Ipsec down after enabled tunnel monitor

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Ipsec down after enabled tunnel monitor

L1 Bithead

I have tunnel ipsec site to site vpn after enabling tunnel monitor tunnel status is down although phase 1 and phase 2 are up.

Version 9.0.9-h1


L0 Member

I was perusing a portion of your substance on this site and I imagine this web webpage is truly enlightening.





Hi @Ahmad_ElKilany ,

I want first to clarify something - The ICMP probes generated by the tunnel monitor are not passing through the flow module (as explained here).

Which measn:

- The ICMP probes are not passing through the security rules (no need to explicetly allow them)

- No route lookup is performed for those packets

- No logs are generated

- Packet capture cannot capture those packets.


@MoatasemMetwaly, @Ahmad_ElKilany , the whole purpose of the tunnel monitor is to logically mark the tunnel as not working even if the phases are up. So if you see phase1 and phase 2 green, but status is red, this means that the IPsec tunnel (and phase1 & 2 settings are correct), but for some reason the pings generated by the tunnel monitor are dropped and FW is not receiving replies.


I would suggest you to check my comments here - https://live.paloaltonetworks.com/t5/general-topics/fail-over-vpn-site-to-site/m-p/249792/highlight/...

But in summary - My experiance so far shows that in most cases the tunnel monitor fails, because it doesn't match the Proxy-ID/Interesting traffic/Encryption Domains. When you enable tunnel monitor, firewall will use the IP address assinged on the logical tunnel interface as source IP for the ping packet and destination the monitored IP you are using. After that it will send those packets over the tunnel (will encrypt them), however if the source and destination IP does not match the proxy-id the remote device will reject the pings and you end will not receive any reply - marking the tunnel as down.



- Check if the source and destination IP of the probe packets are matching your proxy-id (if you are using any).

- Check what IP are you monitoring, are you pinging the remote peer IP  - If I remember correctly long ago the different FW vendors were behaving differently for the traffic send/received to the IPsec tunnel peer IP (some vendors were automatically accepting traffic between peer IPs to be encrypted in the tunnel, but other not)

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!