HA Path Monitoring Across IPSEC tunnel failing

HA Path Monitoring Across IPSEC tunnel failing

10172
Created On 05/21/19 21:45 PM - Last Modified 04/15/24 18:10 PM


Symptom


  • In High Availability Active-Passive configuration, path-monitoring over an IPsec tunnel fails.
  • Passive Firewall moves into "non-functional" loop
  • Ping across  tunnel  interfaces work fine.
  • No drops, warning, or errors in flow basic or counters.
  • System logs shows the loop 
> 2019-01-25 01:35:49 HA State change reason: Path down
> 2019-01-25 01:44:09 HA State change reason: Non-functional loop detected
> 2019-01-25 02:02:10 HA state transit to Non-Functional
> 2019-01-25 02:03:10 HA state transit to Passive
> 2019-01-25 02:03:15 HA state transit to Active


Environment


  • Any PAN-OS.
  • HA (High Availability) configured.
  • IPSec tunnel configured.
  • Any Palo Alto Networks Firewall.


Resolution


HA path monitoring over an IPSec tunnel will not work since the monitoring feature is not designed to consider tunnel interfaces. This is not a supported feature.



Additional Information


"Tunnel monitoring" feature can be used for tunnel failover, but this cannot be used for HA failover. When using this feature, the tunnel can fail over to another tunnel due to its "Dead Peer Detection" and "tunnel status" capability on the firewall. Refer to the PAN-OS Administration Guide, Set Up Tunnel Monitoring for more information. 

Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000PM0L&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail

Choose Language