routing protocol. I have a second route with a lower admin cost. But it doesn't work like Cisco where a route pointed to an interface(the tunnel) becomes invalid when the interface is down.

Add a monitored destination by Name.
You can add up to eight monitored destinations per static route.
For Source IP, select the IP address that the firewall uses in the ICMP ping to the monitored destination:
If you select an interface, the firewall uses the first IP address assigned to the interface by default. If the interface has multiple IP addresses, select one.
If you select DHCP (Use DHCP Client address), the firewall uses the address that DHCP assigned to the interface.

Re: Path Monitor... source IP must be within the same subnet as destination?

jdelio — Fri, 25 Oct 2019 16:39:45 GMT

Looking at the Admin guide, it talks about Static Route Removal using Path Monitoring, and the IP address does not appear to be in the same network.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring.html#id8e1a8449-a208-4631-b3d3-34457d03f8cb

Alternatively, if you monitor the tunnel IP, then that IP can be whatever you want it to be.

Re: Path Monitor... source IP must be within the same subnet as destination?

Royalfr — Fri, 25 Oct 2019 18:18:55 GMT

The interesting thing about that graphic... which seems to reflect exactly what I want to do.... is that the Eth ports of the firewall don't disclose the mask, and the destinations being monitored are all within a class C. 192.0.2.xx So I can't say that others i the LIVEcommunity are incorrect when they've written that they must be in a single subnet.

My reality is that when I try to enter a SOURCE IP in the dialog box, it only accepts two things:

The DHCP option in the Dropdown,

OR create a NEW X VARIABLE
I could create multiple VARIABLES all pointing to a single loopback as a source... but that seems like one wrong on top of another wrong. It would not let me create one VARIABLE with the FWs loopback and re-use that in multiple monitors. It refused to allow me to use the same variable twice. (Frankly, I've never used variables, so my understanding there is weak.)

The documentation for removing static routes with Path Monitoring says enter an IP or name an Interface. It won't accept any IPs or any interfaces. Even an IP within the Route isn't accepted. Destination IP I can put any IP. 1.1.1.1 or 20.200.200.200 doesn't matter what it is. But source I can't get it to accept anything that makes sense.