Configure bidirectional tunnel health checks for egresss traffic
If you are using egress traffic through Magic Transit, you can set up a Cloudflare public IP address as the target
for your health checks instead of using Direct Server Return (DSR). In this type of setup, the packets necessary for Cloudflare to check tunnel health are sent and received though your GRE or IPsec tunnel. This avoids DSR replies through the Internet which might fail.
Bidirectional tunnel health checks will work for both reply-style (default) and request-style health checks. For request-style health checks, you need to assign the target IP to a device in your network that can respond to the health check requests.
To enable bidirectional tunnel health checks, set the health check’s target
to an IP address within the prefix 172.64.240.252/30
. You may also need to apply a policy-based route on your device to route ICMP echo reply packets sourced from this address through the tunnel.
Change health check target
- Refer to Add tunnels to learn how to create or edit your tunnel.
- Change the Health check target to Custom.
- Configure the IP address for your tunnel health check target to be one from within the prefix range
172.64.240.252/30
. - Save your changes.
You can configure the tunnel health check target IP address by updating your GRE tunnels or IPsec tunnels.
Example:
curl --request PUT \--url https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/gre_tunnels/{tunnel_id} \--header 'Content-Type: application/json' \--header 'X-Auth-Email: <YOUR_EMAIL>' \--data '{"health_check": {"target": "172.64.240.253"}
Update health check frequency
By default, Cloudflare servers send health checks to each GRE, CNI, or IPsec tunnel endpoint you configure to receive traffic from Magic Transit and Magic WAN. You can configure this frequency
via the API to suit your use case. For example, if you are connecting a lower-traffic site for which you do not need immediate failover and would rather receive a lower volume of health check traffic, you should set the frequency to low
. On the other hand, if you are connecting a site that is extremely sensitive to any issues, and you want a more proactive failover at the earliest sign of a potential problem, you should set this to high
.
Available options are low
, mid
, and high
.
- Refer to Add tunnels to learn how to create or edit your tunnel.
- Change the Health check rate to your desired rate. For example, Low.
- Save your changes.
You can adjust the health check frequency by updating your GRE, IPsec, or CNI tunnels.
Below is an example of how to adjust tunnel health check frequency to low
. Note that this command applies to GRE, IPsec and CNI tunnels:
curl --request PUT \https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/gre_tunnels/{tunnel_id} \--header 'Content-Type: application/json' \--header 'X-Auth-Email: <YOUR_EMAIL> ' \--data '{"health_check": {"rate":"low"}}'
Check for tunnel health in the dashboard
The Cloudflare dashboard monitors the health of all Anycast tunnels on your account that route traffic from Cloudflare to your origin network.
The dashboard shows the global view of tunnel health as measured from all Cloudflare locations. If the tunnels are healthy on your side, you will see the majority of servers reporting an up status. It is normal for a subset of these locations to show tunnel status as degraded or unhealthy, since the Internet is not homogeneous and intermediary path issues between Cloudflare and your network can cause interruptions for specific paths.
Not all data centers will be relevant to you at all times. You can refer to the Average ingress traffic (last hour) column to understand if a given data center is receiving traffic for your network, and if its health status is relevant to you.
To check for Anycast tunnel health:
- Go to the Cloudflare dashboard and select your account.
- Go to Magic Transit > Tunnel health.
- In Cloudflare colos, you can choose one or more Cloudflare data centers to filter out the traffic that shows up in your Anycast tunnels. For example, if you chose the Lisbon data center, your Anycast tunnels would only show connections to that data center.
- Below, you have a list of all your Anycast tunnels, as well as their current health status. Find the tunnel you wish to inspect and select the arrow (>) before it to open its details.
- The details pane shows the connection status between different Cloudflare servers and your tunnel. Select Traceroute for details in one of the Cloudflare servers shown to check for issues between Cloudflare and your origin network.