How to Verify if IPSec Tunnel Monitoring is Working
Symptom
Overview
IPSec Tunnel Monitoring is a mechanism that sends constant pings to the monitored IP address sourced from the IP of the tunnel interface. The interval for the pings is specified in its Monitor Profile (Network > Network Profiles > Monitor > Interval).
Note: The monitored IP address is configured at: Network > IPSec Tunnels > General Tab > Destination IP.
Environment
- Palo Alto Networks firewall
- PAN-OS 9.1
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
Resolution
Details
To check if the tunnel monitoring is up or down, use the following command:
> show vpn flow
id name state monitor local-ip peer-ip tunnel-i/f
------------------------------------------------------------------------------------
1 tunnel-to-remote active up 10.66.24.94 10.66.24.95 tunnel.2
The above output shows that the monitor status is "up".
To verify the count of these pings, use the show vpn flow tunnel-id <id> command.
For example:
> show vpn flow tunnel-id 1
tunnel tunnel-to-remote
id: 1
type: IPSec
gateway id: 1
local ip: 10.66.24.94
peer ip: 10.66.24.95
inner interface: tunnel.2
outer interface: ethernet1/3
state: active
session: 6443
tunnel mtu: 1436
lifetime remain: 2663 sec
latest rekey: 937 seconds ago
monitor: on
monitor status: up
monitor interval: 3 seconds
monitor threshold: 5 probe losses
monitor packets sent: 739180
monitor packets recv: 732283
monitor packets seen: 584
monitor packets reply: 584
en/decap context: 76
local spi: F18E58FF
remote spi: B90FCFB2
In the above output:
- monitor packets sent: number of pings sent.
- monitor packets recv: number of replies received to the pings sent.
- monitor packets seen: number of monitor packets received from the remote side probing us.
- monitor packets reply: number of replies sent in response to "monitor packets seen". This increments only if the remote side's requests were addressed to the tunnel interface IP.
To see the real-time (run-time) monitor state of a particular tunnel, run the following command:
> show running tunnel flow tunnel-id 1 | match monitor
monitor: on
monitor status: up
monitor interval: 3 seconds
monitor threshold: 5 probe losses
monitor packets sent: 739180
monitor packets recv: 732283
monitor packets seen: 584
monitor packets reply: 584
If the monitor is "on" but the monitor status is "down" for any reason, "monitor packets sent" keeps incrementing while "monitor packets recv" stays constant: the firewall continues to send the pings at the configured interval even while the tunnel and the monitor are down, but no replies arrive.
Please also note this additional scenario:
The monitor is "on" and the monitor status is "up", but "monitor packets recv" is higher than "monitor packets sent". Cause: the client and server are not managed by the customer.
In this case:
- Check for the s2c and c2s flows in the traffic logs. This may indicate further connectivity issues from either side.
- Collect a packet capture between the server IP and the client IP.
Additional example:
> show vpn flow name <tunnel name>
monitor: on
monitor status: up
monitor dest: 10.132.0.43
monitor interval: 10 seconds
monitor threshold: 6 probe losses
monitor bitmap: 110000
monitor packets sent: 274153
monitor packets recv: 488199 <—
monitor packets seen: 0
monitor packets reply: 0
encap packets: 561260
decap packets: 764233
encap bytes: 207609040
decap bytes: 108517504
encap IPv4 packets: 561260
decap IPv4 packets: 764233
encap IPv4 bytes: 207609040
decap IPv4 bytes: 108517504
encap IPv6 packets: 0
decap IPv6 packets: 0
encap IPv6 bytes: 0
Note: Whenever the tunnel goes down, the Palo Alto Networks firewall generates an event under system logs (severity is set to critical). Notifications are generated if an email alert profile is configured for critical logs. Please review the following document for more information: How to Configure Email Alerts for System Logs?
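The counter definitions above and the two patterns this article describes (monitor "on" with status "down", where "sent" advances but "recv" stays flat, and the anomalous case where "recv" exceeds "sent") can be checked mechanically when the CLI output is collected on a schedule. The following Python script is an added example, not part of this article and not PAN-OS code: it parses the monitor lines from the two `show vpn flow` outputs quoted on this page (the healthy snapshot and the "Additional example"), plus a constructed pair of snapshots of a down tunnel, and applies the article's rules. The function names and verdict strings are the example's own.

```python
import re

# Sample output copied from this article: the healthy snapshot returned by
# "show running tunnel flow tunnel-id 1 | match monitor".
HEALTHY_SNAPSHOT = """\
monitor: on
monitor status: up
monitor interval: 3 seconds
monitor threshold: 5 probe losses
monitor packets sent: 739180
monitor packets recv: 732283
monitor packets seen: 584
monitor packets reply: 584
"""

# Sample output copied from the article's "Additional example": recv > sent.
RECV_GT_SENT_SNAPSHOT = """\
monitor: on
monitor status: up
monitor dest: 10.132.0.43
monitor interval: 10 seconds
monitor threshold: 6 probe losses
monitor bitmap: 110000
monitor packets sent: 274153
monitor packets recv: 488199
monitor packets seen: 0
monitor packets reply: 0
encap packets: 561260
decap packets: 764233
"""

# Constructed (not from the article) pair of snapshots of a tunnel whose monitor
# is down: "sent" advances between them while "recv" stays flat.
DOWN_SNAPSHOT_T0 = """\
monitor: on
monitor status: down
monitor interval: 3 seconds
monitor threshold: 5 probe losses
monitor packets sent: 1000
monitor packets recv: 880
"""
DOWN_SNAPSHOT_T1 = DOWN_SNAPSHOT_T0.replace("sent: 1000", "sent: 1010")

# "monitor <field>: <value>"; the bare "monitor: on/off" line has no field.
_MONITOR_LINE = re.compile(r"^\s*(monitor(?: [a-z]+)*):\s*(\S.*?)\s*$")
_NUMERIC = re.compile(r"(\d+)(?: seconds| probe losses)?$")


def parse_monitor(text):
    """Return {field: value} for the monitor lines of a vpn flow dump.
    Counters, the interval and the threshold become ints; the bitmap,
    the destination IP and on/off/up/down stay strings."""
    fields = {}
    for line in text.splitlines():
        m = _MONITOR_LINE.match(line)
        if not m:
            continue  # encap/decap and other lines are not monitor state
        key, raw = m.groups()
        key = "enabled" if key == "monitor" else key[len("monitor "):]
        num = None if key == "bitmap" else _NUMERIC.match(raw)
        fields[key] = int(num.group(1)) if num else raw
    return fields


def probe_loss_ratio(fields):
    """Fraction of probes that got no reply, from the lifetime counters."""
    sent, recv = fields["packets sent"], fields["packets recv"]
    return 0.0 if sent == 0 else (sent - recv) / sent


def assess(fields):
    """Classify one snapshot with the article's rules. Verdict strings are
    this example's own names, not PAN-OS output."""
    if fields.get("enabled") != "on":
        return "monitoring-off"
    if fields.get("status") == "down":
        return "down"  # probes keep going out; replies have stopped
    if fields["packets recv"] > fields["packets sent"]:
        # More replies than probes: the article's anomalous case. Next step is
        # the c2s/s2c flows in the traffic log and a capture on both ends.
        return "recv-exceeds-sent"
    return "up"


def peer_answering(before, after):
    """Compare two snapshots taken some intervals apart. True when replies
    advanced; False when probes advanced but replies did not, which is the
    signature of a down monitor that the article describes."""
    sent_delta = after["packets sent"] - before["packets sent"]
    recv_delta = after["packets recv"] - before["packets recv"]
    if sent_delta <= 0:
        raise ValueError("probe counter did not advance; snapshots too close or reversed")
    return recv_delta > 0


if __name__ == "__main__":
    for name, text in [("healthy", HEALTHY_SNAPSHOT), ("additional", RECV_GT_SENT_SNAPSHOT),
                       ("down", DOWN_SNAPSHOT_T0)]:
        f = parse_monitor(text)
        print(f"{name}: verdict={assess(f)} loss={probe_loss_ratio(f):.4%}")
    print("peer answering while down:",
          peer_answering(parse_monitor(DOWN_SNAPSHOT_T0), parse_monitor(DOWN_SNAPSHOT_T1)))
```

Two snapshots are needed for the "down" check because a single dump cannot show that "recv" is flat; collect them at least one monitor interval apart (3 seconds in the first output above), and treat a negative or zero "sent" delta as a collection error rather than a tunnel problem.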
Additional Information
See Also
Dead Peer Detection and Tunnel Monitoring
CLI Commands to Status, Clear, Restore, and Monitor an IPSec VPN Tunnel