12-16-2020 05:35 AM
Hi @Ahmad_ElKilany ,
I want first to clarify something - The ICMP probes generated by the tunnel monitor are not passing through the flow module (as explained here).
Which measn:
- The ICMP probes are not passing through the security rules (no need to explicetly allow them)
- No route lookup is performed for those packets
- No logs are generated
- Packet capture cannot capture those packets.
@MoatasemMetwaly, @Ahmad_ElKilany , the whole purpose of the tunnel monitor is to logically mark the tunnel as not working even if the phases are up. So if you see phase1 and phase 2 green, but status is red, this means that the IPsec tunnel (and phase1 & 2 settings are correct), but for some reason the pings generated by the tunnel monitor are dropped and FW is not receiving replies.
I would suggest you to check my comments here - https://live.paloaltonetworks.com/t5/general-topics/fail-over-vpn-site-to-site/m-p/249792/highlight/...
But in summary - My experiance so far shows that in most cases the tunnel monitor fails, because it doesn't match the Proxy-ID/Interesting traffic/Encryption Domains. When you enable tunnel monitor, firewall will use the IP address assinged on the logical tunnel interface as source IP for the ping packet and destination the monitored IP you are using. After that it will send those packets over the tunnel (will encrypt them), however if the source and destination IP does not match the proxy-id the remote device will reject the pings and you end will not receive any reply - marking the tunnel as down.
So:
- Check if the source and destination IP of the probe packets are matching your proxy-id (if you are using any).
- Check what IP are you monitoring, are you pinging the remote peer IP - If I remember correctly long ago the different FW vendors were behaving differently for the traffic send/received to the IPsec tunnel peer IP (some vendors were automatically accepting traffic between peer IPs to be encrypted in the tunnel, but other not)
