GRE Tunnel to Zscaler failover


L1 Bithead

Hello,

I have two Destination IPs (one for each GRE Tunnel to Zscaler). How would I need to configure my palo alto firewall to allow GRE Tunnel Failover, so that traffic only flows through the primary tunnel and flows through the secondary tunnel when the first one fails?

Thanks!

ACCEPTED SOLUTION

Cyber Elite

Hi @smshafek

The last time I had to deal with tunnels to Zscaler was before the GRE Tunnel support on Palo Alto FWs, so I haven't tested this personally. Can you please clarify for me:

- Are you using IPsec encryption (GRE over IPsec), or is it pure GRE without IPsec?

- How have you configured the routing for traffic over the tunnels at the moment?

- Is your deployment something similar to this - https://community.zscaler.com/t/gre-tunnel-from-palo-alto-firewall/8024/2

Assuming you are using pure GRE without IPsec:

- You need to enable GRE keepalive under each tunnel

- Create two static routes with different metrics

GRE keepalive will "disable" the tunnel interface when it detects issues with the GRE tunnel. This in turn will "disable" the static route pointing to that tunnel, which means the firewall will use the second route. Upon primary GRE tunnel recovery, the primary static route will be available again and, since it has the lower metric, the firewall will automatically switch to it.

Note: in the link above they are using PBF rules (I still don't get why people love to make their lives miserable with PBF...) instead of static routes. In this case you need to use PBF path monitoring instead of relying on the GRE keepalives.


3 REPLIES


Hi @Astardzhiev ,

Thanks for the reply. I'm using pure GRE with no IPsec and I was following the documentation from Zscaler.

The failover works now. It seems the solution is either PBF and path monitoring, OR keepalives. My configuration was such that both path monitoring and keepalives were active, and it didn't work out. I've also configured the two static routes with different metrics.

On a side note, why is there PBF anyway?

Thanks again for the reply, it was really helpful.

Hi @smshafek ,

I am also wondering why people are still suggesting the use of PBF for tunnel (IPsec or GRE) failover... I am only guessing that this was the way long, long ago with earlier versions of PAN-OS.

GRE keepalives wouldn't affect PBF routing, because PBF rules are enforced the same way as security policy: first match, top to bottom, no matter if the tunnel is down and the next hop is not available. Enabling path monitoring in a PBF rule will disable that rule if the ping probes don't receive replies. But this is true only if you use "fail-over" for the monitoring profile; "wait-recover" will have a different effect - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-based-forwarding/pbf/path-mo...

So PBF rules with path monitoring and a "fail-over" monitor profile should work as well.

Anyway, I always recommend staying away from PBF whenever possible, so you should stick with the static routes with different metrics and GRE keepalives.
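To make the difference between the two designs in this thread concrete (the accepted answer's static routes with metrics plus GRE keepalives, and this reply's point that PBF is first-match and only reacts to a dead tunnel when path monitoring with a "fail-over" profile is attached), here is a small Python model of both selection mechanisms. It is an added example written for this page, not code from the thread and not how PAN-OS is implemented: the interface names, prefixes, destination addresses, the keepalive retry count of three and the "probe results" are all constructed for illustration, and the keepalive interval and hold timer are not modelled.

```python
# Added example (not from the thread or from Palo Alto Networks): a model of
# static-route failover driven by GRE keepalives versus PBF first-match
# forwarding with and without path monitoring. All names and values are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class TunnelIf:
    """A GRE tunnel interface with a minimal keepalive state machine.
    retry=3 is an assumed value: three consecutive missed keepalives mark it down."""
    name: str
    retry: int = 3
    missed: int = 0
    up: bool = True

    def keepalive(self, reply_received: bool) -> bool:
        """Process one keepalive cycle and return the resulting operational state."""
        if reply_received:
            self.missed = 0
            self.up = True
        else:
            self.missed += 1
            if self.missed >= self.retry:
                self.up = False
        return self.up


@dataclass
class StaticRoute:
    destination: str
    interface: str
    metric: int


@dataclass
class PbfRule:
    name: str
    source: str
    egress: str
    path_monitor: bool = False  # True = "fail-over" monitoring profile attached


def lookup_static(routes, ifaces, dst_ip):
    """Static-route selection: longest prefix wins, then lowest metric.
    A route whose tunnel interface is down (keepalive failed) is not a candidate."""
    dst = ip_address(dst_ip)
    candidates = [r for r in routes
                  if ifaces[r.interface].up and dst in ip_network(r.destination)]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-ip_network(r.destination).prefixlen, r.metric))
    return best.interface


def lookup_pbf(rules, src_ip, probe_ok):
    """PBF: first matching rule top to bottom. Interface state is ignored; only a
    rule with path monitoring is skipped when its probes fail."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.path_monitor and not probe_ok.get(rule.egress, True):
            continue  # monitoring profile "fail-over": rule disabled while probes fail
        if src in ip_network(rule.source):
            return rule.egress
    return None


def run_scenarios():
    """Walk both designs through healthy, primary-down and recovered states."""
    t1, t2 = TunnelIf("tunnel.1"), TunnelIf("tunnel.2")
    ifaces = {"tunnel.1": t1, "tunnel.2": t2}
    routes = [StaticRoute("0.0.0.0/0", "tunnel.1", 10),   # primary, lower metric
              StaticRoute("0.0.0.0/0", "tunnel.2", 20)]   # secondary
    results = {}
    results["static_healthy"] = lookup_static(routes, ifaces, "198.51.100.7")
    for _ in range(3):                 # primary stops answering keepalives
        t1.keepalive(False)
    results["static_primary_down"] = lookup_static(routes, ifaces, "198.51.100.7")
    t1.keepalive(True)                 # primary recovers; lower metric wins again
    results["static_recovered"] = lookup_static(routes, ifaces, "198.51.100.7")

    probe_ok = {"tunnel.1": False, "tunnel.2": True}  # primary probes failing
    no_monitor = [PbfRule("to-zs-primary", "10.0.0.0/8", "tunnel.1"),
                  PbfRule("to-zs-secondary", "10.0.0.0/8", "tunnel.2")]
    # Without path monitoring the first rule still matches: traffic is black-holed.
    results["pbf_no_monitor_primary_down"] = lookup_pbf(no_monitor, "10.1.2.3", probe_ok)
    monitored = [PbfRule("to-zs-primary", "10.0.0.0/8", "tunnel.1", path_monitor=True),
                 PbfRule("to-zs-secondary", "10.0.0.0/8", "tunnel.2", path_monitor=True)]
    results["pbf_monitor_primary_down"] = lookup_pbf(monitored, "10.1.2.3", probe_ok)
    return results


if __name__ == "__main__":
    for scenario, egress in run_scenarios().items():
        print(f"{scenario}: {egress}")
```

The two PBF scenarios are the reason keepalives alone did not help the original poster's PBF-based setup: the primary rule keeps matching while its tunnel is dead unless a path-monitoring profile removes it, whereas with static routes the keepalive-driven interface state is enough to withdraw the primary route and, on recovery, bring it back ahead of the higher-metric secondary.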
