I am trying to set a GRE tunnel between Palo Alto PA-850-ZTP and zscaler.
I have tunnel.1 and tunnel.2 created as Primary and Secondary.
static routed default towards Internet.
GRE tunnel Primary and secondary configured with Public local and peer IPs with tunnel interface .1 and .2 respectively.
PBF rule is created for Primary and secondary Tunnel:
I am able to ping from tunnel private IP of Palo alto to Zscaler side and all the logs are fine.
But when I try to failover to Secondary I cant ping to from palo tunnel Private IP to Zscaler tunnel private IP.
I failed over by disabling Primary GRE tunnel.
Please suggest what I am missing so that I could able to failover and use the secondary GRE tunnel.
#GRE_tunnel #failover GRE Tunnel to Zscaler failover
- In case you have made specific zones for your GRE Tunnels, have you tried establishing a policy in security that allows the different zones to reach each other? (GRE to WAN, LAN to GRE etc)
- From what I've tested, there are two options ;
a. Policy based forwarding + Path monitoring (in your case, have you enabled path monitoring?)
b. enabling GRE Keepalives
From there you would need to configure the routes so that traffic goes through the tunnels. The tunnels would need different metrics to allow failover.
Hope this could help! Feel free to update and we can look into it again if it doesn't work.
Hi @smshafek ,
There are security rules already created for tunnel zone.
I am using PBF and path monitoring.
As I mentioned earlier there is Primary Tunnel up and running but the issue only is with secondary tunnel.
Secondary tunnel is down and I have opened a case with Zscaler side and will troubleshoot further with them.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!