topic HA mode with vwire in General Topics

HA mode with vwire

Wayne_Fealy — Fri, 27 Oct 2023 14:56:48 GMT

Not sure it this is the right location for this question but here we go ...
I'm trying to replace 2 transparent ASA's in ACT/STDBY with 2 Palo's in the same setup vwire ACT/PAS. Current setup is the asa's are connected to 2 vpn servers in ACT/PAS config, the asa’s have a 3 interface BVI (2 inside interfaces one to each vpn server and 1 outside interface to upstream switch). The vpn servers built ipsec vpn tunnels THROUGH the asa’s to the other endpoint everything works fine. What I did but didn’t work fully was build 2 PAs in HA, for the 2 inside interfaces I put them into an AE grp and then put both the outside and AE interfaces into the same vwire instance this setup did not work as expected. Any assistance would be great .. tks

Re: HA mode with vwire

TomYoung — Sat, 28 Oct 2023 01:28:01 GMT

Hi @Wayne_Fealy ,

From reading your post, it sounds like you have 3 interfaces in transparent mode. A VWire is for mapping interfaces1-to-1.

You want to create 3 x L2 interfaces, and put them into the same VLAN. Put the interfaces in L2 zones, inside and outside (or you could do 3 zones to limit intrazone traffic between the 2 VPN servers). Then your security policy rules will follow naturally.

Thank will work.

Thanks,

Tom