11-11-2024 06:52 AM
Hi Guys,
We're looking to connect multiple Palo Alto devices to our core Palo Alto via SD-WAN. In some cases, we have three internet connections at the customer site, each connected through a different ISP.
Our goal is to monitor each tunnel by pinging the destination tunnel interface IP address from our Monitoring Tool through our Core Palo Alto and displaying the results in our monitoring tool. Unfortunately, this doesn't work because the core Palo Alto doesn't have the destination IP address in its routing table.
However, if we ping directly from the core Palo Alto using the source IP address of the corresponding tunnel interface, the ping works.
Does anyone have an explanation for this?
I know, the Panorama is monitoring the sd-wan connections too 🙂
Thanks and best regards,
Dirk
11-18-2024 01:25 PM
Hello @D.Henze
Based on the images you provided, I have observed the following behavior:
You are able to successfully ping the IP on the destination tunnel because you are using an IP within the same zone. Both IPs, as shown in the images, belong to the "zone-to-branch" zone and share the same network.
However, when you attempt to ping with the IP 10.1.0.X, it appears that this IP belongs to a different zone and does not have a route to reach 172.17.5.204. As a result, the traffic is being sent through the untrust zone.
Considering these findings, it seems to be a networking issue. I recommend trying a PBF (Policy-Based Forwarding) rule that forces the traffic to go through the "zone-to-branch" zone when attempting to reach the IP 172.17.5.204.
Regards
11-20-2024 09:16 AM
Hi Jpomachagua,
Thank you very much for your input!
You are absolutely right. I have now configured a PBF rule to route traffic destined for 172.17.5.204 via the tunnel.910 interface. With this setup, I am able to reach the IP address using ping.
17:49:42: Without PBF
17:54:12: With PBF
However, I've encountered a problem: If I understand correctly, I would need to configure a separate PBF rule for each destination tunnel interface. Additionally, I'm concerned that the IP addresses of the tunnel interfaces might change after a reboot on the hub or spoke side, which could complicate things further.
Could you clarify what you mean exactly by the following statement?
"Considering these findings, it seems to be a networking issue. I recommend trying a PBF (Policy-Based Forwarding) rule that forces the traffic to go through the 'zone-to-branch' zone when attempting to reach the IP 172.17.5.204."
In the PBF configuration, I can only specify a destination address, application, and service, as well as an egress interface to forward the traffic. There doesn’t seem to be an option to select a destination zone.
Regards
11-21-2024 08:20 AM
Hello @D.Henze
You don't have to set up the zone on the PBF. Once you send the traffic through the right tunnel, it will go through the right zone. In your situation, here's what I suggest:
This way, the traffic will go to tunnel 1. If it fails, the traffic will switch to tunnel 2, and if that fails too, then it will go to tunnel 3. Let me know if you have any issues with this setup.
Regards
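Added example (not from the thread and not Palo Alto Networks code): a small Python generator for the PAN-OS `set` commands behind the two PBF designs discussed above. `probe_rules` builds one pinned rule per tunnel for the original goal of monitoring each tunnel individually: the probe to that tunnel's far-end address always leaves via that tunnel and, having no monitor profile, fails visibly when the tunnel is down instead of falling back to the default route and leaving via the untrust zone, which is what happened without PBF. `failover_rules` builds the ordered tunnel 1 / tunnel 2 / tunnel 3 set from the last reply, where a monitor profile with "disable if unreachable" drops a dead rule so the next one takes over. Only tunnel.910, its peer 172.17.5.204 and the 10.1.0.x source range come from the thread; the source zone `trust`, the monitoring host 10.1.0.10, tunnel.911/tunnel.912 with their peer addresses, and the profile name `pbf-tunnel-monitor` are placeholders, and the exact `set` syntax should be checked against the CLI of the PAN-OS version in use.

```python
"""Generate PAN-OS 'set' commands for PBF rules that pin or fail over SD-WAN tunnels.

Added example for the thread above; names marked as assumed are placeholders.
"""
import ipaddress
from dataclasses import dataclass

MONITOR_PROFILE = "pbf-tunnel-monitor"  # assumed profile name


@dataclass(frozen=True)
class Tunnel:
    iface: str     # hub-side egress interface, e.g. "tunnel.910"
    peer_ip: str   # spoke-side tunnel interface address (the ping target)

    def __post_init__(self):
        ipaddress.ip_address(self.peer_ip)  # reject mistyped addresses early
        if not self.iface.startswith("tunnel."):
            raise ValueError(f"not a tunnel interface: {self.iface}")


def monitor_profile_cmds(interval=3, threshold=5):
    """Monitor profile: fail over after `threshold` lost probes sent every `interval` s."""
    base = f"set network profiles monitor-profile {MONITOR_PROFILE}"
    return [f"{base} action fail-over",
            f"{base} interval {interval}",
            f"{base} threshold {threshold}"]


def pbf_rule_cmds(name, src_zone, src, dst, tunnel, failover):
    """One PBF rule forwarding src->dst out of `tunnel.iface`.

    With failover=True the rule monitors the tunnel's far end and is disabled
    when it becomes unreachable, so the next matching PBF rule (or, if none,
    the routing table) takes the traffic.
    """
    base = f"set rulebase pbf rules {name}"
    cmds = [f"{base} from zone {src_zone}",
            f"{base} source {src}",
            f"{base} destination {dst}",
            f"{base} application any",
            f"{base} service any",
            f"{base} action forward egress-interface {tunnel.iface}"]
    if failover:
        cmds.append(f"{base} action forward monitor profile {MONITOR_PROFILE} "
                    f"disable-if-unreachable yes ip-address {tunnel.peer_ip}")
    return cmds


def probe_rules(src_zone, monitor_host, tunnels):
    """Pinned rules for per-tunnel monitoring: the probe to a tunnel's far end
    always leaves via that tunnel. No monitor profile on purpose: a dead
    tunnel must make the probe fail (that is the signal the monitoring tool
    wants), not silently re-route it over the default route into untrust."""
    cmds = []
    for t in tunnels:
        name = f"probe-{t.iface.replace('.', '-')}"
        cmds += pbf_rule_cmds(name, src_zone, monitor_host, t.peer_ip, t, failover=False)
    return cmds


def failover_rules(src_zone, src, dst, tunnels):
    """Ordered rules for real branch traffic: tunnel 1, then 2, then 3.
    PBF rules are evaluated top-down and a newly created rule is appended at
    the bottom of the rulebase, so emit them in the preferred order."""
    cmds = monitor_profile_cmds()
    for i, t in enumerate(tunnels, start=1):
        cmds += pbf_rule_cmds(f"branch-via-tunnel{i}", src_zone, src, dst, t, failover=True)
    return cmds


if __name__ == "__main__":
    # tunnel.910 / 172.17.5.204 are from the thread; the other two are assumed
    tunnels = [Tunnel("tunnel.910", "172.17.5.204"),
               Tunnel("tunnel.911", "172.17.5.208"),
               Tunnel("tunnel.912", "172.17.5.212")]
    print("# per-tunnel monitoring probes (source zone/host assumed)")
    print("\n".join(probe_rules("trust", "10.1.0.10", tunnels)))
    print("# ordered failover for branch traffic")
    print("\n".join(failover_rules("trust", "10.1.0.0/24", "172.17.5.0/24", tunnels)))
    print("commit")
```

Paste the output into `configure` mode on the hub, then verify with `show pbf rule all` and `test pbf-policy-match from trust to zone-to-branch source 10.1.0.10 destination 172.17.5.204 protocol 1` (assumed zone and host) that the probe is matched by the pinned rule and not by the failover set; the two rule families must not overlap in source, or the failover rules will quietly take over the probes.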