Secure Fabric Link Issues

A secure fabric link connects a branch site to a data center or connects two branch sites. Palo Alto Networks enables virtual private network (VPN) overlays on all public and private circuits between a branch site and a data center. VPN overlays between Palo Alto Networks branch sites are disabled by default. You can selectively enable or disable these VPNs on the Prisma SD-WAN web interface.
This category of events deals with virtual private network (VPN) link connectivity issues. For example:
  • Major alarm is raised when all the VPN links from an active branch site for a given secure fabric link are down (Alarm—major).
  • Minor alarm is raised if there is more than one VPN link from the active branch site for a given secure fabric link, at least one of the links is up, and at least one is down (Alarm—minor).
  • The following VPN link-related alarms are aggregated as secure fabric link alarms (Alarm—major when the secure fabric link is down and minor when the secure fabric link is degraded):
    • NETWORK_VPNBFD_DOWN
    • NETWORK_VPNLINK_DOWN
    • NETWORK_VPNPEER_UNAVAILABLE
    • NETWORK_VPNPEER_UNREACHABLE
    • NETWORK_VPNSS_UNAVAILABLE
    • NETWORK_VPNSS_MISMATCH
The following alarms indicate the underlay network connectivity for a given circuit is down:
  • DEVICEHW_INTERFACE_DOWN
  • NETWORK_DIRECTINTERNET_DOWN
  • NETWORK_DIRECTPRIVATE_DOWN
Alarms raised for the corresponding secure fabric links that use the underlay connectivity are suppressed.
When an administrator configures Admin Down for an interface, this condition suppresses all the corresponding raised secure fabric link alarms and this is displayed in the Reason field of the alarm.
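The severity and suppression rules above, modelled as an added example for triaging exported link state; it is not Palo Alto Networks code. The `VpnLink` record, the `classify` function, the circuit names, and the underlay reason text are hypothetical, and it assumes that a down VPN link whose circuit has an underlay alarm or is Admin Down suppresses the secure fabric link alarm.

```python
from dataclasses import dataclass

# Underlay alarm codes named on this page.
UNDERLAY_ALARMS = frozenset({
    "DEVICEHW_INTERFACE_DOWN",
    "NETWORK_DIRECTINTERNET_DOWN",
    "NETWORK_DIRECTPRIVATE_DOWN",
})

@dataclass(frozen=True)
class VpnLink:
    """Hypothetical record for one VPN link (not a Prisma SD-WAN API type)."""
    circuit: str   # underlay circuit the VPN rides on
    up: bool

def classify(vpn_links, circuit_alarms, admin_down=frozenset()):
    """Return (severity, suppressed, reason) for one secure fabric link.

    circuit_alarms maps a circuit name to the set of alarm codes raised on it.
    admin_down is the set of circuits whose interface is set to Admin Down.
    """
    down = [v for v in vpn_links if not v.up]
    if not down:
        return (None, False, "")          # nothing down, no alarm
    # All VPN links down -> major; some up and some down -> minor.
    severity = "major" if len(down) == len(vpn_links) else "minor"
    # Assumption: only circuits carrying a down VPN link can suppress the alarm.
    down_circuits = {v.circuit for v in down}
    if down_circuits & set(admin_down):
        return (severity, True, "Admin Down")
    hit = sorted(c for c in down_circuits
                 if set(circuit_alarms.get(c, ())) & UNDERLAY_ALARMS)
    if hit:
        return (severity, True, "underlay down on " + ", ".join(hit))
    return (severity, False, "")

# Constructed sample: one secure fabric link riding two circuits.
SAMPLE = [VpnLink("inet-1", up=False), VpnLink("mpls-1", up=True)]

if __name__ == "__main__":
    print(classify(SAMPLE, {}))
    print(classify(SAMPLE, {"inet-1": {"NETWORK_DIRECTINTERNET_DOWN"}}))
    print(classify(SAMPLE, {}, admin_down={"inet-1"}))
```

An unsuppressed result is the case that needs VPN-level investigation, because the underlay is reported healthy while the overlay is down.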
