01-20-2015 07:56 AM
- I am having issues with LSVPN and some drops to the tunnels. I have a half dozen sites rolled out with LSVPN. Hub is on 6.05H6 or something like that and satellites are on 6.1.0. I am having multiple drops a day for most sites with the following error Event ID satd-tun-mon-down. I also have many more standard IPSec tunnels about 70 and these tunnels do not drop. Both IPSec and LSVPN have the same Gateway IP entering the Hub. I am not seeing any ping drops to that Gateway IP from anywhere. The tunnel drops are a few seconds at most but for certain applications this is a show stopper. The drops do not seem to coincide with the Lifetime expiration initiated reconnects.
- The Event Description is 'Tunnel monitoring failed on tunnel interface:tunnel.1 to GatewayXXX.XXX.XXX.XXX due to Gateway not available'. I am wondering if that is really the Gateway IP being down from the site or just the tunnel monitor is dropping because it can't reach the internal monitor IP. I am using the Hub's private tunnel interface IP to monitor.
- The results for all satellites running command show global-protect-satellite current-gateway is basically the same as below. Monitor Status shows No data available which seems incorrect or at least fishy.
Tunnel Monitor Enabled : Yes
Tunnel Monitor Interval : 2 seconds
Tunnel Monitor Action : fail-over
Tunnel Monitor Threshold : 3 attempts
Tunnel Monitor Source : 172.19.249.162
Tunnel Monitor Destination : 172.19.249.129
Tunnel Monitor Status : No data available
- One more thing is that with the IPSec tunnels and tunnel monitoring, an IP address is required on the tunnel interfaces themselves. I did not add one as I believe with LSVPN, the tunnel interface receives its IP from the Hub Gateway/Portal. Please advise if this is correct. I would assume we would not get any monitor response nor an up status if it didn't work without a static IP but it's worth clarifying.
Saw this post but it just shows a couple commands steps but not much detail
