Cloudflare Docs
Magic Transit
Visit Magic Transit on GitHub
Set theme to dark (⇧+D)

Configure bidirectional tunnel health checks for egresss traffic

If you are using egress traffic through Magic Transit, you can set up a Cloudflare public IP address as the target for your health checks instead of using Direct Server Return (DSR). In this type of setup, the packets necessary for Cloudflare to check tunnel health are sent and received though your GRE or IPsec tunnel. This avoids DSR replies through the Internet which might fail.

Bidirectional tunnel health checks will work for both reply-style (default) and request-style health checks. For request-style health checks, you need to assign the target IP to a device in your network that can respond to the health check requests.

To enable bidirectional tunnel health checks, set the health check’s target to an IP address within the prefix 172.64.240.252/30. You may also need to apply a policy-based route on your device to route ICMP echo reply packets sourced from this address through the tunnel.

​​ Update health check frequency

By default, Cloudflare servers send health checks to each GRE, CNI, or IPsec tunnel endpoint you configure to receive traffic from Magic Transit and Magic WAN. You can configure this frequency via the API to suit your use case. For example, if you are connecting a lower-traffic site for which you do not need immediate failover and would rather receive a lower volume of health check traffic, you should set the frequency to low. On the other hand, if you are connecting a site that is extremely sensitive to any issues, and you want a more proactive failover at the earliest sign of a potential problem, you should set this to high.

Available options are low, mid, and high.

Here is an example of how you would adjust health check frequency to low. Note that this command applies to GRE, IPsec and CNI tunnels:

curl --request PUT \
--url https://api.cloudflare.com/client/v4/accounts/<account_identifier>/magic/gre_tunnels/<tunnel_identifier> \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <YOUR_EMAIL> ' \
--data '{"health_check": {"rate":"low"}}'

Refer to the API documentation for more information on how to update a GRE, IPsec or CNI tunnel.