06-23-2021 05:53 AM
Hello All,
I am attempting to set up a primary and backup route to the same IP through two different IPSec tunnels. I have attempted both PBF and Static Route Path Monitoring and can't seem to get either to work; in both cases it is because there is no IP assigned directly to the tunnel interface.
Here's the layout:
Site A
PA-820 Int 3<-------------------> Int 1(Service provider Cisco ISR) route to 192.168.2.0/24 (Primary)
192.168.1.0/24
IPSec Tunnels to Sites B & C
Site B
PA-220 Int 3<-------------------> Int 1(Service provider Cisco ISR) route to 192.168.2.0/24 (Secondary)
192.168.2.0/24
IPSec Tunnels to Sites A & C
Site C
PA-220
192.168.3.0/24
IPSec Tunnels to Sites A & B
The outcome I am looking for is any time Site A or C cannot get to the 192.168.2.0 network through Site A that it will automatically start routing 192.168.2.0 traffic to Site B.
Same for Site B, anytime it cannot get to 192.168.2.0 through its direct connected route, it will pass that traffic to Site A.
The way I have it configured now is with two static routes to 192.168.2.0, with the secondary route having a higher metric and distance, but I was really wanting a more solid solution that would remove the route the way path monitoring or PBF works.
06-23-2021 06:27 AM
Good Day
May I recommend that you simply add an IP address within the tunnel interface, so that you can do tunnel monitoring.
PBF, Static Route Path Monitoring, and Tunnel Monitoring would use IPs for either next hops or monitoring IPs.
06-23-2021 08:24 AM
I did try that. At site A, I added IP 192.168.1.5/24 to the tunnel interface but I get an error that the IP address overlaps with the IP addresses assigned to another interface. How do I fix this?
06-23-2021 08:52 AM
What I would recommend is to have a subnet (could be /30) that would be unique for each VPN.
So for a single VPN, have a different subnet (10.99.99.1/30 on one side and 10.99.99.2/30 on the other) and continue to monitor.
That would be for tunnel monitoring (under your IPSec configuration)
For the static route path monitor, you could have your virtual router "ping" some IP on the remote side of the VPN.
I believe this may alleviate the need to set up tunnel interfaces, or be a way to complement them.
What other questions can we answer?
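The two mechanisms described in the replies above (a unique /30 on each tunnel interface so IPsec tunnel monitoring has a destination, plus static route path monitoring toward an IP on the far side) can be put together as PAN-OS "set" commands on the Site A firewall. This is an added example, not configuration from the thread or from Palo Alto Networks. The interface names (tunnel.1 toward Site B, tunnel.2 toward Site C), the IPsec tunnel names, the virtual router name "default", the /30 addresses and the route names are all assumptions; the tunnel-monitor profile "default" is the built-in one. Verify the exact path-monitor keywords against the PAN-OS version in use before committing.

```text
# Site A, PAN-OS CLI in configure mode. Assumed names: tunnel.1 -> Site B, tunnel.2 -> Site C.

# 1. Give each tunnel interface its own /30 so nothing overlaps with 192.168.1.0/24.
#    Site B side of tunnel.1 is assumed to be 10.99.99.2, Site C side of tunnel.2 is 10.99.99.6.
set network interface tunnel units tunnel.1 ip 10.99.99.1/30
set network interface tunnel units tunnel.2 ip 10.99.99.5/30

# 2. IPsec tunnel monitoring: ping the peer's tunnel IP; on failure the tunnel
#    is marked down and routes pointing at it are withdrawn (per the monitor profile action).
set network tunnel ipsec vpn-to-siteB tunnel-monitor enable yes
set network tunnel ipsec vpn-to-siteB tunnel-monitor destination-ip 10.99.99.2
set network tunnel ipsec vpn-to-siteB tunnel-monitor tunnel-monitor-profile default
set network tunnel ipsec vpn-to-siteC tunnel-monitor enable yes
set network tunnel ipsec vpn-to-siteC tunnel-monitor destination-ip 10.99.99.6
set network tunnel ipsec vpn-to-siteC tunnel-monitor tunnel-monitor-profile default

# 3. Primary route to 192.168.2.0/24 via the directly connected ISR (next hop assumed 192.168.1.254
#    on ethernet1/3), with path monitoring to a host on the 192.168.2.0 side (assumed 192.168.2.1).
set network virtual-router default routing-table ip static-route to-net2-primary destination 192.168.2.0/24
set network virtual-router default routing-table ip static-route to-net2-primary interface ethernet1/3
set network virtual-router default routing-table ip static-route to-net2-primary nexthop ip-address 192.168.1.254
set network virtual-router default routing-table ip static-route to-net2-primary metric 10
set network virtual-router default routing-table ip static-route to-net2-primary path-monitor enable yes
set network virtual-router default routing-table ip static-route to-net2-primary path-monitor failure-condition any
set network virtual-router default routing-table ip static-route to-net2-primary path-monitor hold-time 2
set network virtual-router default routing-table ip static-route to-net2-primary path-monitor monitor-destinations via-isr enable yes
set network virtual-router default routing-table ip static-route to-net2-primary path-monitor monitor-destinations via-isr source 192.168.1.1/24
set network virtual-router default routing-table ip static-route to-net2-primary path-monitor monitor-destinations via-isr destination 192.168.2.1
set network virtual-router default routing-table ip static-route to-net2-primary path-monitor monitor-destinations via-isr interval 3
set network virtual-router default routing-table ip static-route to-net2-primary path-monitor monitor-destinations via-isr count 5

# 4. Backup route to 192.168.2.0/24 through the Site B tunnel. It only needs a higher metric:
#    the tunnel monitor in step 2 removes it if the tunnel itself goes down.
set network virtual-router default routing-table ip static-route to-net2-backup destination 192.168.2.0/24
set network virtual-router default routing-table ip static-route to-net2-backup interface tunnel.1
set network virtual-router default routing-table ip static-route to-net2-backup nexthop ip-address 10.99.99.2
set network virtual-router default routing-table ip static-route to-net2-backup metric 20

commit
```

The point of the /30 is that both monitors need a real IP to source from and to target: tunnel monitoring pings across the tunnel itself, while path monitoring on the primary route pings something that is only reachable if the ISR path is actually delivering traffic, so a tunnel that is "up" but not forwarding is caught as well. Site B gets the mirror image (its own directly connected route primary, tunnel.1 back to Site A as the backup), and Site C simply carries two routes to 192.168.2.0/24 over tunnel.1 and tunnel.2 with different metrics, each pulled by its tunnel monitor. After committing, "show routing route" and "show vpn flow" confirm which route is active and whether the monitors are passing.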