topic Re: Need help to achieve IPsec VPN failover between Paloalto to Meraki in General Topics

Need help to achieve IPsec VPN failover between Paloalto to Meraki

AhamadullahM — Wed, 24 May 2023 19:21:58 GMT

Hi All,

Need help to achieve IPsec VPN failover between Paloalto to Meraki

Re: Need help to achieve IPsec VPN failover between Paloalto to Meraki

akuzhuppilly — Thu, 25 May 2023 02:47:23 GMT

Hello,

Your question is not clear, can you explain what you are trying to achieve on the VPN failover part?

Re: Need help to achieve IPsec VPN failover between Paloalto to Meraki

AhamadullahM — Thu, 25 May 2023 09:21:19 GMT

@AKuzhuppilly

2 branches have Paloalto and Meraki

Branch A palo alto configured 2 Ipsec VPNs and same branch B Meraki configured 2 Ipsec vpn.

Both IPSec tunnels are up but traffic is not passing...either I can disable the one tunnel the traffic is passing and wise versa. My requirement is needed to achieve the Ipsec failover between the two tunnels the peer end is Meraki.

Kindly help and suggest how to solve the failover... I have already tried path monitor and tunnel monitor but no luck.

thank you

Re: Need help to achieve IPsec VPN failover between Paloalto to Meraki

akuzhuppilly — Thu, 25 May 2023 09:41:50 GMT

Hello,

Still not clear. Can I confirm if your connectivity is as below?

If so, the tunnel monitoring should be able to remove the route and point it to the secondary ISP (using IPSec 2) during a failure. What is the 'monitor profile' action? It should be set to 'failover'.

You may refer to below KB:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

Re: Need help to achieve IPsec VPN failover between Paloalto to Meraki

aleksandar.astardzhiev — Thu, 25 May 2023 13:50:48 GMT

Hi @AhamadullahM ,

To achieve IPsec failover you need both end of the tunnels to be able to detect issue and perform the failover, if only one side of the tunnel is performing the failover you will have asymmetric routing.

From Palo Alto point of view the setup is as follow:

- Palo Alto firewall is implementing route base VPN. Which means firewall relay on the routing table to decide which traffic to encrypt over each tunnel.

- To achieve IPsec failover you need to have two IPsec tunnel configured and two static routes for destination network pointing to each tunnel.

- By default PAN FW will not allow you to configure two static routes for same destination with exact same metric. Which means the second route will have higher metric - therefor in FIB only the first route will be installed and traffic will be sent over first tunnel.

- Tunnel monitor will detect when tunnel have issues and "disable" the logical tunnel interface associated with that tunnel. Because the interface is "down" all routes associated with it will be removed from FIB and firewall will start using the second route and start sending traffic over second tunnel.

- When tunnel monitor detect tunnel is up again, it will "enable" the tunnel interface and install the primary route (because it has the lowest metric) and start sending traffic over first tunnel.

So when you said "tried tunnel monitor, but no luck", you need to note that the cause could be in the Meraki.

Can you please provide more information how is Meraki configured to perform tunnel failover?

More details for "tried tunnel monitor, but no luck" - tunnel with the monitor went down even if it is actually up? Or traffic does not failover when first tunnel is down? What issue exactly do you experience?