Need help to achieve IPsec VPN failover between Paloalto to Meraki

L2 Linker

Hi All,

 

I need help to achieve IPsec VPN failover between a Palo Alto and a Meraki.

4 REPLIES

L4 Transporter

Hello,

Your question is not clear. Can you explain what you are trying to achieve on the VPN failover part?

 

Anoopkumar
Network Security Engineer

L2 Linker

@AKuzhuppilly 

 

Two branches: one has a Palo Alto and the other a Meraki.

 

Branch A's Palo Alto is configured with two IPsec VPNs, and Branch B's Meraki is likewise configured with two IPsec VPNs.

 

Both IPsec tunnels are up but traffic is not passing. If I disable one tunnel the traffic passes, and vice versa. My requirement is to achieve IPsec failover between the two tunnels; the peer end is a Meraki.

 

Kindly help and suggest how to solve the failover. I have already tried path monitor and tunnel monitor, but no luck.

 

Thank you

 

 

L4 Transporter

Hello,

Still not clear. Can I confirm that your connectivity is as below?

 

[image: PA-Meraki.png]

 

If so, tunnel monitoring should be able to remove the route and point it to the secondary ISP (using IPsec 2) during a failure. What is the 'monitor profile' action? It should be set to 'failover'.

You may refer to the KB below:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

 

 

Anoopkumar
Network Security Engineer

Hi @AhamadullahM ,

To achieve IPsec failover you need both ends of the tunnel to be able to detect the issue and perform the failover; if only one side of the tunnel performs the failover, you will have asymmetric routing.

 

From the Palo Alto point of view the setup is as follows:

- The Palo Alto firewall implements route-based VPN, which means the firewall relies on the routing table to decide which traffic to encrypt over each tunnel.

- To achieve IPsec failover you need two IPsec tunnels configured and two static routes for the destination network, one pointing to each tunnel.

- By default the PAN firewall will not allow you to configure two static routes for the same destination with exactly the same metric. This means the second route will have a higher metric; therefore only the first route will be installed in the FIB and traffic will be sent over the first tunnel.

- Tunnel monitor will detect when a tunnel has issues and "disable" the logical tunnel interface associated with that tunnel. Because the interface is "down", all routes associated with it will be removed from the FIB, and the firewall will start using the second route and sending traffic over the second tunnel.

- When tunnel monitor detects that the tunnel is up again, it will "enable" the tunnel interface and install the primary route (because it has the lowest metric), and traffic will go back over the first tunnel.

 

So when you say "tried tunnel monitor, but no luck", note that the cause could be on the Meraki side.

Can you please provide more information on how the Meraki is configured to perform tunnel failover?

More details on "tried tunnel monitor, but no luck": did the tunnel with the monitor go down even though it is actually up? Or does traffic not fail over when the first tunnel is down? What issue exactly do you experience?
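As an added worked example (not code from this thread, from Palo Alto Networks or from Cisco Meraki), the following Python model walks through the route-based failover logic described in the two replies above: two static routes to the same destination with different metrics, the tunnel monitor withdrawing the failed interface's routes from the FIB so the next-best route takes over, and the asymmetric-routing outcome when only one end of the tunnel pair fails over. The LAN prefixes, interface names and the "peer keeps its stale route" behaviour are constructed assumptions for illustration, not a statement about how a Meraki actually behaves.

```python
"""Toy model of route-based IPsec failover between two sites (constructed example).

Each site holds two static routes to the remote LAN, one per logical tunnel
interface, with distinct metrics. A tunnel-monitor verdict of "down" withdraws
that interface's routes from the FIB; the next-best route is then used. The
model also checks whether both sites are using the same tunnel pair, i.e.
whether the failover is symmetric.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class StaticRoute:
    destination: str  # remote LAN prefix, e.g. "10.2.0.0/16" (constructed)
    interface: str    # logical tunnel interface, e.g. "tunnel.1"
    metric: int       # lower wins; the two routes must differ in metric


@dataclass
class Site:
    name: str
    routes: list
    # tunnel-monitor verdict per interface; True = peer reachable through it
    tunnel_up: dict = field(default_factory=dict)
    # False models a peer that never withdraws routes on tunnel failure
    failover_enabled: bool = True

    def fib(self):
        """Lowest-metric route per destination whose interface is installed.

        With failover enabled, a monitored-down interface withdraws its routes.
        Without it the interface stays "up" and its routes stay installed even
        though the tunnel carries no traffic.
        """
        best = {}
        for r in self.routes:
            up = self.tunnel_up.get(r.interface, True)
            if self.failover_enabled and not up:
                continue
            cur = best.get(r.destination)
            if cur is None or r.metric < cur.metric:
                best[r.destination] = r
        return best

    def egress(self, destination):
        route = self.fib().get(destination)
        return route.interface if route else None


def symmetric(a, dst_a, b, dst_b):
    """True when both sites egress on the same tunnel pair (same index here)."""
    return a.egress(dst_a) is not None and a.egress(dst_a) == b.egress(dst_b)


def build_sites(peer_failover=True):
    # Constructed addressing: Branch A LAN 10.1.0.0/16, Branch B LAN 10.2.0.0/16
    pa = Site("BranchA-PaloAlto",
              [StaticRoute("10.2.0.0/16", "tunnel.1", 10),
               StaticRoute("10.2.0.0/16", "tunnel.2", 20)],
              {"tunnel.1": True, "tunnel.2": True})
    mx = Site("BranchB-Meraki",
              [StaticRoute("10.1.0.0/16", "tunnel.1", 10),
               StaticRoute("10.1.0.0/16", "tunnel.2", 20)],
              {"tunnel.1": True, "tunnel.2": True},
              failover_enabled=peer_failover)
    return pa, mx


def simulate(peer_failover=True):
    """Walk through: all up -> tunnel 1 fails -> tunnel 1 recovers.

    Returns a list of (stage, PA egress, peer egress, symmetric) tuples.
    """
    pa, mx = build_sites(peer_failover)
    out = []

    def record(stage):
        out.append((stage, pa.egress("10.2.0.0/16"), mx.egress("10.1.0.0/16"),
                    symmetric(pa, "10.2.0.0/16", mx, "10.1.0.0/16")))

    record("all-up")
    # Tunnel 1 loses connectivity; both monitors observe the loss
    pa.tunnel_up["tunnel.1"] = False
    mx.tunnel_up["tunnel.1"] = False
    record("tunnel1-down")
    # Tunnel 1 comes back; the lowest-metric route is reinstalled
    pa.tunnel_up["tunnel.1"] = True
    mx.tunnel_up["tunnel.1"] = True
    record("recovered")
    return out


if __name__ == "__main__":
    for label, fo in (("peer fails over too", True), ("peer keeps stale route", False)):
        print(label)
        for stage, pa_if, mx_if, sym in simulate(fo):
            print(f"  {stage:14} PA->{pa_if}  peer->{mx_if}  symmetric={sym}")
```

In the second run the Palo Alto side correctly moves to tunnel.2 when tunnel 1 fails, but the modelled peer keeps sending on tunnel 1, so the forward and return paths differ; that is the asymmetric routing the reply warns about, and it is why the peer's own failover configuration matters as much as the Palo Alto tunnel monitor.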
