12-04-2012 09:36 AM
Hello,
We have an issue with one IPSec site-to-site tunnel. The PAN usually doesn't recognize when a tunnel is down. We can correct this by setting up monitors on all tunnels with a "wait-recover" action after 3 subsequent failures. This works for all tunnels except one:
<please see tunnel config in attachments - for an unknown reason I cannot embed images with Google Chrome>
The special thing about this tunnel is the Proxy ID containing two public IP subnets. In order for communication to work correctly, we had to add a Source-NAT rule so that all traffic destined for 222.222.222.248/30 would be source-NATed to 111.111.111.214 before sent out of tunnel.8000 interface.
With this setup, we can ping the IP address 222.222.222.249 without any problem. But it looks like the firewall itself can not. We assume that self-generated pings might use a different processing chain than other packets and might not get source-NATed. Anyhow, the problem is that the tunnel monitor pinging 222.222.222.249 times out after x subsequent failures and re-initializes the tunnel. This is pretty annoying.
Does anyone have an idea what we could do to setup a proper monitor for such a tunnel? Your help is much appreciated.
Thanks,
Oliver
11-01-2013 07:26 AM
Place IP address on the tunnel interfaces on both end (i.e. 192.168.1.0/30, 192.168.1.1 on one side and 192.168.1.2 on the other side) and monitor the IP address on the other tunnel interface (i.e. 192.168.1.1 would monitor 192.168.1.2 and visa versa). The 192.168.1.0/30 is a directly connected route.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
