Prisma Access Tunnel Monitoring Behavior and Verification

• Traffic no longer traversing through Service Connection/Remote Network via IPSec tunnel.
• IPSec tunnel may show as up, but the tunnel monitoring will show "down" status.

• Prisma Access
• Service Connection
• Remote Networks

• Configured Tunnel monitoring is down.
• When tunnel monitoring is down, the associated IPSEC tunnel is considered as "down".
• This causes the remote networks and service connections to be unreachable.
• Tunnel Monitoring is ping/icmp traffic that is configured when onboarding Prisma Access, These IP's are assigned to the Loopback interfaces.

1. Ensure tunnel monitored IP address is reachable using ICMP/ping.
2. This causes the tunnel monitor to come up.
3. Another option is to change Tunnel Monitor Destination IP. This can be used when the devices configured for tunnel monitoring is down or have issues.
4. Disable Tunnel Monitoring - This can be done during critical network down scenarios until full resolution is in place.

1. Service Connection IP: 2.2.2.2 attempts to ping Tunnel Monitor Destination IP: 1.1.1.1
2. Server IP 1.1.1.1 fails to respond to ping from 2.2.2.2​​​
   • Device could be configured to not respond to ping traffic
   • Firewall/Network Device upstream denies the ping
   • Incorrect routing could be causing the ping traffic to traverse elsewhere from the network
   • Network under stress causing packets to be dropped 
3. Since the Service Connection is not able to get a response from Server IP 1.1.1.1, the tunnel is then disabled, and thus causing traffic through this tunnel to no longer be traversable. In order to verify if Tunnel Monitoring is down, you can navigate to "Panorama>Cloud Services>Status>Monitor>Service Connection" and hover your mouse over the Tunnel Status Circle and this will bring up an info tip

tunnel {
  interval 2;
  threshold 5;
  action fail-over;
}