HA Path Monitoring Across IPSEC tunnel failing
11305
Created On 05/21/19 21:45 PM - Last Modified 04/15/24 18:10 PM
Symptom
- In High Availability Active-Passive configuration, path-monitoring over an IPsec tunnel fails.
- Passive Firewall moves into "non-functional" loop
- Ping across the tunnel interfaces works fine.
- No drops, warning, or errors in flow basic or counters.
- The system logs show the loop:
> 2019-01-25 01:35:49 HA State change reason: Path down
> 2019-01-25 01:44:09 HA State change reason: Non-functional loop detected
> 2019-01-25 02:02:10 HA state transit to Non-Functional
> 2019-01-25 02:03:10 HA state transit to Passive
> 2019-01-25 02:03:15 HA state transit to Active
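An added example (not part of the article and not Palo Alto Networks code) that parses system-log lines in the format quoted above and pairs each "Non-functional loop detected" event with the preceding "Path down" reason, so a log pipeline can alert on an HA pair whose path monitor is being evaluated across a tunnel. The line format matched by the regular expression and the one-hour pairing window are assumptions; the sample log is constructed from the excerpt above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the system-log excerpt quoted in the article above.
SAMPLE_LOG = """\
2019-01-25 01:35:49 HA State change reason: Path down
2019-01-25 01:44:09 HA State change reason: Non-functional loop detected
2019-01-25 02:02:10 HA state transit to Non-Functional
2019-01-25 02:03:10 HA state transit to Passive
2019-01-25 02:03:15 HA state transit to Active
"""

# Assumed line shape: "<ts> HA State change reason: <reason>" or "<ts> HA state transit to <state>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) HA "
                     r"(?:State change reason: |state transit to )(.+)$")

def parse_ha_events(text):
    """Return [(timestamp, message)] for each HA line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2).strip()))
    return events

def find_path_monitor_loops(events, window=timedelta(hours=1)):
    """Pair each 'Non-functional loop detected' with the latest 'Path down' in `window`."""
    findings, last_path_down = [], None
    for ts, msg in events:
        if msg == "Path down":
            last_path_down = ts
        elif (msg == "Non-functional loop detected" and last_path_down is not None
              and ts - last_path_down <= window):
            findings.append({"path_down": last_path_down, "loop_detected": ts})
    return findings

def count_state_cycles(events):
    """Count Non-Functional -> Passive -> Active sequences, one per flap of the loop."""
    states = [m for _, m in events if m in ("Non-Functional", "Passive", "Active")]
    cycles = i = 0
    while i + 2 < len(states):
        if states[i:i + 3] == ["Non-Functional", "Passive", "Active"]:
            cycles, i = cycles + 1, i + 3
        else:
            i += 1
    return cycles
```

A finding from `find_path_monitor_loops` is the cue to check whether the HA path-monitor destination is only reachable through a tunnel interface.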
Environment
- Any PAN-OS.
- HA (High Availability) configured.
- IPSec tunnel configured.
- Any Palo Alto Networks Firewall.
Resolution
HA path monitoring over an IPSec tunnel does not work because the path-monitoring feature is not designed to consider tunnel interfaces. This is not a supported configuration.
Additional Information
The "Tunnel monitoring" feature can be used for tunnel failover, but it cannot be used for HA failover. With tunnel monitoring enabled, the firewall can fail the tunnel over to another tunnel based on its "Dead Peer Detection" and "tunnel status" capabilities. Refer to the PAN-OS Administration Guide, Set Up Tunnel Monitoring, for more information.