topic Re: Policy-Based IPsec VPN Failover in General Topics

Policy-Based IPsec VPN Failover

Flang3r — Tue, 26 Jul 2022 09:17:15 GMT

Hello everyone,

I have a case, where we have configured two site-to-site VPN connections to our partner's primary and backup datacenters. Both tunnels are policy-based IPsec VPNs with Proxy-IDs configured and both use the same local/remote inner IP addresses. This is a single ISP/single virtual router environment.

For example this is a sample config of two Proxy-IDs in one tunnel:

172.16.2.2 (real private IP) NATed to 172.29.2.2 used as local and 200.0.0.2 remote.
172.16.2.3 (real private IP) NATed to 172.29.2.3 used as local and 200.0.0.3 remote.

Now exact same proxy ID configuration is present in second tunnel as well. My question is, how do we make tunnel1 preferred egress point for outgoing packet flow and how do we implement failover to tunnel2, in case tunnel1:proxyid sub-tunnels go down?

I can't use any routing solutions or tunnel monitor as it's a policy-based VPN. There are no routes regarding those remote networks and also tunnels have no IP addresses configured for themselves.

ADD: Maybe there is a mechanism in PAN-OS similar to reverse-route in IOS, that can inject routes based on proxy IDs? That could solve the problem with variable AD or metric per route injection.

Re: Policy-Based IPsec VPN Failover

OtakarKlier — Wed, 27 Jul 2022 17:57:52 GMT

Hello,

I would use metrics on the routes. Make the less preferred route metric 10000. This way the traffic will follow the preferred tunnel unless its down then take the less preferred tunnel.

Regards,

Re: Policy-Based IPsec VPN Failover

Flang3r — Fri, 29 Jul 2022 07:43:46 GMT

Thank you for the reply. Currently I have no routes associated with these connections. That's why I was wondering if there is anything like reverse-route from Cisco world, to inject static routes from P2 selectors (ACLs in that case) that can be manipulated with metrics etc. If not, what is the correct way to apply a static route over policy-based tunnel in PAN-OS? As tunnel itself has no IP address, I assume egress interface should be used as a next hop. Each configured Proxy ID is represented as a sub-tunnel with naming of IPsec_Tunnel_Name:ProxyID_Name, that is not visible in PAN-OS web management. Can static routes be pointed to just an "outer" IPsec tunnel name?

Re: Policy-Based IPsec VPN Failover

YEmreSeven — Fri, 29 Jul 2022 09:45:37 GMT

You must redirect IPSec traffic throught to tunnel with staticly or PBF metod. Static routing with different metrics should be work.

But if you want to use PBF with tunnel monitor profile which monitoring remote Phase-2 site IP, you should use different zone between IPSec tunnels.

Check this kb for dual redundant IPSec,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

Re: Policy-Based IPsec VPN Failover

OtakarKlier — Fri, 29 Jul 2022 18:32:07 GMT

Hello,

You will need routes to send traffic down the tunnel.

Regards,

Re: Policy-Based IPsec VPN Failover

Flang3r — Tue, 02 Aug 2022 10:14:28 GMT

Thank you for your input.

I've added static routes and traffic flows correctly. Looks like once static route points to tunnel interface associated with policy based IPsec tunnel, then traffic correctly flows through appropriate proxy ID sub-tunnels based on destination prefix. ICMP is successful and packet encaps/decaps increase accordingly.

However my problem with failover still persists. If primary IPsec tunnel goes down, static routes are not withdrawn from routing table and traffic effectively gets blackholed. Since "outer" associated tunnel has no IP address, I'm unable to configure tunnel monitoring or path monitoring for static routes. There is no source IP address available to source ICMP from.

Re: Policy-Based IPsec VPN Failover

UmarKhan — Wed, 18 Oct 2023 17:50:42 GMT

I am also facing this exact issue. were you able to resolve it?

Re: Policy-Based IPsec VPN Failover

UmarKhan — Wed, 18 Oct 2023 17:51:00 GMT

I am also facing this exact issue. were you able to resolve it?

Re: Policy-Based IPsec VPN Failover

OtakarKlier — Sun, 22 Oct 2023 16:57:26 GMT

Hello,

Have you tried to use policy based forwarding or weighted routes?

Regards,

Re: Policy-Based IPsec VPN Failover

TonyDeHart — Tue, 24 Oct 2023 20:13:58 GMT

We just setup the same sort of thing on two IPSEC tunnels into Azure and used TUNNEL MONITOR after assigning IP addresses to the tunnels so we could evaluate their state. Is there any reason you can't put IP addresses on the tunnel? (I should add when we had one IPSEC tunnel we did NOT the IP addresses assigned or tunnel monitor in use so this was needed.)

Additonal routes for the tunnels were also necessary and as others mentioned with the metric higher on one than another tunnel.

Re: Policy-Based IPsec VPN Failover

UmarKhan — Tue, 24 Oct 2023 20:16:35 GMT

I do have tunnel interface ip assigned. When I do 2 static routes, A with higher metric and B with lower, when A fails, it doesn't automatically go to B and still tries to send traffic via A

Re: Policy-Based IPsec VPN Failover

TonyDeHart — Tue, 24 Oct 2023 20:20:36 GMT

Do you have tunnel monitoring on? I think that might be the behavior without it where it may not know NOT to send the tunnel traffic that direction on the downed link.

Re: Policy-Based IPsec VPN Failover

UmarKhan — Tue, 24 Oct 2023 20:21:40 GMT

I did have tunnel monitoring, but when I connect it to the tunnel, I see tunnel interface status go down

Re: Policy-Based IPsec VPN Failover

OtakarKlier — Tue, 24 Oct 2023 20:24:59 GMT

Hello,

How are your routes setup, static? If yes, do you have 'Path Monitoring' enabled and setup? This is what would remove the route from the routing table, not the tunnel monitor, etc.

Failure Condition
Select the condition under which the firewall considers the monitored path down and thus the static route down:

Any—If any one of the monitored destinations for the static route is unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.

All—If all of the monitored destinations for the static route are unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.
Select All to avoid the possibility of a single monitored destination signaling a static route failure when that monitored destination is simply offline for maintenance, for example.

Regards,

Re: Policy-Based IPsec VPN Failover

UmarKhan — Tue, 24 Oct 2023 20:31:28 GMT

, static routes are setup. i'll check and configure that. How would I go about setting traffic to go thru both tunnels

Re: Policy-Based IPsec VPN Failover

TonyDeHart — Tue, 24 Oct 2023 20:35:58 GMT

I use path monitoring on our ISP connectivity but for the record I do NOT have path monitoring for our IPSEC tunnel connections just the tunnel monitors. In testing, it fails over w/o any trouble.