System logs report "Path monitoring failed for static route destination..." message

Created On 04/10/23 10:42 AM - Last Modified 07/23/24 20:25 PM


Symptom


  • Path Monitoring for a Static Route is configured
  • System logs (show log system) report "Path monitoring failed for static route destination x.y.z.q/m with next hop x.y.z.a. Route removed."


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Path Monitoring


Cause


Destination IPs are intermittently unreachable, which leads to path monitoring failure followed by the tunnel going down.
 


Resolution


 
  1. Use CLI command show routing path-monitor to verify the current static route status and monitored-IP state.
    admin@PA-VM> show routing path-monitor
    flags: A:active, S:static, E:ecmp
    VIRTUAL ROUTER: default (id 1)
    =================================  ==========
    destination                 nexthop              metric weight flags      interface     pathmonitor   status
    192.168.16.0/24          172.16.130.96             10              S        ethernet1/1   Enabled(Any)  Down
    |--> monitored-IP                              interval/count  state
         8.8.8.8                                         3/5      Failed
  2. Verify the path monitor failure and find the timestamps from log file routed.log.
    admin@PA-VM> grep pattern MON: mp-log routed.log
    2023-05-01 10:26:01.491 +0800 MON: status update md(16: 172.16.130.165 => 172.16.130.96 => 8.8.8.8) Failed
    2023-05-01 10:26:01.491 +0800 MON: status update monitor(vr default: 192.168.16.0 > 172.16.130.96) Down
  3. Use CLI command debug routing path-monitor to find out the details of the path monitor. The path monitor failure can be confirmed by monitoring and comparing Tx packets and Rx packets.
    admin@PA-VM> debug routing path-monitor
    
    sw.mprelay.s1.dp0.rtmon.debug
    
    ID: 0
    Source Address: 172.16.130.165
    Source Address (Dynamic): ::
    Destination Address: 8.8.8.8
    Next Hop Address: 172.16.130.96
    Next Hop VR: 0
    Next Hop VR Address: ::
    Interface ID: 16
    Ping Count: 5
    Ping Interval: 3
    Tick Elapsed: 50
    Status: 0
    
    TX packets: 19
    Rx packets: 0
    Errors:
    Generic: 0
    Link: 0
    Dynamic Source: 0
    TX Resource 1: 0
    TX Resource 2: 0
    Route Lookup: 0
    Interface: 0
    Tunnel Egress: 0
    L2: 1
    RX Generic: 0
  4. In this example, the path monitoring packets are transmitted but the response (RX) packets are not seen. The intermediate devices need to be checked for packet loss.
  5. As a workaround, use known reachable IPs that respond to ICMP packets for the path monitor.
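
The checks in steps 2 to 4 can be scripted once the CLI output has been saved as text. The following Python is an added example, not part of the original article or of any Palo Alto Networks tooling; the function names and verdict strings are hypothetical, and it assumes the output has exactly the line formats shown above.

```python
import re
from datetime import datetime
# Sample input: lines copied from the CLI output shown in this article.
ROUTED_LOG = """\
2023-05-01 10:26:01.491 +0800 MON: status update md(16: 172.16.130.165 => 172.16.130.96 => 8.8.8.8) Failed
2023-05-01 10:26:01.491 +0800 MON: status update monitor(vr default: 192.168.16.0 > 172.16.130.96) Down
"""
DEBUG_OUTPUT = """\
Destination Address: 8.8.8.8
TX packets: 19
Rx packets: 0
Errors:
Generic: 0
L2: 1
"""
MON_RE = re.compile(r"^(\S+ \S+ [+-]\d{4}) MON: status update (md|monitor)\((.*)\) (\S+)$")

def parse_mon_events(text):
    """Return (timestamp, kind, path, state) for each MON: status update line."""
    events = []
    for line in text.splitlines():
        m = MON_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f %z")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def parse_debug(text):
    """Split 'Name: value' lines into general fields and the counters under 'Errors:'."""
    stats, errors = {}, {}
    target = stats
    for line in text.splitlines():
        key, sep, val = (part.strip() for part in line.partition(":"))
        if key == "Errors" and not val:
            target = errors  # every counter after this header is an error counter
        elif sep and val:
            target[key] = int(val) if val.isdigit() else val
    return stats, errors

def diagnose(stats, errors):
    """Compare TX and Rx probe counts and list the non-zero error counters."""
    tx, rx = stats.get("TX packets", 0), stats.get("Rx packets", 0)
    if tx > 0 and rx == 0:
        verdict = "probes transmitted, no replies received"
    else:
        verdict = "replies received" if rx else "no probes transmitted"
    return verdict, {name: n for name, n in errors.items() if n}

if __name__ == "__main__":
    print(parse_mon_events(ROUTED_LOG), diagnose(*parse_debug(DEBUG_OUTPUT)))
```

Running `diagnose` on output captured at intervals shows whether the Rx counter ever advances, which separates a monitored IP that never answers from one that answers intermittently.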

