08-02-2019 02:32 AM
We have configured Tunnel Monitor for the IPsec VPN to monitor a server on the IP peer side.
My query is that I don't see the ping packet initiated by the tunnel interface towards the destination IP in the firewall logs.
Though in show vpn tunnel-flow id I can see monitor packets sent incrementing.
Does the source packet get encrypted inside the tunnel?
08-02-2019 04:39 AM - edited 08-02-2019 05:50 AM
Hi,
Do you see an increment in the received packet counter? This KB explains the expected behaviour very well:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloYCAS
Traffic will be encrypted for sure, so only ESP should be visible in the traffic log; however, this is the FW's own traffic (initiated by the device), so I am not 100% sure if it will be logged.
Ensure the monitored host responds to the ICMP from the remote subnet (in our case the FW's tunnel interface IP).
Thx,
Myky
08-06-2019 05:15 AM
In the attached KB it says we need to allow ICMP between the Tunnel Interface and the Remote IP (Tunnel Monitor IP) if the peer device is not Palo Alto.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR3CAK
That says to me that traffic is not getting encrypted inside the tunnel?
But what is strange is that I don't see ICMP packets in the traffic monitor, so it contradicts what the KB says.
08-06-2019 05:56 AM
All traffic will be encrypted inside the tunnel. Get the PCAP from the server side, check for ICMP traffic, and if it arrives, ensure your server responds to the requests.
08-07-2019 11:23 PM
The peer side is Azure; we cannot run a pcap there.
08-08-2019 12:07 AM
You should be able to run the PCAP on the actual server.
08-09-2019 12:21 AM
Hi @fatboy1607,
- ICMP packets generated by tunnel monitor are not logged
- Packet capture on the firewall cannot capture those packets
- The only way to see if tunnel monitor is sending and receiving (if receiving) packets is via the command you already know > show vpn tunnel-flow id
The ping packets generated by tunnel monitor ARE definitely encrypted and sent through the tunnel; that is the whole point of the tunnel monitor, to see if both phases of the IPsec tunnel are up and actual traffic can pass through it.
The common reason for your tunnel monitor to show down is proxy ID. If your tunnel is using multiple proxy IDs, tunnel monitor will fail. For more details see my comment in the following post - Fail-over VPN site-to-site
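Since the thread establishes that the monitor's ICMP is neither logged nor capturable on the firewall, the only evidence is the sent/received counters from `show vpn tunnel-flow id`. The following is an added example (not code from the thread, nor a Palo Alto Networks tool) that compares two snapshots of those counters and classifies the result: sent not moving, sent moving but nothing received (the case the original poster describes, pointing at the peer not answering ICMP or a proxy-ID mismatch), or healthy. The text layout and the field names `monitor packets sent` / `monitor packets recv` are constructed assumptions for this example; adjust the regex to the real CLI output before using it.

```python
"""Classify IPsec tunnel-monitor health from two counter snapshots.

Added example, not part of the thread. The snapshot format below is
CONSTRUCTED and the field names are assumptions; the real
`show vpn tunnel-flow id <id>` output may differ, so adapt _COUNTER_RE.
"""
import re

# Constructed sample output: two snapshots a few seconds apart.
SNAPSHOT_BEFORE = """\
tunnel  azure-vpn
        id:                     5
        monitor packets sent:   120
        monitor packets recv:   0
"""

SNAPSHOT_AFTER = """\
tunnel  azure-vpn
        id:                     5
        monitor packets sent:   126
        monitor packets recv:   0
"""

# Assumed field names; change to match the actual CLI text.
_COUNTER_RE = re.compile(r"monitor packets (sent|recv):\s+(\d+)")

# Defender-side next steps for each verdict, drawn from the thread's advice.
HINTS = {
    "monitor-not-sending": "Tunnel monitor is not emitting probes: check that "
                           "tunnel monitor is enabled on the tunnel interface.",
    "no-replies": "Probes leave but nothing returns: confirm the monitored host "
                  "answers ICMP from the tunnel interface IP and that the tunnel "
                  "does not rely on multiple proxy IDs.",
    "partial-replies": "Some probes are lost: check for intermittent path or "
                       "peer-side filtering of ICMP.",
    "healthy": "Probes are answered; tunnel monitor should report up.",
}


def parse_counters(text):
    """Extract {'sent': n, 'recv': n} from one snapshot; raise if a field is absent."""
    found = {name: int(value) for name, value in _COUNTER_RE.findall(text)}
    missing = {"sent", "recv"} - set(found)
    if missing:
        raise ValueError(f"counters not found: {sorted(missing)}")
    return found


def diagnose(before, after):
    """Compare two snapshots and return one of the HINTS keys."""
    b, a = parse_counters(before), parse_counters(after)
    sent_delta = a["sent"] - b["sent"]
    recv_delta = a["recv"] - b["recv"]
    if sent_delta <= 0:
        return "monitor-not-sending"
    if recv_delta <= 0:
        return "no-replies"
    if recv_delta < sent_delta:
        return "partial-replies"
    return "healthy"


if __name__ == "__main__":
    verdict = diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print(f"{verdict}: {HINTS[verdict]}")
```

In practice you would paste the two CLI outputs in place of the constructed snapshots (or feed them in from a script that runs the command twice a few seconds apart); the verdict for the sample above is `no-replies`, which matches the symptom in the original question.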