I've seen a couple answers here about using Path Monitoring in Virtual Wire. They say that one must use an IP address within the Virtual Wire subnet as the source address. OK, I get that. What I don't get is how to configure such an address. I don't see a way to add an address to a vwire interface. I've tried creating a loopback with no good result. Also gave vlan a shot, but that didn't look promising either. Thanks for any help.
Device -> High Availability -> Path Monitoring -> Path Group -> Add Virtual Wire has the option to add Source and Destination address. I am also working on similar monitoring where I would like to monitor device beyond connected device. I am still not sure how the routing would though. I have a case open with support with not much progress.
How about configuring a L3 interface on PA and connecting it to the network providing a reachability to the Monitored Dest.
Excerpt from Admin guide : 5.0
Source IP—For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address.
: L3 interface configuration is what suggested by our SE. The support talked about having src and dst ip in the subnet. That doesn't make any sense when you want to monitor devices beyond connected one. Have you tried this by yourself? Unfortunately I don't have an environment to play with and before touching the production devices, I wanted to make sure that I can plan ready for configuration and testing. I am running 4.x code. Do I need to have a combination of virtual wire and virtual router in the path monitoring config? Can you provide me more details?
Here is what my scenario is (apologies @gmparis for hijacking thread). Internet -> Internet router -> public switch -> Untrust firewall -> Untrust PAN -> Trust PAN -> DMZ switch. I can monitor dmz switch and trust interface of firewall using link monitoring and is working fine. I want to monitor the untrust firewall to pub switch connectivity. Here is what I understood.
- Connect new interface on PAN to dmz switch
- Configure L3 interface with trust side subnet of firewall
- Configure path monitoring with newly added interface? How do I add destination ip? I dont see any option to use single interface under path monitoring.
No problem about the hijacking, @vwaghmar. Thanks for answering my question. I was trying to test the path monitoring using ping before configuring it into HA. That apparently can't be made to work, but isn't necessary. Just putting the source address into the vwire path monitoring config is all that's needed. I was making it harder than it had to be.
Good luck with your layer-3 issue.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!