PBF Rule is not Working When PBF Monitoring is Enabled for the IP Across the Tunnel

Created On 09/26/18 13:49 PM - Last Modified 04/08/22 07:14 AM


Resolution


Issue

In a typical setup, an IPSec tunnel is created and a PBF rule forwards traffic into the tunnel when IPSec VPN failover is required.

Note: To configure dual ISPs and automatic VPN failover, follow the document below:

How to Setup a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover

 

We also configure a monitoring IP (an IP on the far side of the tunnel) so that the PBF rule performs tunnel monitoring.

[Figure: PBF.PNG, the PBF rule with path monitoring enabled]

 

If the subnets on both ends overlap, source NAT is configured so that the other end of the tunnel has no routing issue with our traffic.

With this setup the PBF rule might not work, and you could see the PBF rule get disabled.

 

Cause

When PBF monitoring is enabled, the firewall sends keepalive messages sourced from the egress interface IP and sends them out that interface.

If we manually ping the monitoring IP sourced from the egress interface IP, that traffic goes through route lookup and NAT lookup. It is therefore source-NATed and we receive ping replies.

However, the keepalive messages do not go through route lookup, and for the same reason they are not NATed. This can cause a routing issue on the other end, so no keepalive replies come back, which in turn causes the PBF rule to be disabled. The PBF rule status then shows keepalives sent but none received:

 

Rule: PBF VPN1(6)

Rule State: Disabled

Action: Forward

Symmetric Return: No

Egress IF/VSYS: tunnel.1

NextHop: 0.0.0.0

Monitor Slot: 1

Monitor IP: 170.66.50.11

NextHop Status: DOWN

Monitor: Action:Fail-Over, Interval:3, Threshold:5

Stats: KA sent:2971, KA got:0, Packet Matched:28675
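The status block above is easy to check by hand for one rule, but on a firewall with many PBF rules it helps to parse it and flag exactly the pattern this article describes (NextHop Status DOWN with keepalives sent and zero received). The following Python is an added example, not Palo Alto Networks code; it assumes the CLI prints one "Rule:" block per PBF rule with the same field labels shown above, and the sample text is constructed from the article's own output.

```python
"""Parse PAN-OS PBF rule status output and flag rules whose path monitor is down.

Added example, not Palo Alto Networks code. The field labels and layout are
assumed to match the 'show pbf rule' output quoted in the article.
"""
import re

# Constructed sample: the rule status from the article (rule disabled,
# keepalives sent but none received).
SAMPLE_OUTPUT = """\
Rule: PBF VPN1(6)
Rule State: Disabled
Action: Forward
Symmetric Return: No
Egress IF/VSYS: tunnel.1
NextHop: 0.0.0.0
Monitor Slot: 1
Monitor IP: 170.66.50.11
NextHop Status: DOWN
Monitor: Action:Fail-Over, Interval:3, Threshold:5
Stats: KA sent:2971, KA got:0, Packet Matched:28675
"""

RULE_RE = re.compile(r"^Rule:\s*(.+)$")
STATS_RE = re.compile(r"KA sent:(\d+),\s*KA got:(\d+),\s*Packet Matched:(\d+)")
MONITOR_RE = re.compile(r"Interval:(\d+),\s*Threshold:(\d+)")


def parse_pbf_rules(text):
    """Return one dict per 'Rule:' block, with keys derived from the field labels
    (e.g. 'NextHop Status' -> 'nexthop_status', 'Egress IF/VSYS' -> 'egress_if_vsys')."""
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            current = {"name": m.group(1).strip()}
            rules.append(current)
            continue
        if current is None:
            continue  # text before the first rule block
        if line.startswith("Stats:"):
            s = STATS_RE.search(line)
            if s:
                current["ka_sent"], current["ka_got"], current["matched"] = map(int, s.groups())
        elif line.startswith("Monitor:"):
            mm = MONITOR_RE.search(line)
            if mm:
                # Assumption: interval is in seconds, threshold is a probe count.
                current["interval"], current["threshold"] = map(int, mm.groups())
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip().lower().replace(" ", "_").replace("/", "_")
            current[key] = value.strip()
    return rules


def diagnose(rule):
    """Classify a parsed rule:
    'ok'                      - monitored next hop is not DOWN
    'monitor-down-no-replies' - keepalives sent, none ever received (the symptom
                                in this article: probes leave un-NATed and the far
                                end cannot route the replies back)
    'monitor-down-lossy'      - some replies received, but status still DOWN
    """
    status = rule.get("nexthop_status", "").upper()
    sent = rule.get("ka_sent", 0)
    got = rule.get("ka_got", 0)
    if status != "DOWN":
        return "ok"
    if sent > 0 and got == 0:
        return "monitor-down-no-replies"
    return "monitor-down-lossy"


def find_dead_monitors(text):
    """Names of rules whose monitor sends keepalives but gets no replies at all."""
    return [r["name"] for r in parse_pbf_rules(text)
            if diagnose(r) == "monitor-down-no-replies"]


if __name__ == "__main__":
    for rule in parse_pbf_rules(SAMPLE_OUTPUT):
        print(f"{rule['name']}: state={rule.get('rule_state')} "
              f"monitor={rule.get('monitor_ip')} verdict={diagnose(rule)}")
```

A rule reported as `monitor-down-no-replies` with a large `KA sent` count is the signature to look for before assuming the tunnel itself is down: the tunnel may be up and a manual ping may succeed, while the un-NATed keepalives are silently lost on the far side.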

 

Workaround

Configure a public IP on the tunnel interface, and on the other end of the tunnel create a static route for this public IP pointing to the tunnel.

 

owner: skumar1



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqvCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail