if both phases are still showing green ,the tunnel is actually up
how did you set the monitoring profile? have you tested pinging the remote IP for reachability before enabling tunnel monitoring?
double check if your security policy allows pinging the remote IP, double check if there is a need for additional routes or proxy-IDs for the remote IP, check if the IP is accepting ping (it may require a profile to be activated, or an ACL/security policy to be updated before you are able to ping it
@Thyrion Thanks for your reply
for the monitoring profile it configured as fail over
and we can reach the pear tunnel IP before enable tunnel monitor
and there is a policy to allow ping
but after enable tunnel monitor the status goes down with no reason
and when we try to ping the peer tunnel IP in this time the reply is Destination Host Unreachable
The 'fail-over' action will bring down the tunnel when the remote peer is unavailable
Do you have a backup tunnel to take over? If not, it is better to hold-wait, else the tunnel has no way of recovering from a fault
Hold-wait will also allow you to troubleshoot your tunnel monitor as it will not kill the tunnel
Hi @Ahmad_ElKilany ,
I want first to clarify something - The ICMP probes generated by the tunnel monitor are not passing through the flow module (as explained here).
- The ICMP probes are not passing through the security rules (no need to explicetly allow them)
- No route lookup is performed for those packets
- No logs are generated
- Packet capture cannot capture those packets.
@MoatasemMetwaly, @Ahmad_ElKilany , the whole purpose of the tunnel monitor is to logically mark the tunnel as not working even if the phases are up. So if you see phase1 and phase 2 green, but status is red, this means that the IPsec tunnel (and phase1 & 2 settings are correct), but for some reason the pings generated by the tunnel monitor are dropped and FW is not receiving replies.
I would suggest you to check my comments here - https://live.paloaltonetworks.com/t5/general-topics/fail-over-vpn-site-to-site/m-p/249792/highlight/...
But in summary - My experiance so far shows that in most cases the tunnel monitor fails, because it doesn't match the Proxy-ID/Interesting traffic/Encryption Domains. When you enable tunnel monitor, firewall will use the IP address assinged on the logical tunnel interface as source IP for the ping packet and destination the monitored IP you are using. After that it will send those packets over the tunnel (will encrypt them), however if the source and destination IP does not match the proxy-id the remote device will reject the pings and you end will not receive any reply - marking the tunnel as down.
- Check if the source and destination IP of the probe packets are matching your proxy-id (if you are using any).
- Check what IP are you monitoring, are you pinging the remote peer IP - If I remember correctly long ago the different FW vendors were behaving differently for the traffic send/received to the IPsec tunnel peer IP (some vendors were automatically accepting traffic between peer IPs to be encrypted in the tunnel, but other not)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!