So I'll try to keep this brief. A while back at work we ran into an instance where we had a backup IPsec tunnel go down at one of our remote sites and we really didn't know about it. We actually have this design throughout all of our network remote sites. These IPsec tunnels are Palo-to-Palo tunnels, so once configured, at the interface level a Palo never shows a down state. Also, we use SolarWinds, which does not have a lot of Palo integration yet. So really these tunnels could go down at any time and we don't really know about it. I initially thought, "Hey, I can configure a simple IP SLA to run an icmp-echo between the tunnel endpoints." Well... turns out this is not terribly reliable. It works, but I get a lot of noise. These IPsec tunnels run over the public internet, so many times (mostly in less developed regions of the world) my SLAs go down, sometimes not even a minute apart, and come back up. This is causing me noise in alarming (I had to create a tracking event to monitor the icmp-echo response failure and log that as a tracked EEM event to generate an SNMP trap so I could get some form of an alarm).
Anywho, now I am trying to tune this. I have come to the conclusion that I don't care if a failure occurs and recovers within 10 minutes. Like I mentioned, most of these have been 1-2 minute fail/recover events. I have a lab where I am testing my new tuning results, but I can't seem to find anything inside the IP SLA config that really lets me adjust these parameters the way I want. SolarWinds is not a great help here either, as their SNMP trap engine does not have a lot of tuning options.
I am thinking maybe I can instead create some non-routable GRE tunnels that I use just as a means to monitor the connection path, and tune those individually with long keepalives.
Currently Studying: IE Stuff...kinda...for now...
My ultimate career goal: To climb to the top of the computer network industry food chain.
"Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi
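An added IOS configuration example (not the poster's config) showing the two hold-down knobs the post is looking for. The IP SLA `reaction-configuration` with `threshold-type consecutive` only raises a trap after N consecutive probe timeouts, so with a 60-second probe frequency, `consecutive 10` means roughly ten minutes of continuous failure before anything alerts, and a 1-2 minute blip never fires. The track object's `delay` damps the existing EEM path as well, but it is capped at 180 seconds, so it cannot carry the full ten minutes on its own. Addresses, interface names, community strings and operation/track numbers are placeholders, not values from the post.

```cisco
! Probe the far end of the backup tunnel once a minute.
! 10.255.0.2 / Tunnel10 are placeholder values.
ip sla 10
 icmp-echo 10.255.0.2 source-interface Tunnel10
 frequency 60
 timeout 5000
 threshold 2000
 tag BACKUP-TUNNEL-SITE-A
ip sla schedule 10 life forever start-time now
!
! Native hold-down: react only after 10 consecutive timeouts, i.e. about
! 10 minutes of continuous failure at frequency 60. The consecutive
! counter is capped at 16, so the probe frequency has to carry the rest
! of the interval you want.
ip sla reaction-configuration 10 react timeout threshold-type consecutive 10 action-type trapOnly
ip sla enable reaction-alerts
snmp-server enable traps ipsla
snmp-server host 192.0.2.50 version 2c SOLARWINDS-RO
!
! Optional: keep the track/EEM path, but damp it. Track delay maxes out
! at 180 s, so this hides the sub-3-minute flaps only.
track 10 ip sla 10 reachability
 delay down 180 up 60
snmp-server enable traps event-manager
event manager applet BACKUP-TUNNEL-DOWN
 event track 10 state down
 action 1.0 syslog priority critical msg "Backup tunnel probe 10 down for more than 180s"
 action 2.0 snmp-trap strdata "Backup tunnel probe 10 down"
!
! Alternative raised in the post: a monitoring-only GRE tunnel whose line
! protocol drops after 10 missed keepalives sent 60 s apart. Placeholder
! addresses again.
interface Tunnel20
 description MONITOR-ONLY-GRE
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 keepalive 60 10
```

With the reaction configuration the trap is sent once when the consecutive-timeout threshold is crossed and once more when probes recover, so the alarm count matches real outages rather than every probe result. Keep `timeout` at or below `frequency` and `threshold` at or below `timeout`, otherwise IOS rejects the operation. The GRE keepalive variant has the advantage that SolarWinds sees an ordinary interface line-protocol state change, which it already polls without any Palo Alto integration.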