11-26-2021 10:36 AM - edited 11-26-2021 10:59 PM
Hi @GnContente ,
Tunnel monitoring works by pinging a destination address on the other side of the tunnel -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-an-ip... Step 9, #2. So, rekeying child SAs will not cause the tunnel monitor to bring the tunnel down. The VPN does not drop during the rekeying process.
The PA does not store a log of the keys unless the debugging level is set to dump -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClinCAC. In general, logging IPsec keys is not a secure practice. The IPsec protocols use a very complicated process to generate secure keys in order not to be compromised -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/site-to-site-vpn-concepts/internet-k.... New keys are renegotiated at regular intervals to provide more security. So, I would never log the keys unless I needed to decrypt the traffic as described in the article.
Thanks,
Tom
11-29-2021 08:09 AM
Hi @TomYoung
Thanks for your reply. I am just trying to understand if there is any relation with tunnel monitoring bringing the tunnel down due to rekeying, which according to your answer has nothing to do with rekeying. Apart from the ping failure within the tunnel and no problems on the physical interface, I am just trying to understand what might have caused those ping failures that ended up bringing the tunnel down. It would be nice to find some documentation that explains how the traffic is encapsulated.
11-29-2021 08:24 AM
Hi @GnContente ,
That is a very good question. If Tunnel Monitoring is configured with a Tunnel Monitoring Profile configured for Fail Over, then lost pings will bring the tunnel down. I had a customer that set up a VPN for a critical printer. He pinged the printer as part of his tunnel monitor configuration. The remote site powered off the printer, and the VPN went down! :-0 Or, the VPN could go down first, resulting in the loss of pings.
The first place I would look is in the system logs to see why the VPN went down. The logs will indicate if tunnel monitoring brought the tunnel down or something else did.
Thanks,
Tom
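A small model of the fail-over behaviour described above, added here as an example (not code from the thread or from Palo Alto Networks): it counts consecutive lost probes, takes the tunnel down at the threshold, ignores child-SA rekeys entirely, and reports how far the last rekey was from the down event. The interval and threshold values, the event names and the timeline are all constructed assumptions; adjust them to your own profile and ping history.

```python
from dataclasses import dataclass, field

# Assumed profile values (PAN-OS documents a 3 s interval and 5-probe threshold
# as defaults; use the values from your own Tunnel Monitoring Profile).
INTERVAL_S = 3
THRESHOLD = 5


@dataclass
class TunnelMonitor:
    """Minimal model of a tunnel monitor whose profile action is 'fail over'."""
    threshold: int = THRESHOLD
    consecutive_fail: int = 0
    tunnel_up: bool = True
    transitions: list = field(default_factory=list)  # (time, state, reason)

    def observe(self, t: int, event: str) -> None:
        if event == "rekey":
            # A child-SA rekey changes keys only; the probe counter is untouched.
            return
        if event == "ping_ok":
            self.consecutive_fail = 0
            if not self.tunnel_up:  # fail over restores once probes succeed again
                self.tunnel_up = True
                self.transitions.append((t, "up", "tunnel monitor: probe answered"))
            return
        if event == "ping_fail":
            self.consecutive_fail += 1
            if self.tunnel_up and self.consecutive_fail >= self.threshold:
                self.tunnel_up = False
                reason = "tunnel monitor: %d consecutive probes lost" % self.consecutive_fail
                self.transitions.append((t, "down", reason))
            return
        raise ValueError("unknown event: %s" % event)


def run(timeline):
    """Replay (seconds, event) pairs and return the state transitions."""
    mon = TunnelMonitor()
    for t, ev in timeline:
        mon.observe(t, ev)
    return mon.transitions


def seconds_since_last_rekey(timeline, t):
    """Gap between a down event at time t and the last rekey before it (None if no rekey)."""
    rekeys = [rt for rt, ev in timeline if ev == "rekey" and rt <= t]
    return t - rekeys[-1] if rekeys else None


# Constructed timeline: a rekey at t=9 followed by successful probes, then the
# monitored host stops answering (the powered-off printer case).
TIMELINE = [(0, "ping_ok"), (3, "ping_ok"), (6, "ping_ok"), (9, "rekey"), (9, "ping_ok"),
            (12, "ping_ok"), (15, "ping_fail"), (18, "ping_fail"), (21, "ping_fail"),
            (24, "ping_fail"), (27, "ping_fail"), (30, "ping_fail"), (33, "ping_ok")]
```

On this timeline the down event lands 18 s after the rekey with successful probes in between, which is the evidence you want when ruling rekeying out as the cause.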
11-29-2021 08:38 AM
Hi @TomYoung, that is what I am trying to figure out. In my case the system logs only state that the tunnel was down, which I understand was due to tunnel monitoring. However, there is no log before or after which can give me a clue as to why it happened.
Regards
11-29-2021 08:43 AM
Hi @GnContente ,
That is strange. Usually the system log tells you why the tunnel went down in the Description column. It is possible it does not in this case. What exactly does the log say?
Thanks,
Tom
11-29-2021 08:55 AM
Hi @TomYoung
It is a bit late for that, the log has already been overwritten. However, if I recall, the description was just saying that the tunnel was down.
thanks