Configure bidirectional tunnel health checks for egresss traffic

If you are using egress traffic through Magic Transit, you can set up a Cloudflare public IP address as the target for your health checks instead of using Direct Server Return (DSR). In this type of setup, the packets necessary for Cloudflare to check tunnel health are sent and received though your GRE or IPsec tunnel. This avoids DSR replies through the Internet which might fail.

Bidirectional tunnel health checks will work for both reply-style (default) and request-style health checks. For request-style health checks, you need to assign the target IP to a device in your network that can respond to the health check requests.

To enable bidirectional tunnel health checks, set the health check’s target to an IP address within the prefix 172.64.240.252/30. You may also need to apply a policy-based route on your device to route ICMP echo reply packets sourced from this address through the tunnel.

​​ Change health check target

curl --request PUT \
  --url https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/gre_tunnels/{tunnel_id} \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: <YOUR_EMAIL>' \
  --data '{
  "health_check": {
    "target": "172.64.240.253"
  }

​​ Update health check frequency

By default, Cloudflare servers send health checks to each GRE, CNI, or IPsec tunnel endpoint you configure to receive traffic from Magic Transit and Magic WAN. You can configure this frequency via the API Open API docs link to suit your use case. For example, if you are connecting a lower-traffic site for which you do not need immediate failover and would rather receive a lower volume of health check traffic, you should set the frequency to low. On the other hand, if you are connecting a site that is extremely sensitive to any issues, and you want a more proactive failover at the earliest sign of a potential problem, you should set this to high.

Available options are low, mid, and high.

curl --request PUT \
https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/gre_tunnels/{tunnel_id} \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <YOUR_EMAIL> ' \
--data '{
  "health_check": {"rate":"low"}
  }'

​​ Check for tunnel health in the dashboard

The Cloudflare dashboard monitors the health of all Anycast tunnels on your account that route traffic from Cloudflare to your origin network.

The dashboard shows the global view of tunnel health as measured from all Cloudflare locations. If the tunnels are healthy on your side, you will see the majority of servers reporting an up status. It is normal for a subset of these locations to show tunnel status as degraded or unhealthy, since the Internet is not homogeneous and intermediary path issues between Cloudflare and your network can cause interruptions for specific paths.

Not all data centers will be relevant to you at all times. You can refer to the Average ingress traffic (last hour) column to understand if a given data center is receiving traffic for your network, and if its health status is relevant to you.

To check for Anycast tunnel health:

1. Go to the Cloudflare dashboard Open external link and select your account.
2. Go to Magic Transit > Tunnel health.
3. In Cloudflare colos, you can choose one or more Cloudflare data centers to filter out the traffic that shows up in your Anycast tunnels. For example, if you chose the Lisbon data center, your Anycast tunnels would only show connections to that data center.
4. Below, you have a list of all your Anycast tunnels, as well as their current health status. Find the tunnel you wish to inspect and select the arrow (>) before it to open its details.
5. The details pane shows the connection status between different Cloudflare servers and your tunnel. Select Traceroute for details in one of the Cloudflare servers shown to check for issues between Cloudflare and your origin network.