Tunnel Monitoring Setup issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Tunnel Monitoring Setup issue

L2 Linker

Hello,

 

I need to enable Tunnel Monitoring for S2S VPN between PA and Cisco ISR Router.

Since, we need to hide our local network behind one IP address given by client (172.x.x.x/32) so we have used that IP address as loopback interface.

There are 2 Tunnels to reach client's remote network and we are using Static route (Primary tunnel with Metric 9 and Secondary Tunnel with metric 10) for this.

Tunnel.1 and Tunnel.2 are configured with VR->Default and Security Zone->VPN without any IP address.

Proxy ID is configured with local address using the masked IP address (172.x.x.x/32) and customer LAN IP as remote address.

NAT is in place using SNAT like below.

Original Packet:

Source Zone->Trust, Destination Zone->VPN, Source Address->our local network, Destination Address->Customer LAN IP/remote address.

Translated Packet:

Translation Type: DIPP, Interface Address->Loopback Interface, IP Address->172.x.x.x/32

 

I am not sure what IP address to use as Destination IP in Tunnel monitoring. I understand that this IP will be the one that PAN will ping to verify that tunnel is up. I tried using remote proxyID (customer LAN IP), loopback IP, our local network IP but this causes ping dropouts/request timed out. I tried enabling Tunnel Monitoring in both the Tunnels as well as only one of them (Primary/Secondary).

 

Any help/suggestion please?

 

 

11 REPLIES 11

Cyber Elite
Cyber Elite

Hi @Connected123 ,

 

Having monitoring enabled on the Primary interface only should fulfilled your use case. This is because secondary tunnel routes will always have higher metric and so will be in standby state. Now once Primary tunnel monitoring fails, in that case only traffic will use secondary tunnel. Also it will again failback to Primary once Primary tunnel monitoring is restored. So as per my understanding, having monitoring enabled on primary tunnel should be enough.

Mayur

Thank you so much @SutareMayur for all your responses.

You helped me a lot from the beginning to the end of S2S setup.

Really appreciate for taking your time out and answering my questions.

Closing off this thread now.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!