tunnel monitor with VPN tunnel in passive mode


L3 Networker

Hello community,

 

Do you think having tunnel monitor enabled for an IPSec tunnel on a firewall in passive mode has any benefit?

 

When tunnel monitor detects the tunnel is down, the firewall would attempt to accelerate the recovery by negotiating new IPSec keys. If the firewall is in passive mode it wouldn't be able to initiate the negotiations from its side in order to reestablish the tunnel, am I right?

 

Thank you in advance!

 

 

4 REPLIES

Cyber Elite

@Carracido wrote:

If the firewall is in passive mode it wouldn't be able to initiate the negotiations from its side in order to reestablish the tunnel, am I right?

 


If the firewall is passive it doesn't even bring up its tunnel interfaces; all of that is going to be handled by your active node.

Hi @Carracido,

 

The passive member disables its routing engine. That way the firewall is not able to initiate or respond to any packet sent to its dataplane interfaces. Think of the tunnel monitor the same way as the HA path monitor:

- Both (tunnel monitor and path monitor) are simple ICMP ping packets generated by the FW, which then waits for a response

- When the member is in passive mode it is not able to generate those ping packets, so both monitors are inactive

L3 Networker

Thanks so much for your answers!

 

I have another question:

Tunnel monitor is Palo Alto proprietary and as far as I know it should be used between Palo Alto peers to work optimally, am I right?

 

Considering this, if there is a VPN between a Palo Alto device and another vendor's device, would path monitoring for a static route work similarly to tunnel monitor?

My idea is that sourcing the path-monitoring pings from the tunnel IP to the remote peer's IP could keep the tunnel up like tunnel monitoring does. (Not having the firewall in passive mode, of course.)

 

 

Thank you in advance!

Q1) Tunnel monitor is Palo Alto proprietary and as far as I know it should be used between Palo Alto peers to work optimally, am I right?

Yes, tunnel monitor is a Palo Alto Networks proprietary protocol.

Please see this link for more details.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFaCAK#:~:text=

Q2) Considering this, if there is a VPN between a Palo Alto device and another vendor's device, would path monitoring for a static route work similarly to tunnel monitor?


In essence, the goal of path monitoring and tunnel monitoring is the same, but there are some differences.


In path monitoring, if "all" or "any" of the monitored destinations for the static route are unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.


There are two possible actions that can be taken if a monitored destination fails with tunnel monitoring:
1) Wait recover. Wait for the tunnel to recover; do not take additional action.
2) Failover. Traffic will fail over to a backup path, if one is available. The firewall uses a routing table lookup to determine routing for the duration of this session.

 

Q) My idea is that sourcing the path-monitoring pings from the tunnel IP to the remote peer's IP could keep the tunnel up like tunnel monitoring does. (Not having the firewall in passive mode, of course.)


The function of path monitoring and tunnel monitoring is not to keep the "tunnel up".
They are used only to monitor whether a destination is reachable or not.

 

If you still have any questions, please open a support ticket and one of us will help you.

Kavi
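As an added illustration (not part of the thread, and not Palo Alto Networks' own documentation), here is what the two mechanisms contrasted in the reply above look like side by side as PAN-OS CLI set commands: a tunnel monitor with the failover action on the IPSec tunnel, and path monitoring on the static route that points into that tunnel, with a higher-metric backup route for the path monitor to fall back to. The tunnel name vpn-to-vendor, the route names, the monitor-profile name, the virtual router "default" and every address are hypothetical; the command syntax is reproduced from memory of the PAN-OS CLI and should be checked against the CLI reference for your release before committing.

```text
# Added example, hypothetical names and addresses. Verify syntax against the
# PAN-OS CLI reference for your release before use.

# 1) Tunnel monitor on the IPSec tunnel. Probes 10.2.0.1 through tunnel.1 with
#    ICMP every 3 s; after 5 missed probes the "failover" action lets traffic
#    follow the routing table to a backup path (the alternative action is
#    wait-recover, which only waits for the tunnel to come back).
set network profiles monitor-profile vpn-failover action failover interval 3 threshold 5
set network tunnel ipsec vpn-to-vendor tunnel-monitor enable yes
set network tunnel ipsec vpn-to-vendor tunnel-monitor destination-ip 10.2.0.1
set network tunnel ipsec vpn-to-vendor tunnel-monitor tunnel-monitor-profile vpn-failover

# 2) Path monitoring on the static route into the tunnel. The probe is sourced
#    from the tunnel.1 address 10.255.0.1 to the remote LAN gateway 10.2.0.1.
#    With failure-condition "any", one failed destination is enough to pull
#    the route from the RIB/FIB; hold-time 2 (minutes) delays reinstalling it
#    after the destination recovers, which damps flapping.
set network virtual-router default routing-table ip static-route to-remote-lan destination 10.2.0.0/24
set network virtual-router default routing-table ip static-route to-remote-lan interface tunnel.1
set network virtual-router default routing-table ip static-route to-remote-lan metric 10
set network virtual-router default routing-table ip static-route to-remote-lan path-monitor enable yes
set network virtual-router default routing-table ip static-route to-remote-lan path-monitor failure-condition any
set network virtual-router default routing-table ip static-route to-remote-lan path-monitor hold-time 2
set network virtual-router default routing-table ip static-route to-remote-lan path-monitor monitor-destinations peer-gw enable yes
set network virtual-router default routing-table ip static-route to-remote-lan path-monitor monitor-destinations peer-gw source 10.255.0.1/32
set network virtual-router default routing-table ip static-route to-remote-lan path-monitor monitor-destinations peer-gw destination 10.2.0.1
set network virtual-router default routing-table ip static-route to-remote-lan path-monitor monitor-destinations peer-gw interval 3
set network virtual-router default routing-table ip static-route to-remote-lan path-monitor monitor-destinations peer-gw count 5

# 3) Backup route with a worse metric. It only reaches the FIB once path
#    monitoring withdraws the metric-10 route above.
set network virtual-router default routing-table ip static-route to-remote-lan-backup destination 10.2.0.0/24
set network virtual-router default routing-table ip static-route to-remote-lan-backup interface tunnel.2
set network virtual-router default routing-table ip static-route to-remote-lan-backup metric 20
```

Two things to keep in mind when reading this against the thread. First, both probes are plain ICMP echo requests, so the only requirement on a third-party peer is that 10.2.0.1 answers pings through the tunnel. Second, as the earlier replies state, the passive HA member does not generate either probe: the configuration is synced to it but produces no monitoring until that member becomes active. `show vpn flow` (tunnel monitor state) and `show vpn ipsec-sa` (negotiated SAs) on the active member are the usual checks after a commit.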

 
