Tunnel monitoring between plao alto and policy based cisco vpn

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Tunnel monitoring between plao alto and policy based cisco vpn

L1 Bithead

I am thinking about possibility of doing a tunnel monitoring from palo alto to cisco route vpn which is configured in policy based mode.

Do palo alto supports below configuration to do so.

1. Set up /32 IP in tunnel interface of palo alto

2. Configure tunnel monitoring to Peer IP of peer cisco.

Do this work?

7 REPLIES 7

Cyber Elite
Cyber Elite

Good Day

 

Yes the PANW supports tunnel monitoring to monitor the remote side of the tunnel. 
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunnel...

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Cyber Elite
Cyber Elite

Hi @Aaida ,

 

As @S.Cantwell said, it will work.  With regard to your second point, the "Peer IP" should not be the public IP address of the Cisco, but rather an IP address that is routed over the VPN, preferable a device that will never be turned off.

 

What is your intended purpose of tunnel monitoring, to keep the tunnel up or something else?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hello Tom,

 

My intention is to monitor tunnel and auto failover.  So if we monitor peer Ip of cisco, we can achieve auto failover right 

Cyber Elite
Cyber Elite

Hi @Aaida ,

 

Excellent.  Yes, you can set the Tunneling Monitoring Profile to Fail Over, and when the IP is unreachable, it will shut down the tunnel interface and remove the routes to the tunnel.  You will need to have an alternative path, another VPN tunnel or something.

 

Please stop saying "monitor peer IP."  It sounds like you are talking about the public VPN peer IP address.  That is not how it works.  You need to monitor an IP address reachable via the VPN tunnel.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thank you so much Tom, so what about routers internal interface ip,  we can monitor that right

Cyber Elite
Cyber Elite

Yes, sir!

Help the community: Like helpful comments and mark solutions.

Thanks @TomYoung @S.Cantwell  for your help.

  • 2617 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!