topic Re: tunnel monitor with VPN tunnel in passive mode in General Topics

tunnel monitor with VPN tunnel in passive mode

Carracido — Tue, 25 Feb 2020 17:56:57 GMT

Hello community,

Do you think if having tunnel monitor for an IPSec tunnel in passive mode makes any benefit?

When tunnel monitor detects tunnel down, the firewall would attempt to accelerate the recovery by negotiating new IPSec keys. If firewall in passive node it wouldn´t be able to initiate the negotiations from its side in order to reestablish the tunnel, am I right?

Thank you in advance!

Re: tunnel monitor with VPN tunnel in passive mode

BPry — Wed, 26 Feb 2020 03:13:47 GMT

@Carracido wrote:
If firewall in passive node it wouldn´t be able to initiate the negotiations from its side in order to reestablish the tunnel, am I right?

If the firewall is passive it doesn't even bring up it's tunnel interfaces, all of that is going to be handled by your active node.

Re: tunnel monitor with VPN tunnel in passive mode

aleksandar.astardzhiev — Wed, 26 Feb 2020 08:46:57 GMT

Hi @Carracido,

The passive member disabled it routing engine. That way the firewall is not able to initiate or response to any packet send to its dataplane interfaces. Think for the tunnel monitor the same way as the HA path-monitor.

- Both (tunnel monitor and path-monitor) as simple icmp ping packets generated by the FW waiting for response

- When the member is in passive mode it is not able to generate those ping packets so both monitors are inactive

Re: tunnel monitor with VPN tunnel in passive mode

Carracido — Wed, 26 Feb 2020 09:15:08 GMT

Thanks so much for your answers!

I have another question:

Tunnel monitor is Palo Alto proprietary and as far as I know it should be use between Palo Alto peers to work optimally, am I right?

Considering this if having a VPN between Palo Alto device and another vendor device, would path monitoring for a static route work similar than tunnel monitor?

My idea is that sourcing the path-monitoring pings from the tunnel IP to remote peer´s IP could keep the tunnel up like tunnel monitoring does. (Not having the firewall in passive mode of course)

Thank you in advance!

Re: tunnel monitor with VPN tunnel in passive mode

kgopichand — Sun, 01 Mar 2020 02:47:29 GMT

Q1 ) Tunnel monitor is Palo Alto proprietary and as far as I know it should be use between Palo Alto peers to work optimally, am I right?

Yes , tunnel monitor is Palo Alto Networks proprietary protocol.

Please see this link for more details.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFaCAK#:~:text=

Q2 ) Considering this if having a VPN between Palo Alto device and another vendor device, would path monitoring for a static route work similar than tunnel monitor?

In essence , the goal of path monitoring and tunnel monitoring are the same , but there are some differences.

In Path Monitoring , If “all” or “any” of the monitored destinations for the static route are unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.

There are two possible actions that can be taken if a monitored destination fails with tunnel monitoring.
1) Wait recover. Wait for the tunnel to recover; do not take additional action.
2) Failover.Traffic will fail over to a backup path, if one is available. The firewall uses routing table lookup to determine routing for the duration of this session.

Q) My idea is that sourcing the path-monitoring pings from the tunnel IP to remote peer´s IP could keep the tunnel up like tunnel monitoring does. (Not having the firewall in passive mode of course)

The function of Path monitoring and Tunnel monitoring is not to keep the “tunnel up” .
It is used to just monitor if a destination is reachable or not.

If you still have any questions, please open a support ticket and one of us will help you.

Kavi