04-29-2021 05:52 AM
The IPsec tunnel comes up only when there is interesting traffic destined for the tunnel or when the tunnel is manually initiated.
That leads to problems in our monitoring. I'd like to ask if there is a workaround to make the VPN always up without needing to enable tunnel monitoring, because tunnel monitoring must verify connectivity to an IP address on the other side to determine if the tunnel is still usable. That means this IP must be reachable and allowed on the firewall on the other side.
04-29-2021 06:18 AM
Hello
Tunnel monitoring was developed to keep the tunnel up by pinging an IP on the remote side. I do not understand your request for a workaround on a solution that was put into place for the specific requirement you asked about.
04-29-2021 08:17 AM - edited 04-29-2021 08:18 AM
Hi @aabozaid
1) Assign an IP address to the tunnel interface (an IP from the local or trust subnet of the PA).
2) Create a dummy PBF rule, for example source zone Trust, source address any, destination 169.254.16.17, with monitoring enabled, and monitor an IP address from the remote subnet.
It's not mandatory that the remote IP respond to ping.
Expected result:
A PBF rule with monitoring always initiates ping traffic through the tunnel, so your tunnel will always be up.
Thanks,
Ram
04-29-2021 03:48 PM
You can set up a ping on any internal host that continuously pings through the tunnel, but setting up a tunnel monitor will be much more reliable.