PBF Rule is not Working When PBF Monitoring is Enabled for the IP Across the Tunnel

44989
Created On 09/26/18 13:49 PM - Last Modified 08/08/24 01:42 AM


Symptom


  • A public monitoring IP is configured on a Policy-Based Forwarding (PBF) rule.
  • The PBF rule stops forwarding traffic and is disabled because the path monitor reports a failure.


Environment




Cause


  • With PBF monitoring enabled, the firewall sends keepalives (ICMP) to the monitor IP out of the rule's egress interface, using that interface's address as the source.
  • If routing (and/or NAT) is incorrect on either leg, the keepalives may never reach the monitor IP, or the replies may never make it back to the firewall.
  • Once the configured threshold of consecutive failures is reached, the monitor marks the next hop as DOWN and the rule is disabled, as per the configuration.
  • Use "show pbf rule name <name>" to check the status. In the example below, keepalives are being sent but no replies are received (KA sent:2971, KA got:0), so the next hop is DOWN and the rule is Disabled:
Rule: PBF VPN1(6)
Rule State: Disabled
Action: Forward
Symmetric Return: No
Egress IF/VSYS: tunnel.1
NextHop: 0.0.0.0
Monitor Slot: 1
Monitor IP: 170.66.50.11
NextHop Status: DOWN
Monitor: Action:Fail-Over, Interval:3, Threshold:5
Stats: KA sent:2971, KA got:0, Packet Matched:28675


Resolution


  1. Ensure the configured public monitoring IP is reachable through the tunnel interface (the PBF egress interface), i.e. that a route to the monitor IP points into the tunnel and that the remote side accepts and forwards the keepalives.
  2. Similarly, ensure the reply packets from the monitored IP are routed back to the firewall's egress interface address (the keepalive source), and that no NAT along the path rewrites the source in a way that breaks the return path.
Note: The remote peer's public IP cannot be used as the monitor IP.
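The following Python script is an added example (not part of this article or of any Palo Alto Networks tooling) that parses the "show pbf rule name <name>" output shown above and classifies the monitor failure the way the Cause and Resolution sections describe: keepalives sent but none received points at a routing or NAT problem on the outbound or return leg, and a monitor IP equal to the remote peer's public IP is flagged as unsupported. The failing sample is the article's own output; the "healthy" sample and the optional remote-peer IP argument are constructed for illustration.

```python
"""Triage PBF monitor state from 'show pbf rule name <name>' output.

Added example, not Palo Alto Networks code. Parses the plain-text CLI output
and explains why a PBF rule was disabled by its path monitor.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample 1: the failing rule exactly as shown in the article.
SAMPLE_FAILING = """\
Rule: PBF VPN1(6)
Rule State: Disabled
Action: Forward
Symmetric Return: No
Egress IF/VSYS: tunnel.1
NextHop: 0.0.0.0
Monitor Slot: 1
Monitor IP: 170.66.50.11
NextHop Status: DOWN
Monitor: Action:Fail-Over, Interval:3, Threshold:5
Stats: KA sent:2971, KA got:0, Packet Matched:28675
"""

# Constructed sample 2: an invented healthy rule (assumption, for contrast).
SAMPLE_HEALTHY = """\
Rule: PBF VPN2(7)
Rule State: Enabled
Action: Forward
Symmetric Return: No
Egress IF/VSYS: tunnel.2
NextHop: 0.0.0.0
Monitor Slot: 2
Monitor IP: 192.0.2.10
NextHop Status: UP
Monitor: Action:Fail-Over, Interval:3, Threshold:5
Stats: KA sent:1200, KA got:1198, Packet Matched:50
"""


@dataclass
class PbfRuleStatus:
    name: str
    state: str
    egress_if: str
    monitor_ip: str
    nexthop_status: str
    ka_sent: int
    ka_got: int


def parse_pbf_rule(text: str) -> PbfRuleStatus:
    """Parse the 'Key: value' lines of one rule into a PbfRuleStatus."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
    # The Stats line packs three counters: "KA sent:N, KA got:N, Packet Matched:N"
    stats = dict(re.findall(r"(KA sent|KA got|Packet Matched):(\d+)", fields.get("Stats", "")))
    return PbfRuleStatus(
        name=fields["Rule"],
        state=fields["Rule State"],
        egress_if=fields["Egress IF/VSYS"],
        monitor_ip=fields["Monitor IP"],
        nexthop_status=fields["NextHop Status"],
        ka_sent=int(stats.get("KA sent", 0)),
        ka_got=int(stats.get("KA got", 0)),
    )


def triage(status: PbfRuleStatus, remote_peer_public_ip: str = None) -> list:
    """Return a list of findings; an empty list means the monitor is healthy."""
    findings = []
    # The article notes the remote peer's public IP is not a valid monitor target.
    if remote_peer_public_ip and ip_address(status.monitor_ip) == ip_address(remote_peer_public_ip):
        findings.append("monitor IP is the remote peer's public IP, which cannot be used as a monitor target")
    if status.nexthop_status == "UP":
        return findings
    if status.ka_sent == 0:
        findings.append("no keepalives sent: confirm monitoring is active and the egress interface is up")
    elif status.ka_got == 0:
        findings.append(
            f"no keepalive replies via {status.egress_if}: verify {status.monitor_ip} is reachable "
            f"through the tunnel and that its replies are routed (and not NATed away) back to the firewall"
        )
    else:
        loss = 100.0 * (1 - status.ka_got / status.ka_sent)
        findings.append(f"intermittent keepalive loss ({loss:.1f}% lost): check path stability and the monitor threshold")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_FAILING, SAMPLE_HEALTHY):
        st = parse_pbf_rule(sample)
        print(f"{st.name}: state={st.state} nexthop={st.nexthop_status} -> {triage(st) or ['healthy']}")
```

Run it against the text of "show pbf rule name <name>" (or each rule block from "show pbf rule all") to get a one-line explanation per rule; the remote-peer argument is only needed when you want the script to catch the unsupported monitor-IP choice before you go chasing routing.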


Additional Information


How to Setup a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover
