I require the same ports to be forwarded to different servers in our Amazon VPC. I've set up 2 interfaces each with their own EIPs and attached them to the VM-300. Traffic flows properly to the first server and the IPsec tunnels work through the first interface. Setting up the 2nd public interface with the same settings as the first and creating the necessary security and NAT policies to allow traffic to flow to the 2nd server shows incoming traffic going to that interface's private IP, but the traffic ages out. If I restart the instance, none of the traffic makes it to either server and the IPsec tunnels will not come back up.
How are you setting up the routing? If you have two data plane interfaces with public IPs, they cannot both ingest the default route or you will get odd behavior. You'll need to create a more specific static route on at least one of those interfaces for bringing up the tunnel.
If you have both of the interfaces set up as DHCP, the default setting will be for them both to add the AWS gateway as the default route and you will get unpredictable results.
Another test to try is to allow ping to/from both ends of both VPNs and make sure they are routing symmetrically.
Yes, I have set both interfaces to use DHCP and am using the default virtual router.
As it is currently configured, I have both public interfaces in the same public subnet of the VPC. Both servers that have traffic forwarded to them from their respective public interfaces with their NAT and security policies are on the same private subnet. All of the IPsec VPN tunnels are on the first public interface.
Are you saying I will need to set up a separate AWS internet gateway and/or a separate virtual router for each public interface?
If you have both dataplane interfaces configured as the interface for the default route, you will get asymmetric routing for one of the interfaces.
Easiest solution is to remove the default route from one interface (say E1/2) and then set up a static route to use E1/2 for only the remote IPsec endpoint that should connect to that interface.
Then you will need to set up static routes on the tunnel interfaces for the specific routes that should use each of the VPN tunnels.
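A small longest-prefix-match simulation of the routing behaviour this reply describes, added here as an illustration and not code from the thread or from PAN-OS; the interface names, peer addresses and gateway address are constructed for the walk-through.

```python
"""Simulate why two DHCP default routes give asymmetric replies, and how one
default route plus a host route for the second IPsec peer restores symmetry.
Added illustration; addresses and interface names are constructed."""
from ipaddress import ip_address, ip_network

# A route is (destination prefix, egress interface, next hop, metric).

def lookup(routes, dst):
    """Most specific matching prefix wins; ties go to the lowest metric and,
    if still tied, to the route installed first (first entry in the list).
    Returns (interface, next_hop) or None when nothing matches."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in ip_network(r[0])]
    if not matches:
        return None
    best = max(matches, key=lambda r: (ip_network(r[0]).prefixlen, -r[3]))
    return best[1], best[2]

def reply_is_symmetric(routes, ingress_if, src_ip):
    """A session that arrived on ingress_if from src_ip only stays healthy
    if the reply leaves through the same interface; otherwise the reply goes
    out the other EIP and the session ages out, as the thread describes."""
    hit = lookup(routes, src_ip)
    return hit is not None and hit[0] == ingress_if

# Constructed addresses for the example.
PEER_A = "203.0.113.10"   # IPsec peer meant to terminate on ethernet1/1
PEER_B = "198.51.100.20"  # IPsec peer meant to terminate on ethernet1/2
GW = "10.0.1.1"           # subnet gateway handed out by the AWS DHCP server

# Before: both DHCP clients install a default route; only the first one ever
# wins, so every reply leaves via ethernet1/1.
BOTH_DEFAULT = [
    ("0.0.0.0/0", "ethernet1/1", GW, 10),
    ("0.0.0.0/0", "ethernet1/2", GW, 10),
]

# After (the fix in the reply above): one default route, plus a /32 static
# route steering the ethernet1/2 IPsec peer out of ethernet1/2.
ONE_DEFAULT_PLUS_STATIC = [
    ("0.0.0.0/0", "ethernet1/1", GW, 10),
    (PEER_B + "/32", "ethernet1/2", GW, 10),
]
```

Only the peer covered by the /32 is fixed this way; anything else arriving on ethernet1/2 still replies out of ethernet1/1, which is why the tunnel interfaces also need their own specific static routes.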
All of the IPsec VPN tunnels are on the first interface. My reason for having more than one public interface is for forwarding the same ports to different servers of the public IPs, in this case HTTP and HTTPS.
EIP 0 - Palo management interface
EIP 1 - Palo public interface 1 - ports 80 and 443 of server 1 (NAT and security policies); all IPsec VPN tunnels
EIP 2 - Palo public interface 2 - ports 80 and 443 of server 2 (NAT and security policies)
Palo private interface as gateway for all servers in the VPC.