https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/site-to-site-vpn-between-aws-transit-gw-and-pa-fw-in-aws/m-p/342163#M918 <P>Hello</P><P>&nbsp;</P><P>Thanks for your response but sadly that was not the correct solution and i am still working on the case ....</P> Wed, 05 Aug 2020 08:44:11 GMT tinaye-hgi 2020-08-05T08:44:11Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/site-to-site-vpn-between-aws-transit-gw-and-pa-fw-in-aws/m-p/341001#M909 <P>Hello</P><P>&nbsp;</P><P>First time posting and looking for help on solution ............i have a PA fw in AWS and i am attempting to setup a VPN to AWS transit GW.</P><P>FW set up with ÖUTSIDE int using DHCP and and EIP attached ...</P><P>&nbsp;</P><P>AWS TGW (VPN) -------------------------------------------------AWS(single FW with DHCP)</P><P>52.x.x.x&nbsp; -------------------------------------------------EIP-3.x.x.x attached to 10.0.2.10 (-----outside int (FW) inside int&nbsp;</P><P>18.x.x.x</P><P>AWS does not initiate session, so firewall must initiate. It works fine if i config a static IP address on Firewall outside interface but if&nbsp;</P><P>i leave it as DHCP it seems to work on and off ......I have been advised that i must leave the PA interface address as DHCP based on&nbsp;</P><P>design guidelines. So i have messed around with IPSEC settings in the hope of getting tunnels to come up by setting the Local and&nbsp; Remote peer addresses but not luck .......</P><P>&nbsp;</P><P>Any ideas or advice please ..............................and is it true that i should not set fixed IP on interfaces of FW&nbsp;</P><P>&nbsp;</P><P>Thanks in advance for advice and help ..</P><P>&nbsp;</P> Tue, 28 Jul 2020 07:29:54 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/site-to-site-vpn-between-aws-transit-gw-and-pa-fw-in-aws/m-p/341001#M909 tinaye-hgi 2020-07-28T07:29:54Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/site-to-site-vpn-between-aws-transit-gw-and-pa-fw-in-aws/m-p/341092#M912 <P>he tunnel build process is documented here.</P><P><A href="https://www.paloaltonetworks.com/resources/reference-architectures/aws" target="_blank">https://www.paloaltonetworks.com/resources/reference-architectures/aws</A></P><P>&nbsp;</P><P>In general, if it works intermittently, check your timers in your IKE and IPSec profiles.&nbsp; Also, ensure that only the VPN ethernet interface has the "Automatically create default route pointing to DG provided by server".&nbsp; If you have multiple interfaces, you may end up with 2 default routes in the VR that are competing with each other.&nbsp; If you have EIPs on multiple interfaces, then you give each its own virtual router with a 0.0.0.0/0 route pointing outbound.</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQRCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQRCA0</A></P> Tue, 28 Jul 2020 17:39:59 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/site-to-site-vpn-between-aws-transit-gw-and-pa-fw-in-aws/m-p/341092#M912 jmeurer 2020-07-28T17:39:59Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/site-to-site-vpn-between-aws-transit-gw-and-pa-fw-in-aws/m-p/342163#M918 <P>Hello</P><P>&nbsp;</P><P>Thanks for your response but sadly that was not the correct solution and i am still working on the case ....</P> Wed, 05 Aug 2020 08:44:11 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/site-to-site-vpn-between-aws-transit-gw-and-pa-fw-in-aws/m-p/342163#M918 tinaye-hgi 2020-08-05T08:44:11Z