This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Ipsec down after enabled tunnel monitor
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Re: Ipsec down after enabled tunnel monitor
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Ipsec down after enabled tunnel monitor
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-15-2020 04:48 AM
I have tunnel ipsec site to site vpn after enabling tunnel monitor tunnel status is down although phase 1 and phase 2 are up.
Version 9.0.9-h1
6 REPLIES 6
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-15-2020 11:07 AM
if both phases are still showing green ,the tunnel is actually up
how did you set the monitoring profile? have you tested pinging the remote IP for reachability before enabling tunnel monitoring?
double check if your security policy allows pinging the remote IP, double check if there is a need for additional routes or proxy-IDs for the remote IP, check if the IP is accepting ping (it may require a profile to be activated, or an ACL/security policy to be updated before you are able to ping it
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-15-2020 12:04 PM
@Thyrion Thanks for your reply
for the monitoring profile it configured as fail over
and we can reach the pear tunnel IP before enable tunnel monitor
and there is a policy to allow ping
but after enable tunnel monitor the status goes down with no reason
and when we try to ping the peer tunnel IP in this time the reply is Destination Host Unreachable
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-15-2020 12:33 PM
The 'fail-over' action will bring down the tunnel when the remote peer is unavailable
Do you have a backup tunnel to take over? If not, it is better to hold-wait, else the tunnel has no way of recovering from a fault
Hold-wait will also allow you to troubleshoot your tunnel monitor as it will not kill the tunnel
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-16-2020 12:23 AM
yes, I have a backup but I reach the peer when I disable the monitor when I enable it the peer is unreachable.
when I enable monitor, the peer unreachable but phase 1&2 green.
Related Content
- After enabling Advanced Routing, all IPsec tunnels are down in Next-Generation Firewall Discussions
- Internal/External Gateway User-id in GlobalProtect Discussions
- IKE phase 1 not working in General Topics
- GP installation issues in GlobalProtect Discussions
- Global protect VPN disconnecting multiple times in GlobalProtect Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks