Hello,

We have an issue with one IPSec site-to-site tunnel. The PAN usually doesn't recognize when a tunnel is down. We can correct this by setting up monitors on all tunnels with a "wait-recover" action after 3 subsequent failures. This works for all tunnels except one:

<please see tunnel config in attachments - for an unknown reason I cannot embed images with Google Chrome>

The special thing about this tunnel is the Proxy ID containing two public IP subnets. In order for communication to work correctly, we had to add a Source-NAT rule so that all traffic destined for 222.222.222.248/30 would be source-NATed to 111.111.111.214 before being sent out of the tunnel.8000 interface.

With this setup, we can ping the IP address 222.222.222.249 without any problem. But it looks like the firewall itself cannot. We assume that self-generated pings might use a different processing chain than other packets and might not get source-NATed.

Anyhow, the problem is that the tunnel monitor pinging 222.222.222.249 times out after x subsequent failures and re-initializes the tunnel. This is pretty annoying.

Does anyone have an idea what we could do to set up a proper monitor for such a tunnel?

Your help is much appreciated.

Thanks,
Oliver
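As an added illustration (not part of Oliver's post, and not taken from his attachment), here is how the pieces he describes would look as PAN-OS CLI set commands: a monitor profile with the wait-recover action after three consecutive failures, the tunnel monitor bound to the probe destination inside the proxy ID, and the source-NAT rule for the 222.222.222.248/30 subnet. The IP addresses are the ones from the post; the profile name, tunnel name, NAT rule name, zone names and probe interval are assumptions.

```text
# Monitor profile: wait-recover after 3 consecutive missed probes
# (profile name and 3-second interval are assumptions; threshold is the post's "3 subsequent failures")
set network profiles monitor-profile tm-wait-recover action wait-recover
set network profiles monitor-profile tm-wait-recover interval 3
set network profiles monitor-profile tm-wait-recover threshold 3

# Bind the monitor to the IPSec tunnel (tunnel name is an assumption);
# the probe destination is the remote address from the post
set network tunnel ipsec site-b-vpn tunnel-monitor enable yes
set network tunnel ipsec site-b-vpn tunnel-monitor destination-ip 222.222.222.249
set network tunnel ipsec site-b-vpn tunnel-monitor tunnel-monitor-profile tm-wait-recover

# Source NAT for transit traffic toward the remote public subnet
# (rule name and zone names are assumptions)
set rulebase nat rules snat-to-site-b from trust to vpn
set rulebase nat rules snat-to-site-b source any
set rulebase nat rules snat-to-site-b destination 222.222.222.248/30
set rulebase nat rules snat-to-site-b service any
set rulebase nat rules snat-to-site-b source-translation dynamic-ip-and-port translated-address 111.111.111.214
```

The point of laying it out this way is that the NAT rule sits in the rulebase that transit traffic traverses, while tunnel-monitor probes are generated by the firewall itself and are sourced from the tunnel interface's own address, which is the mismatch the post describes. When checking a tunnel like this, compare the monitor state reported for the tunnel (on PAN-OS, `show vpn flow` lists monitor status per tunnel) against the probe source address actually configured on tunnel.8000, so that a monitor failure caused by an unreachable probe source is not mistaken for a genuine tunnel outage.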