Commit Failure While Configuring Tunnel Monitor
Symptom
On the Palo Alto Networks firewall, there were problems configuring the Tunnel Monitor. The firewall is throwing a commit error while applying the change. When committing the configuration, the following error appears:
"IPSec tunnel "tunnel-name" enabled tunnel monitoring while binding to tunnel interface "tunnel-id" which has no IP address assigned to it yet. configuration is invalid."
Environment
- Palo Alto Firewall.
- IPSec VPN configured with tunnel monitoring.
- PAN-OS 7.1 and above.
Cause
The Tunnel Interface needs an IP address in order to enable Tunnel Monitoring.
If the IPSec Tunnel is configured as the scenario shows below, notice the tunnel interface does not have an IP address it will give an error. The Tunnel Monitor needs to be enabled so that the IPSec tunnel always remains up. It can also be used for redundant VPN scenario.
The Tunnel Monitor can be configured from the WebGUI, go to Network > IPSEC Tunnels, click Add and give the VPN a name and select Show Advanced Options:
Resolution
The Tunnel Monitor uses PING packets to monitor the VPN tunnel connectivity sourced from the Tunnel Interface IP. So, it is mandatory to configure tunnel IP when configuring tunnel monitor.
Go to Network > Interfaces > Tunnels > (select configured tunnel Interface)> IPv4, click Add and enter an IP address. A dummy IP address (not used anywhere in the network) can be used to configure the tunnel interface, as shown below:
Additional Information
See Also
For more options to configure Tunnel Monitor, refer to the following document: Selecting an IP Address to use for PBF or Tunnel Monitoring