I need to enable Tunnel Monitoring for S2S VPN between PA and Cisco ISR Router.
Since we need to hide our local network behind one IP address given by the client (172.x.x.x/32), we have used that IP address as a loopback interface.
There are 2 tunnels to reach the client's remote network and we are using static routes (primary tunnel with metric 9 and secondary tunnel with metric 10) for this.
Tunnel.1 and Tunnel.2 are configured with VR->Default and Security Zone->VPN without any IP address.
Proxy ID is configured with local address using the masked IP address (172.x.x.x/32) and customer LAN IP as remote address.
NAT is in place using SNAT like below.
Source Zone->Trust, Destination Zone->VPN, Source Address->our local network, Destination Address->Customer LAN IP/remote address.
Translation Type: DIPP, Interface Address->Loopback Interface, IP Address->172.x.x.x/32
I am not sure what IP address to use as the Destination IP in tunnel monitoring. I understand that this IP will be the one that the PAN will ping to verify that the tunnel is up. I tried using the remote proxy ID (customer LAN IP), the loopback IP and our local network IP, but this causes ping dropouts / request timed out. I tried enabling tunnel monitoring on both tunnels as well as on only one of them (primary/secondary).
Any help/suggestion please?
Hi @Connected123 ,
Having monitoring enabled on the primary interface only should fulfil your use case. This is because the secondary tunnel routes will always have the higher metric and so will be in standby state. Only once primary tunnel monitoring fails will traffic use the secondary tunnel. It will also fail back to the primary once primary tunnel monitoring is restored. So as per my understanding, having monitoring enabled on the primary tunnel should be enough.
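The failover behaviour the reply describes (primary route with metric 9, secondary with metric 10, tunnel monitoring on the primary only, failback once the probes succeed again) can be modelled to check that route selection behaves as expected. The following is an added example in Python; it is not PAN-OS code and is not taken from the thread. The customer LAN prefix 10.200.0.0/24, the destination host, and the three-lost-probes threshold are constructed values for the model (the real addresses in the thread are masked as 172.x.x.x).

```python
"""Model of static-route failover driven by tunnel monitoring.

Added example, not PAN-OS code: two static routes to the customer LAN
(primary tunnel.1 metric 9, secondary tunnel.2 metric 10). Only the
primary tunnel is monitored; when its probes are lost past a threshold
the interface is marked down and its routes are withdrawn, so the next
best metric wins. When probes succeed again the primary route returns.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed prefix; the thread masks the real addresses as 172.x.x.x.
CUSTOMER_LAN = "10.200.0.0/24"


@dataclass
class StaticRoute:
    prefix: str
    interface: str
    metric: int


class TunnelMonitor:
    """Tracks consecutive lost probes on one tunnel interface.

    The threshold of 3 lost probes is an assumed value for this model,
    not a PAN-OS default.
    """

    def __init__(self, interface: str, threshold: int = 3) -> None:
        self.interface = interface
        self.threshold = threshold
        self.lost = 0
        self.up = True

    def probe(self, reply_received: bool) -> bool:
        """Record one probe result and return the resulting tunnel state."""
        if reply_received:
            self.lost = 0
            self.up = True
        else:
            self.lost += 1
            if self.lost >= self.threshold:
                self.up = False
        return self.up


class VirtualRouter:
    def __init__(self, routes: List[StaticRoute], monitors: List[TunnelMonitor]) -> None:
        self.routes = routes
        self.monitors: Dict[str, TunnelMonitor] = {m.interface: m for m in monitors}

    def interface_up(self, interface: str) -> bool:
        # An unmonitored interface has no probe evidence, so it stays eligible.
        mon = self.monitors.get(interface)
        return mon.up if mon else True

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        """Longest prefix first, then lowest metric, skipping down interfaces."""
        addr = ip_address(dst)
        candidates = [
            r for r in self.routes
            if addr in ip_network(r.prefix) and self.interface_up(r.interface)
        ]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-ip_network(r.prefix).prefixlen, r.metric))


def build_router() -> VirtualRouter:
    routes = [
        StaticRoute(CUSTOMER_LAN, "tunnel.1", 9),   # primary, monitored
        StaticRoute(CUSTOMER_LAN, "tunnel.2", 10),  # secondary, standby
    ]
    return VirtualRouter(routes, [TunnelMonitor("tunnel.1")])


def simulate(probe_results: List[bool], dst: str = "10.200.0.25") -> List[str]:
    """Return the egress interface chosen for dst after each probe result."""
    vr = build_router()
    mon = vr.monitors["tunnel.1"]
    chosen = []
    for ok in probe_results:
        mon.probe(ok)
        route = vr.lookup(dst)
        chosen.append(route.interface if route else "none")
    return chosen


if __name__ == "__main__":
    # Two good probes, three lost probes (tunnel.1 declared down), then recovery.
    for step, iface in enumerate(simulate([True, True, False, False, False, True]), 1):
        print(f"probe {step}: egress via {iface}")
```

The model makes the reply's point visible: the secondary route is never used while the primary interface is up, because metric 10 loses to metric 9, and it takes over only when the monitor withdraws the primary route. A destination outside the customer LAN prefix matches neither route and gets no tunnel at all, which is also worth checking when the static routes are entered by hand.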