Satellite to Hub LSVPN Monitoring And/Or Connectivity



L1 Bithead

- I am having issues with LSVPN and some drops to the tunnels. I have a half dozen sites rolled out with LSVPN. The hub is on 6.05H6 or something like that and the satellites are on 6.1.0. I am having multiple drops a day for most sites with the following error: Event ID satd-tun-mon-down. I also have many more standard IPSec tunnels, about 70, and these tunnels do not drop. Both IPSec and LSVPN have the same Gateway IP entering the Hub. I am not seeing any ping drops to that Gateway IP from anywhere. The tunnel drops are a few seconds at most, but for certain applications this is a show stopper. The drops do not seem to coincide with the Lifetime expiration initiated reconnects.


- The Event Description is 'Tunnel monitoring failed on tunnel interface:tunnel.1 to GatewayXXX.XXX.XXX.XXX due to Gateway not available'.  I am wondering if that is really the Gateway IP being down from the site or just the tunnel monitor is dropping because it can't reach the internal monitor IP.  I am using the Hub's private tunnel interface IP to monitor. 


- The results for all satellites running the command show global-protect-satellite current-gateway are basically the same as below. Monitor Status shows No data available, which seems incorrect or at least fishy.


        Tunnel Monitor Enabled           : Yes
        Tunnel Monitor Interval          : 2 seconds
        Tunnel Monitor Action            : fail-over
        Tunnel Monitor Threshold         : 3 attempts
        Tunnel Monitor Source            : 172.19.249.162
        Tunnel Monitor Destination       : 172.19.249.129
        Tunnel Monitor Status           : No data available

- One more thing is that with the IPSec tunnels and tunnel monitoring, an IP address is required on the tunnel interfaces themselves.  I did not add one as I believe with LSVPN, the tunnel interface receives its IP from the Hub Gateway/Portal.  Please advise if this is correct.  I would assume we would not get any monitor response nor an up status if it didn't work without a static IP but it's worth clarifying. 

Saw this post, but it just shows a couple of command steps and not much detail:

Intermittent tunnel down between HUB and satellite
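
An added example, not part of the original post and not vendor tooling: a Python parser for the tunnel-monitor fields pasted above, which flags a satellite where monitoring is enabled but the status reports no data. The function names, the satellite label and the interval-times-threshold window are assumptions made for illustration.

```python
import re

# Constructed sample: the tunnel-monitor fields quoted in the post above.
SAMPLE = """\
        Tunnel Monitor Enabled           : Yes
        Tunnel Monitor Interval          : 2 seconds
        Tunnel Monitor Action            : fail-over
        Tunnel Monitor Threshold         : 3 attempts
        Tunnel Monitor Source            : 172.19.249.162
        Tunnel Monitor Destination       : 172.19.249.129
        Tunnel Monitor Status           : No data available
"""

# Matches "Tunnel Monitor <name>   : <value>" with any amount of padding.
FIELD = re.compile(r"^\s*Tunnel Monitor (?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_tunnel_monitor(text):
    """Return the tunnel-monitor fields as a dict keyed by lower-case field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group("key").lower()] = m.group("value")
    return fields


def leading_int(value):
    """Extract the number from values such as '2 seconds' or '3 attempts'."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None


def review(satellite, text):
    """Summarise one satellite's monitor settings and list anything worth a second look."""
    f = parse_tunnel_monitor(text)
    enabled = f.get("enabled", "").lower() == "yes"
    findings = []
    if enabled and f.get("status", "").lower() == "no data available":
        findings.append("monitor enabled but status reports no data")
    if enabled and not (f.get("source") and f.get("destination")):
        findings.append("monitor enabled without source/destination")
    interval, threshold = leading_int(f.get("interval")), leading_int(f.get("threshold"))
    # Assumption: the configured action fires after `threshold` consecutive missed probes.
    window = interval * threshold if interval and threshold else None
    return {"satellite": satellite, "action": f.get("action"),
            "probe_window_s": window, "findings": findings}
```

Running `review()` over the saved output of each satellite gives one record per site, which makes it easy to see whether every satellite shows the same monitor state.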
