Palo Alto Networks Knowledgebase: Differences Between IPSEC and LSVPN Tunnel Monitoring
Differences Between IPSEC and LSVPN Tunnel Monitoring
Created On 09/27/18 11:00 AM - Last Updated 02/07/19 23:36 PM
This document explains the differences between the normal IPSEC tunnel monitoring and LSVPN tunnel monitoring.
IPSEC Tunnel Monitoring:
The tunnel monitors for the specific IP address mentioned in the 'destination field' as below, there are ICMP echo requests that are sent at specific intervals to check if the destination specified is alive. In case there is no response for the specified number of requests, the destination is considered not reachable and fail over occurs:
LSVPN Tunnel Monitoring:
In contrast to IPSEC tunnel monitoring, the IP address given in the destination field is monitored by the satellite devices. If no IP is configured, the satellites will monitor the gateway's tunnel interface address:
The setting needs to be configured only on the gateways. This will automatically be pushed to the satellites. Once the primary gateway fails, traffic from the satellites would be diverted to secondary gateway.