This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GRE tunnel failover issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GRE tunnel failover issue

Gaurav.Singh
L1 Bithead

‎08-16-2022 05:44 AM

Hi Community,

 

I am trying to set a GRE tunnel between Palo Alto PA-850-ZTP and zscaler.

Issue:

I have tunnel.1 and tunnel.2 created as Primary and Secondary. 

GauravSingh_1-1660652111162.png

 

static routed default towards Internet.

GauravSingh_2-1660652222304.png

 

GRE tunnel Primary and secondary configured with Public local and peer IPs with tunnel interface .1 and .2 respectively.  

GauravSingh_0-1660652053031.png

PBF rule is created for Primary and secondary Tunnel:

GauravSingh_3-1660652596481.png

I am able to ping from tunnel private IP of Palo alto to Zscaler side and all the logs are fine.

 

But when I try to failover to Secondary I cant ping to from palo tunnel Private IP to Zscaler tunnel private IP. 

 

I failed over by disabling Primary GRE tunnel. 

 

Please suggest what I am missing so that I could able to failover and use the secondary GRE tunnel. 

 

Thanks. 

#GRE_tunnel  #failover GRE Tunnel to Zscaler failover  

0 Likes Likes
2 REPLIES 2

smshafek
L1 Bithead

‎08-21-2022 11:16 PM

Hi @Gaurav.Singh,

- In case you have made specific zones for your GRE Tunnels, have you tried establishing a policy in security that allows the different zones to reach each other? (GRE to WAN, LAN to GRE etc)
- From what I've tested, there are two options ;
a. Policy based forwarding + Path monitoring (in your case, have you enabled path monitoring?)
b. enabling GRE Keepalives
From there you would need to configure the routes so that traffic goes through the tunnels. The tunnels would need different metrics to allow failover.

Hope this could help! Feel free to update and we can look into it again if it doesn't work.

0 Likes Likes

Gaurav.Singh
L1 Bithead
In response to smshafek

‎08-22-2022 02:15 AM

Hi @smshafek ,

 

There are security rules already created for tunnel zone.

I am using PBF and path monitoring. 

 

As I mentioned earlier there is Primary Tunnel up and running but the issue only is with secondary tunnel. 

Secondary tunnel is down and I have opened a case with Zscaler side and will troubleshoot further with them.

 

 

0 Likes Likes
  • 1920 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks