Tunnel Monitoring for VPN between PA and ASA issues


L0 Member

I have read various articles but I am still not very clear on the tunnel monitoring, proxy IDs and the IP addresses on the tunnel and tunnel.1 interfaces I am supposed to be using. I also am not sure what I need the ASA to set up to help me get our VPN tunnel running and ready for failover.

I tried to follow the configuration article "How to Configure a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover", but I get very confused when they talk about the PBF and the tunnels needing IP addresses. Which tunnels need IP addresses? I have tunnel and tunnel.1, and what should those addresses be? This article gets confusing when the other end is an ASA firewall, not a PA. There is just a note at the end that gets into more details, but it doesn't show the details.

When I set the arbitrary IP address on the tunnel, do I use that IP address anyplace else, or do I continue to use the peer address and remote internal IP address everyplace else?

I know the ASA needs to create a static route on their end for the return of that tunnel IP address; does that static route just send that private IP back down the tunnel?

They discuss needing Proxy IDs and getting the mirror image of that Proxy ID on the ASA. Is the remote IP for that Proxy ID supposed to be the remote public IP, the remote internal IP, or the specific IP of the device I am pinging? How does the ASA set up its Proxy ID? The person I am dealing with has never set up a proxy ID on the ASA before.

I am sure I have more questions and that this post is a bit confusing, but this VPN setup is very new to me, let alone one with an ASA with dual ISPs.

Accepted Solution

Cyber Elite

Hello,

This one might be a bit tough; however, I'll give it a try. The ASA will not build two tunnels to the same endpoint like a PAN, so I'm not sure how your dual ISPs will work in this scenario.

The PAN Proxy IDs are the same subnets that the ASA has in its source crypto maps for the tunnel.

A Policy Based Forwarding config works by sending all traffic down one path unless that path, the monitor IP, is unavailable. Then use the check box for 'Disable this rule...' so that the Virtual Router takes over routing. The PBF takes effect prior to the Virtual Router routes.

"When I set the arbitrary IP address on the tunnel, do I use that IP address anyplace else, or do I continue to use the peer address and remote internal IP address everyplace else?"

The IPs for the tunnel interfaces can be anything you want; I use /30s for them. They do not have to be anywhere in the VPN config on either device. I only set them on the PANs.

"I know the ASA needs to create a static route on their end for the return of that tunnel IP address; does that static route just send that private IP back down the tunnel?"

Yes, that is correct, but it does not have to be defined on the ASA. The tunnel IP is configured on the PAN Tunnel Interface.

I hope this helps clarify things.

Cheers!

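As an added example (not from the thread, and not vendor code), a small Python check that the PAN proxy IDs are the exact mirror image of the ASA crypto-map ACL, and that the tunnel-monitor destination lies inside a proxy-ID remote subnet so the monitor pings can actually traverse the tunnel. All addresses are constructed; the assumed ASA format is the standard `access-list NAME extended permit ip SRC MASK DST MASK` line.

```python
import ipaddress
import re

# Constructed sample data (not from the thread): PAN-OS proxy IDs as (local, remote)
# CIDR pairs, the matching ASA crypto ACL, and the tunnel-monitor destination host.
PAN_PROXY_IDS = [
    ("192.168.10.0/24", "172.16.20.0/24"),
    ("192.168.11.0/24", "172.16.20.0/24"),
]
ASA_CRYPTO_ACL = """
access-list VPN-TO-PAN extended permit ip 172.16.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-TO-PAN extended permit ip 172.16.20.0 255.255.255.0 192.168.11.0 255.255.255.0
"""
TUNNEL_MONITOR_DEST = "172.16.20.10"

# ASA ACE: source (ASA-local) network/mask followed by destination (PAN-local) network/mask.
ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_asa_acl(text):
    """Return the set of (asa_local, asa_remote) networks found in an ASA crypto ACL."""
    pairs = set()
    for m in ACL_RE.finditer(text):
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        pairs.add((src, dst))
    return pairs


def check_proxy_ids(pan_ids, asa_acl_text, monitor_ip):
    """List mismatches: every PAN (local, remote) must exist on the ASA as (remote, local),
    every ASA ACE must exist on the PAN, and the monitor host must sit in a remote subnet."""
    asa_pairs = parse_asa_acl(asa_acl_text)
    pan_pairs = {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in pan_ids}
    problems = []
    for local, remote in pan_pairs:
        if (remote, local) not in asa_pairs:
            problems.append(f"PAN proxy-id {local} -> {remote} has no ASA crypto ACL mirror")
    for asa_local, asa_remote in asa_pairs:
        if (asa_remote, asa_local) not in pan_pairs:
            problems.append(f"ASA ACE {asa_local} -> {asa_remote} has no PAN proxy-id mirror")
    mon = ipaddress.ip_address(monitor_ip)
    if not any(mon in remote for _, remote in pan_pairs):
        problems.append(f"tunnel-monitor destination {mon} is outside every proxy-id remote subnet")
    return problems


if __name__ == "__main__":
    print(check_proxy_ids(PAN_PROXY_IDS, ASA_CRYPTO_ACL, TUNNEL_MONITOR_DEST) or "proxy IDs mirror the ASA ACL")
```

An empty result means phase 2 selectors agree on both sides; any reported line is the usual cause of a tunnel that negotiates phase 1 but never passes traffic or whose monitor stays down.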

3 REPLIES


Cyber Elite

@kopps,

I had meant to reply to this one the other day, but never got the time to actually type something up. Essentially everything @OtakarKlier has told you is correct. The issue that you are going to run into is that the ASA really doesn't have anything like the PBF feature, which is essentially the thing that would actually allow this to function. Since the tunnels would be accessing the same IPs, there isn't going to be a way to keep them both up on the ASA for immediate failover.

Thanks for the response.
