Static Route Path Monitoring for automated VPN failover

Reply
Highlighted
L0 Member

Static Route Path Monitoring for automated VPN failover

Hello,

I would like to know if static route path monitoring can monitoring outside of the interface bound to the static route?

 

For example, I want to monitor across a VPN tunnel and if the test fails, withdraw the static route so traffic fails over to the backup VPN tunnel. I don't have a IP addresses (within the tunnel) on the destination side of the VPN tunnel which is always up and reachable. To get around this, I was hoping to monitor from a different interface to the public IP address of the destination VPN tunnel endpoint e.g. Internet facing interface of my firewall to the internet facing interface of the remote firewall.

 

Is this scenerio possible or can static route path monitoring only monitor a destination which is reachable from the interface configured on the static route? Are there any other features that could get around this issue.

 

Thanks,

 


Accepted Solutions
Highlighted
L6 Presenter

@Bilbo007,

 

In IPSEC tunnel failover scenario, you need to put static route path monitoring on the routes which are pointing to Primary tunnel interface. So If the destination mentioned in the path monitoring fails, that route will get automatically removed from FIB and the next route will get added into FIB which will point same destinations to the Secondary Tunnel interface. So for this, you need to have two routes for same tunnel destinations towards primary and secondary tunnel interfaces keeping higher metric on the secondary tunnel interface route. You will enable path monitoring on Primary tunnel interface route only.  This source IP should be allowed via tunnel.

 

For this configuration, whatever destination you are adding under monitoring, that destination should be reachable via tunnel. Also you need to have IP configured on the tunnel interface which will act as a source IP while monitoring respective destination.  This source IP should be allowed via tunnel.

 

If you try to monitor IP from different interface lets say outside/internet facing so it means you are enabling path monitoring for the route which is being used to reach public IP. Mostly it will be your default route pointing towards internet. With this, it won't create any impact on the tunnel interface route. But it may create problem on your default route which may create problems if destination becomes unreachable. So the scenario that you are saying wont work here.

 

In order to work tunnel failover using static route path monitoring properly, you need to enable path-monitoring on the tunnel static routes only (The way it is explained in first para).

 

There is one more option to configure tunnel monitoring e.g. using Tunnel Monitoring under IPSEC Tunnel Profile, in that case also you need to configure IP on the primary tunnel interface IP on Palo Alto Side.



Mayur

View solution in original post


All Replies
Highlighted
L6 Presenter

@Bilbo007,

 

In IPSEC tunnel failover scenario, you need to put static route path monitoring on the routes which are pointing to Primary tunnel interface. So If the destination mentioned in the path monitoring fails, that route will get automatically removed from FIB and the next route will get added into FIB which will point same destinations to the Secondary Tunnel interface. So for this, you need to have two routes for same tunnel destinations towards primary and secondary tunnel interfaces keeping higher metric on the secondary tunnel interface route. You will enable path monitoring on Primary tunnel interface route only.  This source IP should be allowed via tunnel.

 

For this configuration, whatever destination you are adding under monitoring, that destination should be reachable via tunnel. Also you need to have IP configured on the tunnel interface which will act as a source IP while monitoring respective destination.  This source IP should be allowed via tunnel.

 

If you try to monitor IP from different interface lets say outside/internet facing so it means you are enabling path monitoring for the route which is being used to reach public IP. Mostly it will be your default route pointing towards internet. With this, it won't create any impact on the tunnel interface route. But it may create problem on your default route which may create problems if destination becomes unreachable. So the scenario that you are saying wont work here.

 

In order to work tunnel failover using static route path monitoring properly, you need to enable path-monitoring on the tunnel static routes only (The way it is explained in first para).

 

There is one more option to configure tunnel monitoring e.g. using Tunnel Monitoring under IPSEC Tunnel Profile, in that case also you need to configure IP on the primary tunnel interface IP on Palo Alto Side.



Mayur

View solution in original post

Highlighted
L0 Member

Thank you for all that information. You have answered my question perfectly.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!