IPSEC-Tunnel Monitoring "tunnel-status-down"

I've created some IPSEC tunnels.

Now I try to monitor the connection using the "Tunnel Monitor" option.

During the commit of the configuration to the appliance I see in System - LOG:

example:

     10/10 11:26:52 vpn; informational;  tunnel-status-up; VPN_TEST:t_test; Tunnel VPN_Test:t_test is up

Some seconds later:

     10/10/11:27:03 vpn; low; tunnel-status-down; VPN_TEST:t_test; Tunnel VPN_Test:t_test is down

Later I never see any "monitor status is up" message again, but the ipsec-tunnel is working well.

Has anybody resolved the same problem yet?

Annotation:

The associated interface "tunnel.x" has a valid IP address, and so does the tunnel endpoint.

From the CLI a ping to the tunnel endpoint IP with the source address of the tunnel.x interface works fine.

          ping source 172.20.49.8 host 172.20.22.1

L6 Presenter

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

Are you saying that this issue only took place upon a commit and that the tunnel is consistently staying up? What PANOS are you running?

L6 Presenter

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

Also: what hardware platform are you using?

-Benjamin

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

I'm running PanOS 4.05 on PA2050 hardware.

The tunnel works fine all the time. The problem is only in using the monitoring feature.

L6 Presenter

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

The feature checks the health of the remote system. If the threshold (number of pings missed) is met, the PA device will tear down the local tunnel, clearing the SAs, and will force an IKE rekey event. Are you not seeing this in the syslogs?

L4 Transporter

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

There has been a bug identified in 4.0.5 in which the tunnel monitor packets do not get sent over the tunnel properly. This causes the VPN tunnel monitor to improperly report the tunnel as down and will keep trying to rekey the tunnel. Currently the only workaround in 4.0.5 is to disable tunnel monitoring or downgrade to 4.0.4. *Correction* This will be fixed in 4.0.7.

- Stefan

L4 Transporter

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

Could it be that this bug is back in OS 4.1.6? We're also having problems with some VPN tunnels.

We have around 20 VPN tunnels configured with tunnel monitoring on most of them. For two tunnels we had to disable the monitoring feature because these tunnels got re-keyed constantly (every 30 seconds). The monitor is configured with 10 sec interval and 3 retries.

Some debugging hours later we are sure that the remote firewall gets the ping packets and sends a reply. Why the PA firewall doesn't recognize/process this ping reply, we don't know. The VPN settings are the same on both ends (IP and PSK vary of course). Any ideas how we can further troubleshoot the issue on the PA device? I didn't find much documentation on monitor debugging...

Regards,

Oliver

By the way, is rkalugdan's answer really correct that the monitor will delete the SAs? The following doc tells another story: https://live.paloaltonetworks.com/docs/DOC-2826

L4 Transporter

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

I think I found the reason for the constant re-keying. The two tunnels mentioned have two Proxy IDs configured:

(attached screenshot: PA-ProxyIDs.png)

If we remove the 2nd entry the tunnel monitoring seems to work just fine...

L1 Bithead

Re: IPSEC-Tunnel Monitoring "tunnel-status-down"

I'm wondering if this bug came back in 5.0.2 also... I've got a fully meshed VPN network of 5 PAs that are connected on fiber as well as broadband. Everything works and is pingable, with the exception that two of the sites are unable to ping each other on the inside tunnel IP address. I get a constant rekey every couple of seconds. Disabling monitor causes the tunnel to stay up and remain stable.
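Several posters above describe the same symptom: the system log shows tunnel-status-up followed seconds later by tunnel-status-down, repeating as the monitor forces a rekey. The script below is an added example (not from this thread or from Palo Alto Networks) that parses the log line format quoted in the first post and flags tunnels that repeatedly go down shortly after coming up; the sample log lines are constructed, the 60-second window and the two-flap threshold are assumptions, and the log carries no year so only intervals within one log are meaningful.

```python
import re
from collections import defaultdict
from datetime import datetime

# Format of the PAN-OS system-log lines quoted in this thread, e.g.:
#   "10/10 11:26:52 vpn; informational; tunnel-status-up; VPN_TEST:t_test; Tunnel VPN_Test:t_test is up"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+vpn;\s*(?P<sev>\w+);\s*"
    r"(?P<event>tunnel-status-(?:up|down));\s*(?P<obj>[^;]+);"
)

def parse_line(line):
    """Return (timestamp, tunnel object, 'up'|'down'), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d %H:%M:%S")  # the log has no year field
    return ts, m.group("obj").strip(), m.group("event").rsplit("-", 1)[1]

def find_flapping_tunnels(lines, max_up_seconds=60, min_flaps=2):
    """Flag tunnels that go up -> down within max_up_seconds at least min_flaps times.
    Returns {tunnel: [seconds each short 'up' period lasted, ...]} for flagged tunnels only."""
    last_up = {}                      # tunnel -> timestamp of its most recent 'up' event
    short_ups = defaultdict(list)     # tunnel -> durations of up periods that ended quickly
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, tunnel, state = parsed
        if state == "up":
            last_up[tunnel] = ts
        elif tunnel in last_up:       # 'down' following a recorded 'up'
            up_for = (ts - last_up.pop(tunnel)).total_seconds()
            if up_for <= max_up_seconds:
                short_ups[tunnel].append(up_for)
    return {t: d for t, d in short_ups.items() if len(d) >= min_flaps}

# Constructed sample log: t_test flaps as described in the thread, t_stable stays up.
SAMPLE_LOG = """\
10/10 11:26:52 vpn; informational; tunnel-status-up; VPN_TEST:t_test; Tunnel VPN_Test:t_test is up
10/10 11:27:03 vpn; low; tunnel-status-down; VPN_TEST:t_test; Tunnel VPN_Test:t_test is down
10/10 11:27:10 vpn; informational; tunnel-status-up; VPN_HQ:t_stable; Tunnel VPN_HQ:t_stable is up
10/10 11:27:35 vpn; informational; tunnel-status-up; VPN_TEST:t_test; Tunnel VPN_Test:t_test is up
10/10 11:28:05 vpn; low; tunnel-status-down; VPN_TEST:t_test; Tunnel VPN_Test:t_test is down
""".splitlines()

if __name__ == "__main__":
    for tunnel, durations in find_flapping_tunnels(SAMPLE_LOG).items():
        print(f"{tunnel}: went down {len(durations)}x within {max(durations):.0f}s of coming up")
```

A tunnel that is flagged here while traffic through it still passes points at the monitor path (probe source address, proxy IDs, the 4.0.5 bug mentioned above) rather than at the tunnel itself.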
