05-24-2023 12:21 PM
05-24-2023 07:47 PM
Hello,
Your question is not clear, can you explain what you are trying to achieve on the VPN failover part?
05-25-2023 02:21 AM
2 branches: one has a Palo Alto and the other a Meraki.
Branch A (Palo Alto) is configured with 2 IPsec VPNs, and likewise branch B (Meraki) is configured with 2 IPsec VPNs.
Both IPsec tunnels are up but traffic is not passing... if I disable one tunnel the traffic passes, and vice versa. My requirement is to achieve IPsec failover between the two tunnels; the peer end is Meraki.
Kindly help and suggest how to solve the failover... I have already tried path monitor and tunnel monitor but no luck.
Thank you
05-25-2023 02:41 AM
Hello,
Still not clear. Can I confirm if your connectivity is as below?
If so, the tunnel monitoring should be able to remove the route and point it to the secondary ISP (using IPSec 2) during a failure. What is the 'monitor profile' action? It should be set to 'failover'.
You may refer to the KB below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO
05-25-2023 06:50 AM
Hi @AhamadullahM ,
To achieve IPsec failover you need both ends of the tunnels to be able to detect the issue and perform the failover; if only one side of the tunnel is performing the failover you will have asymmetric routing.
From the Palo Alto point of view the setup is as follows:
- The Palo Alto firewall implements route-based VPN, which means the firewall relies on the routing table to decide which traffic to encrypt over each tunnel.
- To achieve IPsec failover you need to have two IPsec tunnels configured and two static routes for the destination network, each pointing to one of the tunnels.
- By default the PAN FW will not allow you to configure two static routes for the same destination with exactly the same metric, which means the second route will have a higher metric; therefore only the first route will be installed in the FIB and traffic will be sent over the first tunnel.
- Tunnel monitor will detect when a tunnel has issues and "disable" the logical tunnel interface associated with that tunnel. Because the interface is "down", all routes associated with it will be removed from the FIB, and the firewall will start using the second route and sending traffic over the second tunnel.
- When tunnel monitor detects the tunnel is up again, it will "enable" the tunnel interface and install the primary route (because it has the lowest metric), and start sending traffic over the first tunnel.
So when you say "tried tunnel monitor, but no luck", you need to note that the cause could be on the Meraki side.
Can you please provide more information on how the Meraki is configured to perform tunnel failover?
More details on "tried tunnel monitor, but no luck": did the tunnel with the monitor go down even though it is actually up? Or does traffic not fail over when the first tunnel is down? What issue exactly do you experience?
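An added example, not from the reply above and not Palo Alto's own documentation: a PAN-OS CLI sketch of the Palo Alto side of the route-based failover the reply describes (the Meraki peer still has to fail over on its own, as the reply notes). The interface names, zone, IP addresses (10.2.0.0/24 for the branch B LAN, 10.2.0.1 as the monitored host, 172.16.x.x tunnel IPs), profile and route names are assumed placeholders, and the `set` commands are written from memory of the PAN-OS CLI, so check them against your PAN-OS version.

```text
# Two logical tunnel interfaces, one per IPsec tunnel. Tunnel monitor needs a
# source address, so each gets a small /30 (assumed values).
set network interface tunnel units tunnel.1 ip 172.16.1.1/30
set network interface tunnel units tunnel.2 ip 172.16.2.1/30
set network virtual-router default interface [ tunnel.1 tunnel.2 ]
set zone vpn network layer3 [ tunnel.1 tunnel.2 ]

# Monitor profile with action 'fail-over' (not 'wait-recover'): on failure
# the tunnel interface is brought down, which pulls its route out of the FIB.
set network profiles monitor-profile Tunnel-Failover action fail-over
set network profiles monitor-profile Tunnel-Failover interval 3
set network profiles monitor-profile Tunnel-Failover threshold 5

# Tunnel monitor on each IPsec tunnel, pinging a host behind the Meraki
# (assumed 10.2.0.1) through that specific tunnel.
set network tunnel ipsec BranchB-Primary tunnel-interface tunnel.1
set network tunnel ipsec BranchB-Primary tunnel-monitor enable yes
set network tunnel ipsec BranchB-Primary tunnel-monitor destination-ip 10.2.0.1
set network tunnel ipsec BranchB-Primary tunnel-monitor tunnel-monitor-profile Tunnel-Failover
set network tunnel ipsec BranchB-Secondary tunnel-interface tunnel.2
set network tunnel ipsec BranchB-Secondary tunnel-monitor enable yes
set network tunnel ipsec BranchB-Secondary tunnel-monitor destination-ip 10.2.0.1
set network tunnel ipsec BranchB-Secondary tunnel-monitor tunnel-monitor-profile Tunnel-Failover

# Two static routes to the branch B LAN (assumed 10.2.0.0/24): same
# destination, different metrics. Only the metric-10 route sits in the FIB
# until tunnel.1 is marked down by the monitor; then the metric-20 route
# takes over, and the primary is reinstalled once tunnel.1 recovers.
set network virtual-router default routing-table ip static-route BranchB-via-T1 destination 10.2.0.0/24 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route BranchB-via-T2 destination 10.2.0.0/24 interface tunnel.2 metric 20
commit

# After commit: confirm which route is active and the monitor state of
# each tunnel. While testing, watch that the secondary route appears in
# the FIB when the primary tunnel is taken down and disappears again on
# recovery; if it never appears, the failover is not happening on this side.
show routing fib virtual-router default | match 10.2.0.0
show vpn flow
show vpn tunnel
```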