AWS VPN Tunnel and Path Monitoring

L1 Bithead


I have 2 AWS instances (Prod and Stage), each with redundant VPN tunnels to the same remote-end Palo. I set up path monitoring for each so that when one tunnel is down, the route is removed and the backup route is put in the FIB. This only works with our stage instance and not our prod instance. In each case, the tunnel state on the AWS side does not reflect the fact that I brought the tunnel down on the Palo side. We have also seen times when the AWS tunnel was down, but the Palo side showed the tunnel as up. Has anyone seen this, or is anyone using AWS with VPN to Palos and has failover working properly?

Cyber Elite

Re: AWS VPN Tunnel and Path Monitoring

@eridavis,

What is your ping interval and count set to, along with your preemptive hold value? What version of PAN-OS are you running?


This should just work; regardless of whether your VM-Series is running in AWS, Azure, or ESXi, there really isn't anything special to the configuration due to the hypervisor being utilized. The tunnels will likely show as up unless you've set up tunnel monitoring so the actual tunnels are checking status; you're kind of already doing that with the path monitoring on the static routes, but that doesn't really do anything as far as the actual tunnel itself is concerned.

L1 Bithead

Re: AWS VPN Tunnel and Path Monitoring

@BPry Interval is the default of 3 seconds and hold is the default of 2 mins. PAN-OS 8.1.11. To clarify, we only have a Palo at one end. We are using AWS VPC/VPN natively on the AWS side. The issue is that in our Prod instance the VPN failover is not working. I manually shut down the primary IPsec tunnel and the path monitor removes the active route properly and adds the backup route to the FIB as it should. The path monitor shows the tunnel is down and the traffic leaves the 2nd tunnel interface, but no traffic comes back. Also, the AWS side does not show the tunnel being down in either the prod or stage instances, so I'm not sure how AWS is routing traffic over the tunnels.
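As an added example (not from this thread or from either vendor), the following check reads the AWS-side view of a Site-to-Site VPN in the shape of the EC2 DescribeVpnConnections `VgwTelemetry` data and flags tunnels that are DOWN, BGP tunnels with no accepted routes, and VPNs that have lost redundancy. The connection IDs, addresses and statuses are constructed for the example; in practice you would feed it the output of `describe_vpn_connections` and compare the result with `show vpn ipsec-sa` on the firewall.

```python
# Constructed data shaped like ec2.describe_vpn_connections()["VpnConnections"].
# Field names follow the EC2 API; IDs, addresses and statuses are made up.
SAMPLE_VPN_CONNECTIONS = [
    {   # static-route VPN: AWS reports both tunnels UP even though one was
        # shut down on the firewall side (the mismatch described in the thread)
        "VpnConnectionId": "vpn-0prod00000000000",
        "Options": {"StaticRoutesOnly": True},
        "VgwTelemetry": [
            {"OutsideIpAddress": "198.51.100.10", "Status": "UP",
             "StatusMessage": "", "AcceptedRouteCount": 0},
            {"OutsideIpAddress": "198.51.100.11", "Status": "UP",
             "StatusMessage": "", "AcceptedRouteCount": 0},
        ],
    },
    {   # BGP VPN: one tunnel down, the other up but with no accepted routes
        "VpnConnectionId": "vpn-0stage0000000000",
        "Options": {"StaticRoutesOnly": False},
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "DOWN",
             "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
            {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
             "StatusMessage": "", "AcceptedRouteCount": 0},
        ],
    },
]


def assess_tunnels(vpn_connections):
    """Return (vpn_id, outside_ip, finding) triples for tunnels needing attention.

    'Status' is AWS's own view of the IKE/IPsec SAs and can lag the customer
    gateway's view; 'AcceptedRouteCount' is only meaningful for BGP VPNs.
    """
    findings = []
    for vpn in vpn_connections:
        vpn_id = vpn["VpnConnectionId"]
        bgp = not vpn.get("Options", {}).get("StaticRoutesOnly", False)
        usable = 0
        for t in vpn["VgwTelemetry"]:
            ip = t["OutsideIpAddress"]
            if t["Status"] != "UP":
                findings.append((vpn_id, ip, "DOWN: " + t.get("StatusMessage", "")))
            elif bgp and t["AcceptedRouteCount"] == 0:
                findings.append((vpn_id, ip, "UP but BGP accepted no routes"))
            else:
                usable += 1
        if usable < 2:  # redundancy lost, or no return path from AWS at all
            findings.append((vpn_id, None, "no usable tunnel" if usable == 0 else "single usable tunnel"))
    return findings
```

Note that the prod VPN produces no findings: an AWS-side check alone cannot see that the firewall brought a tunnel down until the SAs on the AWS side are actually torn down.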

Cyber Elite

Re: AWS VPN Tunnel and Path Monitoring

Hello,

This could be a config issue on the AWS side? I would double check both sides to make sure the proper settings are configured.


Regards,
