I'm trying to monitor the availability of one tunnel, to re-route the same destination traffic into a second tunnel. The other side can't do routing protocols right now, which would solve this easily. I hoped to find a non-manual way to fail over.
I read in a discussion that the SOURCE IP and destination IP have to be in a single network. The documentation didn't mention this. If that is true, essentially this is designed to test a basic /30 circuit or a "can I see my default gateway?" test. And really nothing more. Calling a zero-hop distance (same broadcast domain) a "path" monitor is stretching the word path. Routing Gateway Monitor is more appropriate. Also, the documentation (copied below) says you can have eight destinations. Having that many without being able to go beyond the gateway really limits this to testing my two ISPs, or three ISPs, and there are so many other ways that gets accomplished in the real world.
Obviously none of the REMOTE IPs of a typical VPN between corporations are going to be in the same local subnet as any IP I can assign to my firewall. Cisco's DMVPN is structured to simulate a subnet between all the ipsec endpoints.
So I'm not sure if there is anything in the PA's features that would let me manipulate routes without a routing protocol. I have a second route with a lower admin cost. But it doesn't work like Cisco, where a route pointed to an interface (the tunnel) becomes invalid when the interface is down.
Looking at the Admin guide, it talks about Static Route Removal using Path Monitoring, and the IP address does not appear to be in the same network.
Alternatively, if you monitor the tunnel IP, then that IP can be whatever you want it to be.
The interesting thing about that graphic, which seems to reflect exactly what I want to do, is that the Eth ports of the firewall don't disclose the mask, and the destinations being monitored are all within a class C (192.0.2.xx). So I can't say that others in the LIVEcommunity are incorrect when they've written that they must be in a single subnet.
My reality is that when I try to enter a SOURCE IP in the dialog box, it only accepts two things: the DHCP option in the dropdown, OR creating a NEW X VARIABLE.
I could create multiple VARIABLES all pointing to a single loopback as a source, but that seems like one wrong on top of another wrong. It would not let me create one VARIABLE with the FW's loopback and re-use that in multiple monitors. It refused to allow me to use the same variable twice. (Frankly, I've never used variables, so my understanding there is weak.)
The documentation for removing static routes with Path Monitoring says to enter an IP or name an Interface. It won't accept any IPs or any interfaces. Even an IP within the Route isn't accepted. For Destination IP I can put any IP: 126.96.36.199 or 188.8.131.52, it doesn't matter what it is. But for source I can't get it to accept anything that makes sense.