AWS IPSec tunnel active/active HA with BGP

jdemares — Mon, 21 Nov 2022 22:05:59 GMT

Looking for some help here. I have an ongoing case with support concerning AWS tunnel issues. My production FWs are active/active but not in sync. Just always been that way, it's the way I inherited it. I have 4 tunnels to AWS (2 on each FW) BGP all works fine but if I reboot one FW when it comes back it blows up all the tunnels. So support says I need to have the FWs in sync and then build them with a floating IP on each side and that will fix all my issues. So in my lab I have the same setup, got the FWs in sync but the documentation to build this is pretty much nonexistent. Support gave me a doc from 2011 which has about a page on the topic and doesn't mention dynamic routing at all.

So my first question is anyone doing this?

From there my questions are a bit more all over the place. First the document says a tunnel interface on each device needs to be defined with a unique IP. Do you add the /30 network AWS gives you for each side and then create a floating IP for the BGP peer in your VR? I have tried to build this a few different ways and can't get it to work. The best I have had was 2 of the 4 tunnels up and none of the BGP to come up. Meanwhile the tunnels I build the other way are all still up so with BGP peers working (just don't reboot).

With them in sync it is strange what gets synced and what doesn't and then what will break the sync and need to be forced or fixed to get them back in sync. Do you build all this from one side and just change the priority of the floating IP to the other device if you want some of the tunnels to live on the other FW? Do you replicated everything to the other FW if it doesn't get synched? Sorry like I said I am all over the place at the end of a frustrating day.

Thanks for any help.

Re: AWS IPSec tunnel active/active HA with BGP

vitol-pkf — Fri, 20 Jun 2025 11:02:33 GMT

hi jdemares

this is 3 years ago post but have you figured the way already?

I am using A/A configuration for our firewall as well.,

I guess the super mystery is that traditional single firewall+ concentrator, are everything you do in one box is okay for Active Active

as you mentioned you have 4 VPN tunnels - I assumed your company set up 2 "site-to-site VPN connections" on AWS, as 1 VPN connection in AWS, they actually created 2 VPN tunnels from difference AWS IP TO On-Prem single IP address End Point.

so assumed the situation like this you should setup

Tunnel 1 - using floating IP bias on Device 0

Tunnel 2 - using floating IP bias on Device 0

Tunnel 3 - using floating IP bias on Device 1

Tunnel 4 - using floating IP bias on Device 1

as this is tunnel, it will sync both side
Then Tunnel 1,2 will IKE up on Device 0

Then Tunnel 3,4 will IKE up on Device 1
For the routing perspective, assuming you are using BGP, and you need to know the fact that Palo wont Sync the VR setting on both router
You may need to setup 4 pair on EACH firewall, so what ever of time you will have 2 BGP peer up on single firewall.

I hope that is the right answer what you and other people looking for

topic AWS IPSec tunnel active/active HA with BGP in VM-Series in the Public Cloud

AWS IPSec tunnel active/active HA with BGP

Re: AWS IPSec tunnel active/active HA with BGP