Ipsec Tunnel Failover issue

Fr4nk4 — Wed, 20 May 2020 23:39:10 GMT

We have a PA-3020 firewall pair that has multiple IPsec tunnels to a VM series pair in AWS. We have 4 IPsec tunnels that we run to the firewalls. They are:

Tunnel A - On Prem to AWS FW1 over Direct Connect
Tunnel B - On Prem to AWS FW2 over Direct Connect
Tunnel C - On Prem to AWS FW1 over Public Internet
Tunnel D - On Prem to AWS FW1 over Public Internet

We also have BGP routing in place and peer with the AWS FW1 and FW2. If I test killing BGP on FW1 in AWS, our PA-3020 automatically routes traffic to Tunnel B, and within 15 seconds, we are sending traffic to/from FW2. That part works perfectly.

However, if I down Tunnel A from the AWS side, we stay down indefinitely. BGP knows to send traffic to Tunnel B, but communication over Tunnel B does not occur. Security policies on the on prem firewall and AWS FW1 and FW2 allow for BGP and IPSec communication for all the tunnels.

I have tried Static Route monitoring, where you create the same route for the AWS traffic, but create different Metrics for each route which would use different tunnels.

For example: 172.16.0.0/16

Route A 172.16.0.0/16 via Tunnel A Metric 10
Route B 172.16.0.0/16 via Tunnel B Metric 15
Route C 172.16.0.0/16 via Tunnel C Metric 20
Route D 172.16.0.0/16 via Tunnel D Metric 10

I have also enabled tunnel monitoring, and allowed pings to/from each firewall. I know that the static routes are no longer required since we use BGP, but what would be the preferred method in order to get the on prem firewall to automatically use Tunnel B if Tunnel A went down? Would a PBF profile be in order?

topic Re: Ipsec Tunnel Failover issue in General Topics

Ipsec Tunnel Failover issue

Re: Ipsec Tunnel Failover issue