Tunnel monitoring using internal src to external dst?

mike406 · ‎01-24-2019

Is it possible to monitor VPN tunnels using an internal source IP on my tunnel interface and the external IP of the other system? I won't always have control/access to the other side of the tunnel, I may only know the local subnet(s) and the external IP.

OtakarKlier · ‎01-25-2019

Hello,

The 'destination IP' can be anything that is pingable on the other end of the tunnel. Perhaps the internal interface of the other sides firewall? Just soemthing that is always %100 up so you dont get false positives.

Does this help?

View solution in original post

reaper · ‎01-25-2019

if you 'number' all your tunnels (set a /30 subnet ip on each end) you can simply monitor the remote tunnel interface

reaper - PANgurus.com
I drink and I know things

mike406 · ‎01-25-2019

I don't follow you. I don't have access to each end, I only have access to my end. I know the external IP and the local subnets of the other end. The other end is generally not a PA firewall.

Can you give an example of what should be set for IPsec Tunnel -> Tunnel Monitor -> Destination IP ?

OtakarKlier · ‎01-25-2019

Hello,

The 'destination IP' can be anything that is pingable on the other end of the tunnel. Perhaps the internal interface of the other sides firewall? Just soemthing that is always %100 up so you dont get false positives.

Does this help?

View solution in original post

mike406 · ‎01-25-2019

Okay, I've got it figured out. I also see the tunnel-status-up and tunnel-status-down messages in the system logs.

Are there any plans to add a GUI indicator for tunnel monitoring status?

OtakarKlier · ‎01-25-2019

Already have one Network Tab-> IPSec Tunnels

mike406 · ‎01-25-2019

That doesn't show monitoring status...the tunnel may be up, but monitoring might be in a down state because of a changed IP address (for example).

Tunnel monitoring using internal src to external dst?