08-26-2021 09:12 PM
Hello,
I need to enable Tunnel Monitoring for a S2S VPN between a PA and a Cisco ISR router.
Since we need to hide our local network behind one IP address given by the client (172.x.x.x/32), we have used that IP address on a loopback interface.
There are 2 tunnels to reach the client's remote network, and we are using static routes (primary tunnel with metric 9 and secondary tunnel with metric 10) for this.
Tunnel.1 and Tunnel.2 are configured with VR -> Default and Security Zone -> VPN, without any IP address.
The Proxy ID is configured with the masked IP address (172.x.x.x/32) as the local address and the customer LAN IP as the remote address.
NAT is in place using SNAT as below.
Original Packet:
Source Zone->Trust, Destination Zone->VPN, Source Address->our local network, Destination Address->Customer LAN IP/remote address.
Translated Packet:
Translation Type: DIPP, Interface Address->Loopback Interface, IP Address->172.x.x.x/32
I am not sure what IP address to use as the destination IP in Tunnel Monitoring. I understand that this is the IP that the PAN will ping to verify that the tunnel is up. I tried using the remote Proxy ID (customer LAN IP), the loopback IP, and our local network IP, but this causes ping dropouts/request timed out. I tried enabling Tunnel Monitoring on both tunnels as well as on only one of them (primary/secondary).
Any help/suggestions please?