<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Static Route Path Monitoring for automated VPN failover in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring-for-automated-vpn-failover/m-p/349743#M86892</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I would like to know if static route path monitoring can monitor outside of the interface bound to the static route?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For example, I want to monitor across a VPN tunnel and if the test fails, withdraw the static route so traffic fails over to the backup VPN tunnel. I don't have an IP address (within the tunnel) on the destination side of the VPN tunnel which is always up and reachable. To get around this, I was hoping to monitor from a different interface to the public IP address of the destination VPN tunnel endpoint, e.g. the Internet-facing interface of my firewall to the Internet-facing interface of the remote firewall.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is this scenario possible or can static route path monitoring only monitor a destination which is reachable from the interface configured on the static route? Are there any other features that could get around this issue?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 16 Sep 2020 10:39:32 GMT</pubDate>
    <dc:creator>Bilbo007</dc:creator>
    <dc:date>2020-09-16T10:39:32Z</dc:date>
    <item>
      <title>Static Route Path Monitoring for automated VPN failover</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring-for-automated-vpn-failover/m-p/349743#M86892</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I would like to know if static route path monitoring can monitor outside of the interface bound to the static route?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For example, I want to monitor across a VPN tunnel and if the test fails, withdraw the static route so traffic fails over to the backup VPN tunnel. I don't have an IP address (within the tunnel) on the destination side of the VPN tunnel which is always up and reachable. To get around this, I was hoping to monitor from a different interface to the public IP address of the destination VPN tunnel endpoint, e.g. the Internet-facing interface of my firewall to the Internet-facing interface of the remote firewall.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is this scenario possible or can static route path monitoring only monitor a destination which is reachable from the interface configured on the static route? Are there any other features that could get around this issue?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 16 Sep 2020 10:39:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring-for-automated-vpn-failover/m-p/349743#M86892</guid>
      <dc:creator>Bilbo007</dc:creator>
      <dc:date>2020-09-16T10:39:32Z</dc:date>
    </item>
    <item>
      <title>Re: Static Route Path Monitoring for automated VPN failover</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring-for-automated-vpn-failover/m-p/349757#M86894</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/155841"&gt;@Bilbo007&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In an IPsec tunnel failover scenario, you need to put static route path monitoring on the routes which point to the primary tunnel interface. So if the destination mentioned in the path monitoring fails, that route will automatically be removed from the FIB and the next route, which points the same destinations to the secondary tunnel interface, will be added to the FIB. So for this, you need to have two routes for the same tunnel destinations, towards the primary and secondary tunnel interfaces, keeping a higher metric on the secondary tunnel interface route. You will enable path monitoring on the primary tunnel interface route only.&amp;nbsp; This source IP should be allowed via tunnel.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For this configuration, whatever destination you add under monitoring should be reachable via the tunnel. Also, you need to have an IP configured on the tunnel interface, which will act as the source IP while monitoring the respective destination.&amp;nbsp; &lt;STRONG&gt;This source IP should be allowed via tunnel.&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you try to monitor an IP from a different interface, let's say the outside/internet-facing one, it means you are enabling path monitoring for the route which is being used to reach the public IP. Mostly it will be your default route pointing towards the internet. With this, it won't have any impact on the tunnel interface route. &lt;FONT color="#FF0000"&gt;But it may create a problem on your default route, which may create problems if the destination becomes unreachable. 
So the scenario that you are describing won't work here.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;In order for tunnel failover using static route path monitoring to work properly, you need to enable path monitoring on the tunnel static routes only (the way it is explained in the first paragraph). &lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There is one more option to configure tunnel monitoring, e.g. using Tunnel Monitoring under &lt;STRONG&gt;IPSEC Tunnel Profile, &lt;/STRONG&gt;in that case also you need to configure an IP on the primary tunnel interface on the Palo Alto side.&lt;/P&gt;</description>
      <pubDate>Wed, 16 Sep 2020 12:09:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring-for-automated-vpn-failover/m-p/349757#M86894</guid>
      <dc:creator>SutareMayur</dc:creator>
      <dc:date>2020-09-16T12:09:53Z</dc:date>
    </item>
    <item>
      <title>Re: Static Route Path Monitoring for automated VPN failover</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring-for-automated-vpn-failover/m-p/349970#M86911</link>
      <description>&lt;P&gt;Thank you for all that information. You have answered my question perfectly.&lt;/P&gt;</description>
      <pubDate>Wed, 16 Sep 2020 23:51:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring-for-automated-vpn-failover/m-p/349970#M86911</guid>
      <dc:creator>Bilbo007</dc:creator>
      <dc:date>2020-09-16T23:51:16Z</dc:date>
    </item>
  </channel>
</rss>

