Monitoring SD-WAN Tunnel-IF via ping

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Monitoring SD-WAN Tunnel-IF via ping

L1 Bithead

Hi Guys,

We're looking to connect multiple Palo Alto devices to our core Palo Alto via SD-WAN. In some cases, we have three internet connections at the customer site, each connected through a different ISP.

Our goal is to monitor each tunnel by pinging the destination tunnel interface IP address from our Monitoring Tool throught our Core Palo Alto and displaying the results in our monitoring tool. Unfortunately, this doesn’t work because the core Palo Alto doesn’t have the destination IP address in its routing table.

However, if we ping directly from the core Palo Alto using the source IP address of the corresponding tunnel interface, the ping works.

Does anyone have an explanation for this?

DHenze_0-1731336658860.png

I know, the Panorama is monitoring the sd-wan connections too 🙂

Thanks and best regards,
Dirk

 

4 REPLIES 4

L3 Networker

Hello @D.Henze 

Based on the images you provided, I have observed the following behavior:

  • You are able to successfully ping the IP on the destination tunnel because you are using an IP within the same zone. Both IPs, as shown in the images, belong to the "zone-to-branch" zone and share the same network.

  • However, when you attempt to ping with the IP 10.1.0.X, it appears that this IP belongs to a different zone and does not have a route to reach 172.17.5.204. As a result, the traffic is being sent through the untrust zone.

Considering these findings, it seems to be a networking issue. I recommend trying a PBF (Policy-Based Forwarding) rule that forces the traffic to go through the "zone-to-branch" zone when attempting to reach the IP 172.17.5.204.

 

Regards

Jorge Pomachagua
PCNSE, PCNSC.

L1 Bithead

Hi Jpomachagua,

Thank you very much for your input!

You are absolutely right. I have now configured a PBF rule to route traffic destined for 172.17.5.204 via the tunnel.910 interface. With this setup, I am able to reach the IP address using ping.

DHenze_0-1732122947538.png

 

17:49:42: Without PBF
17:54:12: With PBF

However, I’ve encountered an problem for me: If I understand correctly, I would need to configure a separate PBF rule for each destination tunnel interface. Additionally, I’m concerned that the IP addresses of the tunnel interfaces might change after a reboot on the hub, or spoke side, which could complicate things further.

Could you clarify what you mean exactly by the following statement?

"Considering these findings, it seems to be a networking issue. I recommend trying a PBF (Policy-Based Forwarding) rule that forces the traffic to go through the 'zone-to-branch' zone when attempting to reach the IP 172.17.5.204."

In the PBF configuration, I can only specify a destination address, application, and service, as well as an egress interface to forward the traffic. There doesn’t seem to be an option to select a destination zone.
Regards

L1 Bithead

Sorry, I had forgotten to add the PBF

DHenze_0-1732180947952.png

 

L3 Networker

Hello @D.Henze 

 

You don't have to set up the zone on the PBF. Once you send the traffic through the right tunnel, it will go through the right zone. In your situation, here's what I suggest:

  • Set up 3 PBFs, one for each ISP connection, to make sure the traffic to the server goes through the correct tunnel.
  • Arrange the PBF policies in the order you need, keeping in mind that the policy at the top will be the one that matches the traffic, while the others won't work for this traffic.
  • Set up path monitoring with the option "Disable this rule if the next hop/monitor IP is unreachable" for the first two PBF policies.

This way, the traffic will go to tunnel 1. If it fails, the traffic will switch to tunnel 2, and if that fails too, then it will go to tunnel 3. Let me know if you have any issues with this setup.

 

Regards

Jorge Pomachagua
PCNSE, PCNSC.
  • 438 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!