Path Monitor shows down when firewall is configured with the SD-WAN DIA

Created On 01/27/22 14:52 PM - Last Modified 10/05/23 03:29 AM


Symptom


  • When the firewall is configured with an SD-WAN DIA (Direct Internet Access) link, the path-monitor stats show the link as DOWN:
admin@Branch-1> show sdwan path-monitor stats 

***slot1 dp0:***
 idx    if-id  vif         state/reason     State-chg-cnt latency jitter loss(%) Type    Interface/Tunnel                 Profile                         
---------------------------------------------------------------------------------------------------------------------
 0      16     sdwan.901   DOWN/ping      12        0       0      0       Native  ethernet1/1               N/A                             
 1      17     sdwan.901   UP/ping        3         0       0      0       Native  ethernet1/2               N/A
  • The physical interface has the IP address shown below:
name                id    vsys zone             forwarding               tag    address                                         
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1    Trust            vr:default               0      x.x.x.1/24        
ethernet1/2         17    1    Trust            vr:default               0      y.y.y.1/24
  • A ping from the physical interface to the default gateway/next hop succeeds, so the next hop is reachable:
admin@Branch-1> ping source x.x.x.1 host x.x.x.2
...
2 packets transmitted, 2 received, 0% packet loss, time 1012ms
rtt min/avg/max/mdev = 0.636/1.143/1.650/0.507 ms




Environment


  • PAN-OS 10.0.x
  • Panorama
  • SDWAN deployment
  • SDWAN plugin


Cause


  • The path-monitor status is DOWN because the default gateway/next hop does not reply to the ICMP ping probe messages.
  • The path-monitor ICMP ping probe is sent as an Echo Request with Type 8 and Code 1:
Frame 3: 122 bytes on wire (976 bits), 122 bytes captured (976 bits)
Ethernet II, Src: PaloAlto_d8:2b:10 (c4:24:56:d8:2b:10), Dst: PaloAlto_d7:f9:12 (c4:24:56:d7:f9:12)
Internet Protocol Version 4, Src: x.x.x.1, Dst: x.x.x.2
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 1  
    Checksum: 0xf16d [correct]
    [Checksum Status: Good]
    Identifier (BE): 52763 (0xce1b)
    Identifier (LE): 7118 (0x1bce)
    Sequence Number (BE): 13546 (0x34ea)
    Sequence Number (LE): 59956 (0xea34)
    [No response seen]
    Data (80 bytes)
  • A normal ping packet is an Echo Request with Type 8 and Code 0:
Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Ethernet II, Src: PaloAlto_d8:2b:10 (c4:24:56:d8:2b:10), Dst: 00:70:76:69:66:00 (00:70:76:69:66:00)
Internet Protocol Version 4, Src: x.x.x.1, Dst: x.x.x.2
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0 
    Checksum: 0x44d8 [correct]
    [Checksum Status: Good]
    Identifier (BE): 16371 (0x3ff3)
    Identifier (LE): 62271 (0xf33f)
    Sequence Number (BE): 6 (0x0006)
    Sequence Number (LE): 1536 (0x0600)
    [No response seen]
    Data (56 bytes)
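As an added example (not part of the original article), the following Python script builds the two Echo Request variants shown above and parses an ICMP message to tell a Code 1 path-monitor probe from a standard Code 0 ping, which is useful when reviewing a capture at the next hop. The identifier and sequence values are taken from the captures above; the payloads are constructed zero bytes, so the checksums differ from the capture.

```python
import struct

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP Echo Request (Type 8) carrying the given Code field."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, code, csum, ident, seq) + payload


def classify_echo(pkt: bytes) -> dict:
    """Parse an ICMP message and label Echo Requests by their Code field.

    Code 0 is the standard echo request; Code 1 is what the PAN-OS 10.0.x
    SD-WAN path monitor sends, which the next hop may not answer.
    """
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if icmp_type != ICMP_ECHO_REQUEST:
        kind = "not-echo-request"
    elif code == 0:
        kind = "standard-echo-request"
    elif code == 1:
        kind = "sdwan-path-monitor-probe"
    else:
        kind = "nonstandard-code-echo-request"
    return {
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "data_len": len(pkt) - 8,
        # A valid checksum makes the one's-complement sum of the whole message 0.
        "checksum_ok": icmp_checksum(pkt) == 0,
        "kind": kind,
    }


# Constructed samples using the identifier/sequence values from the captures
# above; payloads are zero-filled, so the checksums differ from the capture.
PROBE = build_echo_request(1, 0xCE1B, 0x34EA, bytes(80))
NORMAL = build_echo_request(0, 0x3FF3, 6, bytes(56))

if __name__ == "__main__":
    for name, pkt in (("path-monitor probe", PROBE), ("normal ping", NORMAL)):
        print(name, classify_echo(pkt))
```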




Resolution


  1. The issue is tracked under defect ID PAN-183579.
  2. Upgrading to a fixed release (PAN-OS 10.0.11, 10.1.6 or 10.2.2) resolves the issue.


Additional Information


You can also troubleshoot at the next hop to determine why the ping probe messages are not being answered (for example, is ICMP Echo Request with Code 1 being blocked?).
For more details, see the following document: SaaS Application Path Monitoring

