Tunnel Interface Status Showing Down (Red) When Tunnel is Up.
63634
Created On 04/29/19 14:11 PM - Last Modified 04/30/19 18:02 PM
Symptom
The IPSec tunnel is configured and shows as Up, but the tunnel interface status shows Down (red). Routes through that tunnel are also missing from the routing table.
Environment
PAN-OS
Firewall configured with an IPSec Tunnel
Cause
This can happen when tunnel monitoring is enabled with a Monitor Profile whose action is set to fail over, and the remote tunnel monitoring IP address is unreachable. Tunnel monitoring is used together with Monitor Profiles to bring down the tunnel interface when the monitored IP stops responding, so that routing updates and traffic can fail over to secondary routes. In that case the interface is down by design, even though the IPSec tunnel itself is up.
The status can be checked by running the commands below:
show vpn flow
show vpn flow tunnel-id <id from previous output> | match monitor
Resolution
IPSec tunnel monitoring sends periodic pings through the tunnel to the monitored IP address, sourced from the IP of the tunnel interface. Verify that the monitored IP is reachable when the ping is sourced from the tunnel interface. This can be checked by initiating a ping from the CLI:
> ping source <tunnel interface ip> host <monitored-ip>
Ensure that the proxy IDs are configured correctly, so that traffic from the tunnel interface IP to the monitored IP is covered by the tunnel's proxy IDs; otherwise the monitor pings cannot traverse the tunnel.
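The following is an added example, not Palo Alto Networks code: it takes the output of the two commands above and classifies whether the symptom matches this article's cause (IPSec active, monitoring on, pings sent but never answered). The sample outputs are constructed and only approximate the real PAN-OS field names and column layout, so treat the parsing as an assumption to adjust against your own device output.

```python
import re

# Constructed sample of `show vpn flow` (tunnel table). Column layout is an
# assumption approximating PAN-OS output, not a capture from a device.
SAMPLE_FLOW_OUTPUT = """\
id    name        state   monitor local-ip      peer-ip        tunnel-i/f
--    ----        -----   ------- --------      -------        ----------
1     to-branch   active  on      198.51.100.1  203.0.113.1    tunnel.1
2     to-dc       active  off     198.51.100.1  203.0.113.2    tunnel.2
"""

# Constructed sample of `show vpn flow tunnel-id 1 | match monitor`.
# Field names are likewise an assumption.
SAMPLE_MONITOR_OUTPUT = """\
        monitor:                on
        monitor packets seen:   120
        monitor packets reply:  0
"""


def parse_flow_table(text):
    """Return {tunnel_id: {name, state, monitor, tunnel_if}} from the flow table."""
    tunnels = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or not cols[0].isdigit():
            continue  # header, separator or unrelated lines
        tunnels[int(cols[0])] = {
            "name": cols[1], "state": cols[2], "monitor": cols[3], "tunnel_if": cols[6],
        }
    return tunnels


def parse_monitor_counters(text):
    """Pull the 'monitor', 'monitor packets seen/reply' fields out of per-tunnel output."""
    pattern = r"^\s*(monitor(?: packets (?:seen|reply))?):\s*(\S+)"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, text, re.M)}


def diagnose(flow_entry, counters):
    """Classify the article's symptom: IPSec up but tunnel interface down."""
    if flow_entry["state"] != "active":
        return "ipsec-down"           # the SA itself is not up: a different problem
    if counters.get("monitor") != "on":
        return "monitor-off"          # monitoring did not pull the interface down
    seen = int(counters.get("monitor packets seen", 0))
    reply = int(counters.get("monitor packets reply", 0))
    if seen > 0 and reply == 0:
        return "monitor-unreachable"  # pings sent, none answered: fail-over action fires
    return "monitor-ok"
```

A result of monitor-unreachable means the next step is the sourced ping and the proxy ID check from the Resolution section.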
Additional Information
For additional information, please refer to these references:
How to Verify if IPSec Tunnel Monitoring is Working
Dead Peer Detection and Tunnel Monitoring
Tunnel Monitoring for VPN Between Palo Alto Networks Firewalls and Cisco ASA
Which Logs are Generated When a Monitor Detects Tunnel is Down/Up?
CLI Commands to Status, Clear, Restore, and Monitor an IPSec VPN Tunnel