Configure tunnel health checks
By default, to check for tunnel health Cloudflare sends a health check probe consisting of ICMP (Internet Control Message Protocol) reply packets to your network. By default, the source IP address of these ICMP reply packets is set to the tunnel endpoint IP address of the router at your origin, and has a Cloudflare public IP address as their destination.
Cloudflare encapsulates the ICMP reply packet and sends the probe across the tunnel to the origin router. When the probe reaches the origin router, the router forwards the decapsulated ICMP reply to its specified destination IP. The probe is successful when Cloudflare receives the reply.
As mentioned above, when you do not configure the target IP address for the tunnel health check Cloudflare uses the tunnel endpoint IP address for the router at your origin as the source IP address for the ICMP reply. Routing these unidirectional ICMP reply packets over the Internet to Cloudflare is sometimes subject to drops by intermediate network devices, such as stateful firewalls. To eliminate this uncertainty, we recommend that you configure your origin router to send these ICMP reply packets over the same tunnel they are received from, resulting in a symmetric routing pattern.
To accomplish this, we recommend that you:
- Configure the IP address for your tunnel health check target to be one from within the prefix range
172.64.240.252/30
. - Apply a policy-based route that matches packets with source IP address equal to the configured tunnel health check target (for example
172.64.240.253/32
), and route them over the tunnel back to Cloudflare.
Change health check target
- Refer to Add tunnels to learn how to create or edit your tunnel.
- Change the Health check target to Custom.
- Configure the IP address for your tunnel health check target to be one from within the prefix range
172.64.240.252/30
. - Save your changes.
You can configure the tunnel health check target IP address by updating your GRE tunnels or IPsec tunnels.
Example:
curl --request PUT \--url https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/gre_tunnels/{tunnel_id} \--header 'Content-Type: application/json' \--header 'X-Auth-Email: <YOUR_EMAIL>' \--data '{"health_check": {"target": "172.64.240.253"}
Update health check frequency
By default, Cloudflare servers send health checks to each GRE, CNI, or IPsec tunnel endpoint you configure to receive traffic from Magic Transit and Magic WAN. You can configure this frequency via the API to suit your use case. For example, if you are connecting a lower-traffic site for which you do not need immediate failover and would rather receive a lower volume of health check traffic, you should set the frequency to low
. On the other hand, if you are connecting a site that is extremely sensitive to any issues, and you want a more proactive failover at the earliest sign of a potential problem, you should set this to high
.
Available options are low
, mid
, and high
.
- Refer to Add tunnels to learn how to create or edit your tunnel.
- Change the Health check rate to your desired rate. For example, Low.
- Save your changes.
You can adjust the health check frequency by updating your GRE, IPsec, or CNI tunnels.
Below is an example of how to adjust tunnel health check frequency to low
. Note that this command applies to GRE, IPsec and CNI tunnels:
curl --request PUT \https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/gre_tunnels/{tunnel_id} \--header 'Content-Type: application/json' \--header 'X-Auth-Email: <YOUR_EMAIL> ' \--data '{"health_check": {"rate":"low"}}'
Check for tunnel health in the dashboard
The Cloudflare dashboard monitors the health of all Anycast tunnels on your account that route traffic from Cloudflare to your origin network.
The dashboard shows the global view of tunnel health as measured from all Cloudflare locations. If the tunnels are healthy on your side, you will see the majority of servers reporting an up status. It is normal for a subset of these locations to show tunnel status as degraded or unhealthy, since the Internet is not homogeneous and intermediary path issues between Cloudflare and your network can cause interruptions for specific paths.
Not all data centers will be relevant to you at all times. You can refer to the Average ingress traffic (last hour) column to understand if a given data center is receiving traffic for your network, and if its health status is relevant to you.
To check for Anycast tunnel health:
- Go to the Cloudflare dashboard and select your account.
- Go to Magic WAN > Tunnel health check.
- In Cloudflare colos, you can choose one or more Cloudflare data centers to filter out the traffic that shows up in your Anycast tunnels. For example, if you chose the Lisbon data center, your Anycast tunnels would only show connections to that data center.
- Below, you have a list of all your Anycast tunnels, as well as their current health status. Find the tunnel you wish to inspect and select the arrow (>) before it to open its details.
- The details pane shows the connection status between different Cloudflare servers and your tunnel. Select Traceroute for details in one of the Cloudflare servers shown to check for issues between Cloudflare and your origin network.