Site to Site tunnel

L7 Applicator

Re: Site to Site tunnel

It can be any IP.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L7 Applicator

Re: Site to Site tunnel

Hello,

While it can be any IP, I always recommend you use one that is as close to the VPN endpoint as possible. So yes, I would recommend the Tunnel IP.

 

reason:

Let's say I have the following:

 

switchA --PANA--VPN--PANB--switchB

 

If I use switchB's IP for the PANA monitoring, then if that switch goes down/reboots, the tunnel will fail over.

If I use PANB's IP for PANA monitoring, it will only fail over if the IP of PANB is not reachable.

 

Just my thoughts.

L2 Linker

Re: Site to Site tunnel

Hi Raido and Otakar

 

Thanks for your assistance, it is really useful

 

I have Tunnel 1 and Tunnel 2 (Backup). Both phases are OK, green, but in the main interface "Tunnel 1" the status appears in red.

 

I read this article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTeCAK

Phase 1 - OK
Phase 2 - OK
Status = Red

 

"RED indicates that the tunnel interface is down because the tunnel monitor is enabled and the remote tunnel monitoring IP address is unreachable."

 

I disabled the PBF policy and Tunnel 2, but traffic continues to come out of Tunnel 2; I cannot understand it.

 

Would you know what it could be?

L2 Linker

Re: Site to Site tunnel

Here comes my doubt too

Network - IPSec Tunnels

[image: IpsecTunnel.PNG]

Here I put the profile and the IP address is that of a host that is 24 hours UP on the other side.

In the PBF

Policies - PBF

[image: PBF.PNG]

Is it necessary to enter the IP address here again if I choose the profile?


In "Destination" within the PBF, should I enter the network address or the address of the gateway?

Example:
Network: 192.168.2.0/24
Gateway: 192.168.2.1/24


[image: PBFDest.PNG]

 

I do not understand well how "Negate" works.

L7 Applicator

Re: Site to Site tunnel

Hello,

Negate just means 'Not Equal To', so let's say you want everything to route except a specific /24: you would enter that /24 network and select negate.

 

The monitor is just a ping so it can be anything. The PBF is a route so it needs to be the IP of the next hop router.

 

If the interface is Red, then it's down and something is not happy, i.e. it needs to be investigated.

 

Hope that makes sense. 

L2 Linker

Re: Site to Site tunnel

Hi Otakar,

 

Thank you so much for your assistance.

It really helped me.

 

Is the "negate" necessary, or does something happen if I don't check it?

 

Thanks for the PBF, then I'll put the IP of the next router there.


L7 Applicator

Re: Site to Site tunnel

Hello,

So the Negate translates to 'not equal to'. Let's say you have 192.168.0.0/16 on your internal network. Now let's say you want all traffic 'except' a certain subnet(s). This is where you would use negate so that the rule is 'cleaner'.

 

example:

I don't want the policy to apply to the following subnets: 192.168.199.0/24 and 192.168.66.0/25.

If you were to apply a 'Permit' policy, you would have to list out all the subnets except those you don't want. So instead you use the Negate.

[image: image.png]

What this does is allows all subnets 'Except' the ones listed.

 

Hope that makes sense.
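The negate behaviour described in this reply, as an added worked example that is not part of the thread and not Palo Alto Networks code: a toy PBF-style matcher where "Negate" on the destination field means "match when the address is NOT in any listed network". It reuses the thread's subnets (192.168.0.0/16 internal, 192.168.199.0/24 and 192.168.66.0/25 excluded) and assumes 192.168.2.1 as a constructed next-hop router; `PbfRule`, `evaluate`, `expand_negate` and `compare` are names invented for the example, and the rule model is a simplification of a real PBF rulebase. Beyond the reply's point it also computes the explicit address list the equivalent non-negated rule would need, and shows that a negated rule on its own matches destinations outside 192.168.0.0/16 too.

```python
"""Added example (not from the thread or from Palo Alto Networks): a toy
policy-based-forwarding (PBF) matcher showing what the "Negate" option on a
destination address means ("not equal to" the listed networks) and how many
entries the equivalent non-negated rule would need.  All subnets, hosts and the
next-hop address are constructed for the example; the rule model is a
simplification, not PAN-OS behaviour."""
import ipaddress
from dataclasses import dataclass


@dataclass
class PbfRule:
    name: str
    destinations: list            # ip_network objects entered in the rule
    negate_destination: bool      # True = match when dst is NOT in any listed net
    next_hop: str                 # IP of the next-hop router (the reply's advice)

    def matches(self, dst):
        addr = ipaddress.ip_address(dst)
        in_list = any(addr in net for net in self.destinations)
        return (not in_list) if self.negate_destination else in_list


def evaluate(rules, dst):
    """First-match lookup; None means no PBF rule applied (normal routing)."""
    for rule in rules:
        if rule.matches(dst):
            return rule.next_hop
    return None


def expand_negate(scope, excluded):
    """The explicit list a non-negated rule would need: every block of `scope`
    that lies outside all of `excluded`."""
    remaining = [scope]
    for ex in excluded:
        nxt = []
        for net in remaining:
            if net.subnet_of(ex):        # fully covered by an exclusion: drop it
                continue
            if ex.subnet_of(net):        # carve the exclusion out of this block
                nxt.extend(net.address_exclude(ex))
            else:
                nxt.append(net)          # disjoint: keep as-is
        remaining = nxt
    return sorted(remaining)


# Constructed values: the /16 and the two excluded subnets from the reply,
# 192.168.2.1 as the example next-hop gateway.
INTERNAL = ipaddress.ip_network("192.168.0.0/16")
EXCLUDED = [ipaddress.ip_network("192.168.199.0/24"),
            ipaddress.ip_network("192.168.66.0/25")]
NEXT_HOP = "192.168.2.1"

NEGATED_RULE = PbfRule("to-remote-except-two", EXCLUDED, True, NEXT_HOP)
EXPLICIT_RULE = PbfRule("to-remote-listed",
                        expand_negate(INTERNAL, EXCLUDED), False, NEXT_HOP)


def compare(dst):
    """Return (negated-rule decision, explicit-rule decision) for one destination."""
    return evaluate([NEGATED_RULE], dst), evaluate([EXPLICIT_RULE], dst)


if __name__ == "__main__":
    print(f"explicit rule needs {len(EXPLICIT_RULE.destinations)} entries vs "
          f"{len(NEGATED_RULE.destinations)} with negate")
    for host in ["192.168.10.5", "192.168.199.7", "192.168.66.100",
                 "192.168.66.200", "10.0.0.5"]:
        print(host, compare(host))
```

Two entries with negate replace fifteen explicit blocks. Note the one place the two rules differ: a destination such as 10.0.0.5 is "not equal to" the listed subnets, so the negated rule forwards it too, while the explicit list only ever covered 192.168.0.0/16. When a negated destination is meant to apply only to internal traffic, scope the rule with its source address (or source zone) as well, otherwise it silently becomes a catch-all.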
