Configure tunnel health checks
By default, Cloudflare checks tunnel health by sending a probe consisting of ICMP (Internet Control Message Protocol) reply packets to your network. By default, the source IP address of these ICMP reply packets is the tunnel endpoint IP address of the router at your origin, and their destination is a Cloudflare public IP address.
Cloudflare encapsulates the ICMP reply packet and sends the probe across the tunnel to the origin router. When the probe reaches the origin router, the router decapsulates it and forwards the ICMP reply to its destination IP. The probe succeeds when Cloudflare receives the reply.
As mentioned above, when you do not configure a target IP address for the tunnel health check, Cloudflare uses the tunnel endpoint IP address of the router at your origin as the source IP address of the ICMP reply. Routing these unidirectional ICMP reply packets over the Internet to Cloudflare is sometimes subject to drops by intermediate network devices, such as stateful firewalls, which never saw a matching ICMP request. To eliminate this uncertainty, we recommend that you configure your origin router to send these ICMP reply packets back over the same tunnel they were received from, resulting in a symmetric routing pattern.
To accomplish this, we recommend that you:
- Configure the IP address for your tunnel health check target to be one from within the prefix range 172.64.240.252/30.
- Apply a policy-based route that matches packets with a source IP address equal to the configured tunnel health check target (for example, 172.64.240.253/32), and routes them over the tunnel back to Cloudflare.
You can configure the tunnel health check target IP address by updating your GRE tunnels or IPsec tunnels.
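The symmetric routing recommendation above, worked through as an added example (this is not Cloudflare's code and does not come from this page): a POSIX shell script for a Linux origin router that uses iproute2. It first checks that the chosen health check target lies inside 172.64.240.252/30, then emits the policy-based routing commands that steer packets sourced from that target back into the tunnel, and applies them only when asked to. The interface name gre1 and routing table 100 are hypothetical placeholders; the rp_filter line is included because strict reverse-path filtering on the tunnel interface would otherwise drop these packets, since the main table's route for the target address does not point at the tunnel.

```sh
#!/bin/sh
# Added example, not Cloudflare's code. Symmetric routing for Magic tunnel
# health-check replies on a Linux origin router (iproute2).
# Assumptions (hypothetical): tunnel interface "gre1", policy routing table 100,
# and a health check target already configured on the tunnel via the API.

HC_PREFIX_BASE=172.64.240.252   # recommended /30 from the documentation
HC_PREFIX_LEN=30

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) only if $1 lies inside 172.64.240.252/30.
in_hc_prefix() {
  ip=$(ip4_to_int "$1") || return 1
  base=$(ip4_to_int "$HC_PREFIX_BASE")
  mask=$(( (0xFFFFFFFF << (32 - HC_PREFIX_LEN)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( base & mask )) ]
}

# Print the commands that route packets sourced from the health check target
# back over the tunnel they arrived on. Arguments: target tunnel_interface table
pbr_commands() {
  target=$1
  tun_if=$2
  table=$3
  if ! in_hc_prefix "$target"; then
    echo "target $target is outside $HC_PREFIX_BASE/$HC_PREFIX_LEN" >&2
    return 1
  fi
  # 1. policy rule: source = target -> consult the dedicated table
  echo "ip rule add from $target/32 lookup $table priority 100"
  # 2. that table sends everything into the tunnel, i.e. back to Cloudflare
  echo "ip route add default dev $tun_if table $table"
  # 3. loose reverse-path filtering on the tunnel, or strict mode drops the
  #    decapsulated reply because its source is not routed via $tun_if
  echo "sysctl -w net.ipv4.conf.$tun_if.rp_filter=2"
}

# Apply the generated commands (requires root); stops at the first failure.
apply_pbr() {
  pbr_commands "$@" | sh -e
}

# Dry run when invoked directly with PBR_DEMO=1: prints the commands only.
if [ "${PBR_DEMO:-0}" = 1 ]; then
  pbr_commands 172.64.240.253 gre1 100
fi
```

Run with `PBR_DEMO=1 sh pbr.sh` to review the commands before applying them with `apply_pbr 172.64.240.253 gre1 100` as root. Packets from any other source keep using the main routing table, so only the health check replies are affected.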
Update health check frequency
By default, Cloudflare servers send health checks to each GRE, CNI, or IPsec tunnel endpoint you configure to receive traffic from Magic Transit and Magic WAN. You can configure this frequency via the API to suit your use case. For example, if you are connecting a lower-traffic site for which you do not need immediate failover and would rather receive a lower volume of health check traffic, set the frequency to low. On the other hand, if you are connecting a site that is extremely sensitive to any issues, and you want a more proactive failover at the earliest sign of a potential problem, set this to high.
Available options are low, mid, and high.
Here is an example of how you would adjust the health check frequency to low. Note that this command applies to GRE, IPsec and CNI tunnels:
```sh
curl --request PUT \
  --url https://api.cloudflare.com/client/v4/accounts/<account_identifier>/magic/gre_tunnels/<tunnel_identifier> \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: <YOUR_EMAIL>' \
  --header 'X-Auth-Key: <YOUR_API_KEY>' \
  --data '{"health_check": {"rate": "low"}}'
```
Refer to the API documentation for more information on how to update a GRE, IPsec or CNI tunnel.