IPSec Tunnel Monitoring is a mechanism that sends constant pings to the monitored IP address sourced from the IP of the tunnel interface. The interval for the pings is specified in its Monitor Profile (Network > Network Profiles > Monitor > Interval).

Note: The monitored IP address is configured at: Network > IPSec Tunnels > General Tab > Destination IP.

To check if the tunnel monitoring is up or down, use the following command:

```
id name             state  monitor local-ip    peer-ip     tunnel-i/f
1  tunnel-to-remote active up      10.66.24.94 10.66.24.95 tunnel.2
```

The above output shows that the monitor status is "up".

To verify the count of these pings use the show vpn flow tunnel-id command.

Monitor packets sent - Number of pings sent.

Monitor packets recv - Number of replies received to the pings sent.

Monitor packets seen - Number of monitor packets received from remote side querying for us.

Monitor packets reply - Number of replies sent in response to "monitor packets seen". This will increment only if the requests were made to tunnel interface IP.

In order to see real-time run-time states for a particular tunnel, run the following command:

```
> show running tunnel flow tunnel-id 1 | match monitor
```

If the monitor is "on" and the monitor status is "down" for any reason, you can still see that "monitor packets sent" keeps incrementing while "monitor packets recv" stays constant. Even if the tunnel is down and the monitor status is down, monitor pings are still sent at regular intervals.

Note: Whenever the tunnel goes down, the Palo Alto Networks firewall generates an event under system logs (severity is set to critical). Notifications are generated if an email alert profile is configured for critical logs.

Configure the interface that will connect to the core switch:

```
set interfaces ge-0/0/0 unit 0 description "*** CORE ***"
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24
```

```
set interfaces vlan unit 0 description "*** CORE ***"
set interfaces vlan unit 0 family inet address 10.0.0.5/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CORE
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CORE
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members CORE
```

Configure the interfaces that will connect to the core switch:

```
set interfaces vlan unit 0 family inet address 10.0.0.2/24
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members CORE
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members CORE
```

Configure the interface that will act as the WAN interface for our MPLS connection:

```
set interfaces ge-0/0/15 unit 0 description "*** MPLS CONNECTION TO REMOTE SITE ***"
set interfaces ge-0/0/15 unit 0 family inet address 1.1.1.1/30
```

Configure the interface that will be used for the VPN:

```
set interfaces st0 unit 1 description "*** CONNECTION TO REMOTE SITE ***"
set interfaces st0 unit 1 family inet address 100.100.100.1/30
```

Configure a preferred route to the remote site via 10.0.0.2, and then a backup route via 10.0.0.3:

```
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-options static route 10.0.99.0/24 next-hop st0.1
set routing-options static route 10.0.99.0/24 qualified-next-hop 10.0.0.3 preference 6
```

```
set security ike policy IKE-POLICY-REMOTE-SITE mode main
set security ike policy IKE-POLICY-REMOTE-SITE proposal-set standard
set security ike policy IKE-POLICY-REMOTE-SITE pre-shared-key ascii-text testing123
set security ike gateway GW-REMOTE-SITE ike-policy IKE-POLICY-REMOTE-SITE
set security ike gateway GW-REMOTE-SITE address 1.1.1.2
set security ike gateway GW-REMOTE-SITE external-interface ge-0/0/15.0
```