06-11-2020 09:08 AM
Hello,
I am deploying Active/Passive Palo Alto HA VMs on Azure with an external and internal load balancer topology (picture below). I know that the NAT is done by the public load balancer, so there is no need for a public IP address on the VMs' interfaces for this purpose, but I need to set up IPsec VPN connections between my PA-VMs and other sites. How would I configure the IPsec VPN tunnels: should I put the public IP of the load balancer as the peer IP, or the private IP of the VMs, or should I literally configure my PA-VMs with a public IP on the external interfaces?
I am really blocked on this point; if anyone could help I would be really grateful.
Thank you in advance
Louey
06-26-2020 07:11 AM
You can use the private IP address on the firewall itself, but make sure you use the local identifier and remote identifier options on both sides of the tunnel to make this work. (Imagine your side's IP is a dynamic IP: how would you configure it? The same way.)
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHVCA0
Cheers!
Suresh
06-26-2020 11:28 AM
If you don't want to use a dynamic configuration, which is by far the easiest, I would recommend that you set up a public IP directly on the PAs and not go through the load balancer. While it will work, it'll take a bit of tweaking to ensure that the load balancer isn't causing any issues, since it'll be considered a long-running session.
11-24-2020 01:39 AM
Hi
Did you manage to get this problem resolved? I am going through a similar project at the moment and would appreciate any feedback that you may have.
Thanks
09-01-2023 01:00 AM
@louey11 Did you find the solution, as it is a very old thread? If yes, can you please share any suggestions or documentation for using this setup of having an external load balancer in front of PA VMs which are in Active/Passive mode? I am still looking for a solution on this. Any help would be appreciated, @BPry.