Tunnel Monitoring Setup issue

L2 Linker

Hello,

 

I need to enable Tunnel Monitoring for an S2S VPN between a PA and a Cisco ISR router.

Since we need to hide our local network behind one IP address given by the client (172.x.x.x/32), we have used that IP address as the loopback interface.

There are 2 tunnels to reach the client's remote network, and we are using static routes (primary tunnel with metric 9 and secondary tunnel with metric 10) for this.

Tunnel.1 and Tunnel.2 are configured with VR->Default and Security Zone->VPN without any IP address.

Proxy ID is configured with local address using the masked IP address (172.x.x.x/32) and customer LAN IP as remote address.

NAT is in place using SNAT like below.

Original Packet:

Source Zone->Trust, Destination Zone->VPN, Source Address->our local network, Destination Address->Customer LAN IP/remote address.

Translated Packet:

Translation Type: DIPP, Interface Address->Loopback Interface, IP Address->172.x.x.x/32

 

I am not sure what IP address to use as the Destination IP in Tunnel Monitoring. I understand that this IP will be the one that PAN will ping to verify that the tunnel is up. I tried using the remote proxy ID (customer LAN IP), the loopback IP, and our local network IP, but this causes ping dropouts/request timed out. I tried enabling Tunnel Monitoring on both tunnels as well as on only one of them (Primary/Secondary).

 

Any help/suggestion please?

 

 
