topic Re: Ipsec down after enabled tunnel monitor in General Topics

Ipsec down after enabled tunnel monitor

Ahmad_ElKilany — Tue, 15 Dec 2020 12:48:34 GMT

I have tunnel ipsec site to site vpn after enabling tunnel monitor tunnel status is down although phase 1 and phase 2 are up.

Version 9.0.9-h1

Re: Ipsec down after enabled tunnel monitor

Thyrion — Tue, 15 Dec 2020 19:07:22 GMT

if both phases are still showing green ,the tunnel is actually up

how did you set the monitoring profile? have you tested pinging the remote IP for reachability before enabling tunnel monitoring?

double check if your security policy allows pinging the remote IP, double check if there is a need for additional routes or proxy-IDs for the remote IP, check if the IP is accepting ping (it may require a profile to be activated, or an ACL/security policy to be updated before you are able to ping it

Re: Ipsec down after enabled tunnel monitor

MoatasemMetwaly — Tue, 15 Dec 2020 20:04:04 GMT

@Thyrion Thanks for your reply

for the monitoring profile it configured as fail over

and we can reach the pear tunnel IP before enable tunnel monitor

and there is a policy to allow ping

but after enable tunnel monitor the status goes down with no reason

and when we try to ping the peer tunnel IP in this time the reply is Destination Host Unreachable

Re: Ipsec down after enabled tunnel monitor

Thyrion — Tue, 15 Dec 2020 20:33:08 GMT

The 'fail-over' action will bring down the tunnel when the remote peer is unavailable

Do you have a backup tunnel to take over? If not, it is better to hold-wait, else the tunnel has no way of recovering from a fault

Hold-wait will also allow you to troubleshoot your tunnel monitor as it will not kill the tunnel

Re: Ipsec down after enabled tunnel monitor

Ahmad_ElKilany — Wed, 16 Dec 2020 08:23:56 GMT

yes, I have a backup but I reach the peer when I disable the monitor when I enable it the peer is unreachable.

when I enable monitor, the peer unreachable but phase 1&2 green.

Re: Ipsec down after enabled tunnel monitor

aleksandar.astardzhiev — Wed, 16 Dec 2020 13:35:30 GMT

Hi @Ahmad_ElKilany ,

I want first to clarify something - The ICMP probes generated by the tunnel monitor are not passing through the flow module (as explained here).

Which measn:

- The ICMP probes are not passing through the security rules (no need to explicetly allow them)

- No route lookup is performed for those packets

- No logs are generated

- Packet capture cannot capture those packets.

@MoatasemMetwaly, @Ahmad_ElKilany , the whole purpose of the tunnel monitor is to logically mark the tunnel as not working even if the phases are up. So if you see phase1 and phase 2 green, but status is red, this means that the IPsec tunnel (and phase1 & 2 settings are correct), but for some reason the pings generated by the tunnel monitor are dropped and FW is not receiving replies.

I would suggest you to check my comments here - https://live.paloaltonetworks.com/t5/general-topics/fail-over-vpn-site-to-site/m-p/249792/highlight/true#M71033

But in summary - My experiance so far shows that in most cases the tunnel monitor fails, because it doesn't match the Proxy-ID/Interesting traffic/Encryption Domains. When you enable tunnel monitor, firewall will use the IP address assinged on the logical tunnel interface as source IP for the ping packet and destination the monitored IP you are using. After that it will send those packets over the tunnel (will encrypt them), however if the source and destination IP does not match the proxy-id the remote device will reject the pings and you end will not receive any reply - marking the tunnel as down.

So:

- Check if the source and destination IP of the probe packets are matching your proxy-id (if you are using any).

- Check what IP are you monitoring, are you pinging the remote peer IP - If I remember correctly long ago the different FW vendors were behaving differently for the traffic send/received to the IPsec tunnel peer IP (some vendors were automatically accepting traffic between peer IPs to be encrypted in the tunnel, but other not)