Which Logs are Generated When a Monitor Detects Tunnel is Down/... - Knowledge Base - Palo Alto Networks

Which Logs are Generated When a Monitor Detects Tunnel is Down/Up?

Created On 09/26/18 13:47 PM - Last Modified 04/20/20 23:38 PM


Symptom


The Tunnel Monitor feature checks connectivity to an IP address located behind the tunnel. It can be used to fail over automatically to another interface if needed, or to send pings continuously through the tunnel so that the tunnel stays alive even when there is no real user traffic.

Resolution


When a monitored IP appears down, a system log entry with the event ID "tunnel-status-down" is created.

The message shown below is from a VPN and contains the name of the tunnel that went down. The message also has an info or critical level of severity, so if there is a need for a notification to be created through email or an external syslog server, forward the informational/critical level of messages.


The following CLI command shows the corresponding output:


admin@PA-3250> show log system direction equal backward subtype equal vpn eventid equal "tunnel-status-down"

Time                Severity Subtype Object EventID ID Description
===============================================================================
2019/04/05 08:12:23 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/04/05 08:02:07 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/04/05 07:59:34 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/04/05 07:47:12 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/04/05 07:39:20 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/04/03 08:24:42 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/04/03 08:16:43 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down


When a monitored IP comes back up, a system log entry with the event ID "tunnel-status-up" is created.

The message below is from a VPN and contains the name of the tunnel that came up. The message also has an info or critical level of severity, so if there is a need for a notification to be created through email or an external syslog server, forward the informational/critical level of messages.


The following CLI command shows the corresponding output:


admin@PA-3250> show log system direction equal backward subtype equal vpn eventid equal "tunnel-status-up"
Time                Severity Subtype Object EventID ID Description
===============================================================================
2019/04/05 08:58:23 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/04/05 08:04:14 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/04/05 08:00:52 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/04/05 07:47:50 info     vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/04/03 08:25:18 info     vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/03/29 14:53:59 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/03/29 14:42:24 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/03/28 16:58:47 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/03/28 16:21:34 info     vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/03/28 16:03:47 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/03/08 19:39:51 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up


Finding site-to-site IPSec tunnel uptime or downtime

The log entries generated by the Tunnel Monitoring feature can be combined into a single view by using a variation of the show log system command:

> show log system subtype equal vpn | match "Tunnel <Tunnel_Name> is"

 

This allows for easy visualization of the IPSec tunnel's uptime or downtime.

For example:

admin@PA-3250> show log system subtype equal vpn | match "Tunnel IPSEC-Tunnel-Primary"
2019/02/26 17:23:14 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/02/26 17:37:17 info     vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/02/26 18:02:42 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/02/26 18:11:12 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/02/26 18:37:41 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/02/26 18:41:06 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/02/26 18:42:26 info     vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
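
To turn that combined output into outage durations, the added example below (not part of the original article or of PAN-OS) parses the "Tunnel <name> is up/down" entries and pairs each first "down" with the next "up". The function names are hypothetical, the sample is the output shown above, and tunnel names are assumed to contain no spaces.

```python
import re
from datetime import datetime

# Constructed sample: the entries from the article's example output.
SAMPLE = """\
2019/02/26 17:23:14 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/02/26 17:37:17 info     vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/02/26 18:02:42 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/02/26 18:11:12 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/02/26 18:37:41 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is down
2019/02/26 18:41:06 critical vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
2019/02/26 18:42:26 info     vpn     IPSEC- tunnel- 0  Tunnel IPSEC-Tunnel-Primary is up
"""

# Assumption: tunnel names contain no spaces.
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\s+\S+\s+vpn\s.*?Tunnel (\S+) is (up|down)$")

def parse_events(text):
    """Return (timestamp, tunnel, state) tuples sorted oldest-first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # headers, prompts and separators are skipped
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)  # "direction equal backward" prints newest first

def outages(events):
    """Pair the first 'down' with the next 'up' for each tunnel.

    Returns (closed, still_down); repeated 'down' or 'up' entries are ignored.
    """
    open_since, closed = {}, []
    for ts, tunnel, state in events:
        if state == "down":
            open_since.setdefault(tunnel, ts)
        elif tunnel in open_since:
            start = open_since.pop(tunnel)
            closed.append((tunnel, start, ts, int((ts - start).total_seconds())))
    return closed, open_since

if __name__ == "__main__":
    closed, still_down = outages(parse_events(SAMPLE))
    for tunnel, start, end, secs in closed:
        print(f"{tunnel}: down {start} -> up {end} ({secs // 60}m {secs % 60}s)")
    for tunnel, start in still_down.items():
        print(f"{tunnel}: down since {start}, no 'up' entry yet")
```

A tunnel left in still_down has a "down" entry with no later "up" in the captured window, which is the case worth alerting on when these logs are forwarded to syslog.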

 

owner: ialeksov


