Path monitoring in Vwire


Created On 09/26/18 13:50 PM - Last Modified 06/24/21 23:25 PM


Symptom


  • Path monitoring enables the firewall to monitor specified destination IP addresses by sending ICMP ping messages to make sure that they are responsive.
  • This feature can be used in Virtual wire, Layer 2, or Layer 3 configurations where monitoring of other network devices is required for failover and link monitoring alone is not sufficient.
  • This article shows how to configure path monitoring in a Vwire deployment and what to expect on the network and in the CLI once it is committed.


Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 and above.
  • Path Monitoring in VWire setup.


Resolution


Which source IP address to use

For virtual wire and VLAN interfaces, enter as the source IP address an unused IP address from the destination network; the firewall uses it as the source of the probe packets sent to the next-hop router (the destination IP address).
The local router must be able to route the address to the firewall.
The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the routing table as the egress interface for the specified destination IP address.

 

This example explains how path monitoring works using a specific Vwire configuration.

Setup:

LAN Network -- Router A -- PANW Firewall (Vwire) -- Router B

IP Router A: 1.1.1.254
IP Router B: 1.1.1.1

 

GUI: Device > High Availability > Link and Path Monitoring - HA Path Group Virtual Wire:

[Screenshot: confg1.png]

This is the only place where you need to configure the source IP address.

 

Go to GUI: Device > High Availability > Link and Path Monitoring:

[Screenshot: config2.png]

 

When you commit the configuration, you'll notice the following traffic on your network:

ARP broadcast sourced from the firewall to request the MAC address for 1.1.1.1:

[Screenshot: broadcast arp.png]

 

Here is the ARP reply from destination IP 1.1.1.1:

[Screenshot: arp reply.png]

Now the Path Monitoring can start:

[Screenshot: path monitoring.png]

Go to the CLI and verify that path monitoring is working:

(active)> show high-availability path-monitoring
 
--------------------------------------------------------------------------------
total paths monitored :                         1
hold time to send probe packets :               1000 ms
  (after device becomes active)
--------------------------------------------------------------------------------
name/type                 destination     suc/total rtt min/max/avg (ms) probe cnt/interval(ms)
--------------------------------------------------------------------------------
replay/virtual-wire       1.1.1.1         10/10     0.10/0.11/0.11      10/200    
--------------------------------------------------------------------------------
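Operators who poll this output from a script usually want it turned into structured data so that a path with a falling success ratio or a rising RTT raises an alert before HA actually fails over. The following parser is an added example written for this article, not Palo Alto Networks code; the sample text is constructed from the output above with a second, degraded path row added to exercise the health check, and the thresholds passed to unhealthy_paths are assumptions to be tuned per deployment.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on "show high-availability path-monitoring".
# The first row is the article's own; the second row is added to show a
# path that is losing probes (6 of 10 answered) with a higher RTT.
SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------------
total paths monitored :                         2
hold time to send probe packets :               1000 ms
  (after device becomes active)
--------------------------------------------------------------------------------
name/type                 destination     suc/total rtt min/max/avg (ms) probe cnt/interval(ms)
--------------------------------------------------------------------------------
replay/virtual-wire       1.1.1.1         10/10     0.10/0.11/0.11      10/200
upstream/virtual-wire     1.1.1.254       6/10      0.30/4.50/1.20      10/200
--------------------------------------------------------------------------------
"""


@dataclass
class PathStatus:
    """One monitored path: name/type, probe target and probe statistics."""
    name: str
    path_type: str
    destination: str
    success: int
    total: int
    rtt_min_ms: float
    rtt_max_ms: float
    rtt_avg_ms: float
    probe_count: int
    interval_ms: int

    @property
    def success_ratio(self) -> float:
        return self.success / self.total if self.total else 0.0


# One data row: name/type, IPv4 destination, suc/total, min/max/avg, cnt/interval.
ROW_RE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<ptype>\S+)\s+"
    r"(?P<dest>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<suc>\d+)/(?P<tot>\d+)\s+"
    r"(?P<rmin>[\d.]+)/(?P<rmax>[\d.]+)/(?P<ravg>[\d.]+)\s+"
    r"(?P<cnt>\d+)/(?P<ivl>\d+)\s*$"
)
TOTAL_RE = re.compile(r"total paths monitored\s*:\s*(\d+)")


def parse_path_monitoring(text: str) -> List[PathStatus]:
    """Parse the CLI output into PathStatus records.

    Header, separator and hold-time lines do not match ROW_RE and are skipped.
    If the "total paths monitored" counter disagrees with the number of rows
    parsed, the output format has probably changed and we refuse to guess.
    """
    declared: Optional[int] = None
    paths: List[PathStatus] = []
    for line in text.splitlines():
        stripped = line.strip()
        t = TOTAL_RE.search(stripped)
        if t:
            declared = int(t.group(1))
            continue
        m = ROW_RE.match(stripped)
        if not m:
            continue
        paths.append(PathStatus(
            name=m["name"], path_type=m["ptype"], destination=m["dest"],
            success=int(m["suc"]), total=int(m["tot"]),
            rtt_min_ms=float(m["rmin"]), rtt_max_ms=float(m["rmax"]),
            rtt_avg_ms=float(m["ravg"]),
            probe_count=int(m["cnt"]), interval_ms=int(m["ivl"]),
        ))
    if declared is not None and declared != len(paths):
        raise ValueError(f"expected {declared} path rows, parsed {len(paths)}")
    return paths


def unhealthy_paths(paths: List[PathStatus], min_success_ratio: float = 0.8,
                    max_avg_rtt_ms: Optional[float] = None) -> List[PathStatus]:
    """Return paths below the success threshold or above the RTT threshold."""
    flagged = []
    for p in paths:
        if p.success_ratio < min_success_ratio:
            flagged.append(p)
        elif max_avg_rtt_ms is not None and p.rtt_avg_ms > max_avg_rtt_ms:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for p in unhealthy_paths(parse_path_monitoring(SAMPLE_OUTPUT)):
        print(f"{p.name}/{p.path_type} -> {p.destination}: "
              f"{p.success}/{p.total} probes answered, avg RTT {p.rtt_avg_ms} ms")
```

The declared-count check matters more than it looks: a PAN-OS release that reorders or renames a column would otherwise silently produce an empty list, which a naive check would read as "no unhealthy paths".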
 

Note: Because the ARP request is sent out of the Vwire interfaces, it carries a unique source MAC address that is not assigned to any firewall interface.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrwCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail