IPSEC VPN tunnel monotor showing down

Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSEC VPN tunnel monotor showing down

L4 Transporter

We have configured Tunnel Monitor for IPSEC VPN to monitor IP Peer side server.


My query is I dont see ping packet intiated by tunnel interface towards destination IP on firewall logs.


Though in show vpn tunnel-flow id I can see monitor packets sent incrementing


does source packet gets encrypted inside tunnel ?

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |

L3 Networker



Do you see an increment in the received packet counter? This KB explains very well expected behaviour:


Traffic will be encrypted for sure, so only ESP should be visible in the traffic log, however, this is FW's own traffic (initiated by the device) so l am not 100% sure if it will be logged. 

Ensure monitored host responds to the ICMP from the remote subnet (in our case FW's tunnel interface IP)




IN attached KB it says we need to allow ICMP between Tunnel Interface and Remote IP ( Tunnel Monitor IP ) if Peer device is not Palo alto.




That does say to me traffic is not getting encrypted inside tunnel ?


But strange that is I dont see ICMP packets in traffic monitor so it contradicts for KB say

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |

All traffic will be encrypted inside the tunnel. Get the PCAP from the server side, check for ICMP traffic and if it arrives, ensure your server responses to the requests.

peer side is Azure we cannot run pcap there

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |

You should be able to run the PCAP on the actual server.

Hi @fatboy1607,


- ICMP packets generated by tunnel monitor are not logged

- Packet capture on the firewall cannot capture those packets

- The only way to see if tunnel monitor is sending and receiving (if receiving) packets is via the comman you already know > show vpn tunnel-flow id

The ping packets generated by tunnel monitor ARE definately encrypted and send try the tunnel, that is the whole point of the tunnel monitor, to see if both phases of the IPsec tunnel are up and actual traffic can pass through it.


The common reason for your tunnel monitor to show down is - proxy id. If your tunnel is using multiple proxy id, tunnel monitor will fail. For more details see my comment in the following post - Fail-over VPN site-to-site

  • 6 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!