Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Ipsec down after enabled tunnel monitor

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Ipsec down after enabled tunnel monitor

L1 Bithead

I have tunnel ipsec site to site vpn after enabling tunnel monitor tunnel status is down although phase 1 and phase 2 are up.

Version 9.0.9-h1

5 REPLIES 5

L2 Linker

if both phases are still showing green ,the tunnel is actually up

 

how did you set the monitoring profile? have you tested pinging the remote IP for reachability before enabling tunnel monitoring?

 

double check if your security policy allows pinging the remote IP, double check if there is a need for additional routes or proxy-IDs for the remote IP, check if the IP is accepting ping (it may require a profile to be activated, or an ACL/security policy to be updated before you are able to ping it

@Thyrion Thanks for your reply

for the monitoring profile it configured as fail over

and we can reach the pear tunnel IP before enable tunnel monitor 

and there is a policy to allow ping 

but after enable  tunnel monitor  the status goes down with no reason

and when we try to ping the peer tunnel IP in this time the reply is Destination Host Unreachable

The 'fail-over' action will bring down the tunnel when the remote peer is unavailable

Do you have a backup tunnel to take over? If not, it is better to hold-wait, else the tunnel has no way of recovering from a fault

Hold-wait will also allow you to troubleshoot your tunnel monitor as it will not kill the tunnel

 

 

 

 

 

yes, I have a backup but I reach the peer when I disable the monitor when I enable it the peer is unreachable.

when I enable monitor, the peer unreachable but phase 1&2 green.

 

Hi @Ahmad_ElKilany ,

I want first to clarify something - The ICMP probes generated by the tunnel monitor are not passing through the flow module (as explained here).

Which measn:

- The ICMP probes are not passing through the security rules (no need to explicetly allow them)

- No route lookup is performed for those packets

- No logs are generated

- Packet capture cannot capture those packets.

 

@MoatasemMetwaly, @Ahmad_ElKilany , the whole purpose of the tunnel monitor is to logically mark the tunnel as not working even if the phases are up. So if you see phase1 and phase 2 green, but status is red, this means that the IPsec tunnel (and phase1 & 2 settings are correct), but for some reason the pings generated by the tunnel monitor are dropped and FW is not receiving replies.

 

I would suggest you to check my comments here - https://live.paloaltonetworks.com/t5/general-topics/fail-over-vpn-site-to-site/m-p/249792/highlight/...

But in summary - My experiance so far shows that in most cases the tunnel monitor fails, because it doesn't match the Proxy-ID/Interesting traffic/Encryption Domains. When you enable tunnel monitor, firewall will use the IP address assinged on the logical tunnel interface as source IP for the ping packet and destination the monitored IP you are using. After that it will send those packets over the tunnel (will encrypt them), however if the source and destination IP does not match the proxy-id the remote device will reject the pings and you end will not receive any reply - marking the tunnel as down.

 

So:

- Check if the source and destination IP of the probe packets are matching your proxy-id (if you are using any).

- Check what IP are you monitoring, are you pinging the remote peer IP  - If I remember correctly long ago the different FW vendors were behaving differently for the traffic send/received to the IPsec tunnel peer IP (some vendors were automatically accepting traffic between peer IPs to be encrypted in the tunnel, but other not)

  • 5299 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!