Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
10-10-2011 02:52 AM
I`ve created some IPSEC-Tunnel .
Now I try to monitor the connection using "Tunnel Monitor" option.
During the commit off the configration to the applince I'll see in System - LOG:
example:
10/10 11:26:52 vpn; informational; tunnel-status-up; VPN_TEST:t_test; Tunnel VPN_Test:t_test is up
some seconds later
10/10/11:27:03 vpn; low; tunnel-status-down; VPN_TEST:t_test; Tunnel VPN_Test:t_test is down
Later I never can see, any "monitor status is up" - message again, but the ipsec-tunnel is working well.
Has anybody a the same problem resoved yet?
Annotation:
The asscociated interface "tunnel.x" has a valid IP adress, the tunnel endpoint also.
From CLI a ping to the tunnel endpoint-IP with sourceaddress of the tunnel.x - interface works fine.
ping source 172.20.49.8 host 172.20.22.1
10-12-2011 12:13 AM
There has been a bug identified in 4.0.5 in which the tunnel monitor packets do not get sent over the tunnel properly. This causes the VPN tunnel monitor to improperly report the tunnel as down and will keep trying to rekey the tunnel. Currently the only workaround in 4.0.5 is to disable tunnel monitoring or downgrade to 4.0.4. *Correction* This will be fixed in 4.0.7.
- Stefan
10-10-2011 10:32 AM
Are you saying that this issue only took place upon a commit and that the tunnel is consistently staying up? What PANOS are you running?
10-10-2011 02:01 PM
also: what hardware platform are you using?
-Benjamin
10-11-2011 12:29 AM
I running PanOS 4.05 on Hardware PA2050.
The tunnel works fine all the time. The problem is only in using the monitoring feature.
10-11-2011 10:13 AM
The feature checks the health of the remote system. If the threshold(number of pings missed) is met, the PAdevice will tear down the local tunnel, clearing the SA's and will force an IKE rekey event. Are you not seeing this in the syslogs?
10-12-2011 12:13 AM
There has been a bug identified in 4.0.5 in which the tunnel monitor packets do not get sent over the tunnel properly. This causes the VPN tunnel monitor to improperly report the tunnel as down and will keep trying to rekey the tunnel. Currently the only workaround in 4.0.5 is to disable tunnel monitoring or downgrade to 4.0.4. *Correction* This will be fixed in 4.0.7.
- Stefan
08-14-2012 07:33 AM
Could it be that this bug is back in OS 4.1.6? We're also having problems with some VPN tunnels.
We have around 20 VPN tunnels configured with tunnel monitoring on most of them. For two tunnels we had to disable the monitoring feature because these tunnels got re-keyed constantly (every 30 seconds). The monitor is configured with 10 sec interval and 3 retries.
Some debugging-hours later we are sure that the remote firewall gets the ping packets and send a reply. Why the PA firewall doesn't recognize/process this ping reply - we don't know. The VPN settings are the same, on both ends (IP and PSK vary of course). Any ideas how we can further troubleshoot the issue on the PA device? I didn't found much documentation on monitor debugging...
Regards,
Oliver
By the way, is rkalugdan's answer really correct that the monitor will delete the SA's ? The following doc tells another story: https://live.paloaltonetworks.com/docs/DOC-2826
08-16-2012 04:19 AM
I think I found the reason for the constant re-keying. The two tunnels mentioned have two Proxy IDs configured:
If we remove the 2nd entry the tunnel monitoring seems to work just fine...
02-04-2013 07:36 AM
I'm wondering if this bug came back in 5.0.2 also... I've got a fully meshed vpn network of 5 PA's that are connected on fiber as well as broadband. Everything works and is pingable, with the exception of two of the sites are unable to ping each other on the inside tunnel IP address. I get a constant rekey every couple of seconds. Disabling monitor causes the tunnel to stay up and remain stable.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
