06-30-2020 08:07 AM
I have 2 AWS instances (Prod and Stage), each with redundant VPN tunnels to the same remote-end Palo. I set up path monitoring for each so that when one tunnel is down, the route is removed and the backup route is put in the FIB. This only works with our Stage instance and not our Prod instance. In each case, the tunnel state on the AWS side does not reflect the fact that I brought the tunnel down on the Palo side. We also have seen times when the AWS tunnel was down, but the Palo side showed the tunnel as up. Has anyone seen this, or is anyone using AWS with VPN to Palos and have failover working properly?
06-30-2020 10:06 AM
What are your ping interval and count set to, along with your preemptive hold value? What version of PAN-OS are you running?
This should just work; regardless of whether your VM-Series is running in AWS, Azure, or ESXi, there really isn't anything special in the configuration due to the hypervisor being utilized. The tunnels will likely show as up unless you've set up tunnel monitoring so the actual tunnels are checking status; you're kind of already doing that with the path monitoring on the static routes, but that doesn't really do anything as far as the actual tunnel itself is concerned.
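The distinction drawn above, as an added configuration example that is not part of the original thread or any poster's config: path monitoring on the static route only controls which route sits in the FIB, while a tunnel monitor on the IPsec tunnel object checks the tunnel itself and, with a fail-over action, lets the firewall tear it down when the probe fails. Both are shown in PAN-OS 8.1-style set-command syntax. The virtual router name, route names, tunnel names, the 10.0.0.0/16 VPC prefix and the 169.254.100.x/30 inside-tunnel addresses are placeholders, and the exact command syntax should be checked against the CLI on your own firewall before committing.

```text
# --- Static routes to the VPC: primary via tunnel.1, backup via tunnel.2 (higher metric) ---
set network virtual-router default routing-table ip static-route to-vpc-primary destination 10.0.0.0/16 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route to-vpc-backup  destination 10.0.0.0/16 interface tunnel.2 metric 20

# --- Path monitoring on the PRIMARY route only.
#     Probes the AWS inside-tunnel address through tunnel.1; on failure the route is
#     withdrawn from the FIB and to-vpc-backup takes over. This says nothing about
#     the IPsec SA itself, which is the point made in the reply above.
set network virtual-router default routing-table ip static-route to-vpc-primary path-monitor enable yes
set network virtual-router default routing-table ip static-route to-vpc-primary path-monitor failure-condition any
set network virtual-router default routing-table ip static-route to-vpc-primary path-monitor hold-time 2
set network virtual-router default routing-table ip static-route to-vpc-primary path-monitor monitor-destinations aws-t1 enable yes
set network virtual-router default routing-table ip static-route to-vpc-primary path-monitor monitor-destinations aws-t1 source 169.254.100.2/30
set network virtual-router default routing-table ip static-route to-vpc-primary path-monitor monitor-destinations aws-t1 destination 169.254.100.1
set network virtual-router default routing-table ip static-route to-vpc-primary path-monitor monitor-destinations aws-t1 interval 3
set network virtual-router default routing-table ip static-route to-vpc-primary path-monitor monitor-destinations aws-t1 count 5

# --- Tunnel monitoring on the IPsec tunnel objects themselves.
#     A monitor profile with action fail-over: after <threshold> missed probes at
#     <interval> seconds the firewall treats the tunnel as down and traffic follows
#     whatever route is now in the FIB. Apply it to both tunnels.
set network profiles monitor-profile aws-tunnel-mon action fail-over interval 3 threshold 5
set network tunnel ipsec aws-vpn-1 tunnel-monitor enable yes destination-ip 169.254.100.1 tunnel-monitor-profile aws-tunnel-mon
set network tunnel ipsec aws-vpn-2 tunnel-monitor enable yes destination-ip 169.254.101.1 tunnel-monitor-profile aws-tunnel-mon
```

Two things to check when testing failover with this in place: the path-monitor `count`/`interval` (5 x 3 s here) and the tunnel-monitor `threshold`/`interval` should be aligned, or the route can flip before the tunnel is declared down (or the reverse); and the `hold-time` is in minutes, so after the primary recovers the firewall waits that long before preempting back. Neither setting changes what the AWS console reports for tunnel status, which is driven by the IKE/IPsec SA state on the AWS side, so a tunnel you have administratively disabled on the Palo can still show as up there until the SA lifetime or DPD catches up.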
06-30-2020 10:17 AM
@BPry Interval is the default of 3 seconds and hold is the default of 2 mins. PAN-OS 8.1.11. To clarify, we only have a Palo at one end. We are using AWS VPC/VPN natively on the AWS side. The issue is that in our Prod instance the VPN failover is not working. I manually shut down the primary IPsec tunnel and the path monitor removes the active route properly and adds the backup route to the FIB as it should. The path monitor shows the tunnel is down and the traffic leaves the 2nd tunnel interface, but no traffic comes back. Also, the AWS side does not show the tunnel being down in either the Prod or Stage instances, so I'm not sure how AWS is routing traffic over the tunnels.
06-30-2020 11:27 AM
Hello,
This could be a config issue on the AWS side? I would double check both sides to make sure the proper settings are configured.
Regards,