Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

VPN from two PAs to Azure with asymmetrical routing using BGP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VPN from two PAs to Azure with asymmetrical routing using BGP

L1 Bithead

We have two on-prem data centers connected with dual L3 EVC links between them on our core switches and we are using OSPF for routing. We also have PA firewalls deployed in each location and we are extending OSPF up to them. We are then connected to Azure over each of the PAs over an IPSEC VPN and using BGP and injecting the OSPF routes.

 

If I disable one of the IPSec tunnels, everything works perfectly.

 

The issue we are having is that Azure is sending return traffic back to the wrong data center location when both IPSec tunnels are up, then of course the firewall is dropping the traffic.

 

What is the best way with BGP to have the backup routes available, but make sure the traffic to each data center is for the local subnets in that data center.

 

For instance:

Data Center 1 - 192.168.30.0/24

Data Center 2 - 10.128.0.0/24

Azure - 10.140.0.0/16

 

I need to make sure that the VPN from Azure to DC1 has a route to 192.168.30.0/24 and 10.128.0.0/24 but the 10.128.0.0/24 should only be a backup route and should send the traffic to DC2 if that route is available.

 

Azure should send traffic to 10.128.0.0/24 to DC2 when that IPSec tunnel is up with a backup route to 192.168.30.0/24.

 

What is the process with BGP to force the route(s) that I'm advertising from DC1, which should be a backup route to DC2, to force it to be a backup route to stop the asymmetrical routing?

1 accepted solution

Accepted Solutions

L1 Bithead

Maybe an easier solution, but I was able to resolve this by creating two entries in the BGP routing instance on each of the Palo's.

 

Created two export rules in each of the Palo's.

 

Created a "locally significant routes" and entered the local networks to the match criteria, set the action of a local preference of 200 to make sure local routes at this site will route to that firewall.

 

Created a "remote routes" and entered the remote networks to the match criteria, set the action of a local preference of 100 and prepended 5 AS paths so that these routes will be available but not as attractive to the Azure IPSec tunnel. If the other IPSec tunnel at our other site is online, these routes are still available for Azure to use to connect to our other site.

 

Did this for both firewalls and is working great now. I have also failed over both firewalls and routing is working as it should.

View solution in original post

1 REPLY 1

L1 Bithead

Maybe an easier solution, but I was able to resolve this by creating two entries in the BGP routing instance on each of the Palo's.

 

Created two export rules in each of the Palo's.

 

Created a "locally significant routes" and entered the local networks to the match criteria, set the action of a local preference of 200 to make sure local routes at this site will route to that firewall.

 

Created a "remote routes" and entered the remote networks to the match criteria, set the action of a local preference of 100 and prepended 5 AS paths so that these routes will be available but not as attractive to the Azure IPSec tunnel. If the other IPSec tunnel at our other site is online, these routes are still available for Azure to use to connect to our other site.

 

Did this for both firewalls and is working great now. I have also failed over both firewalls and routing is working as it should.

  • 1 accepted solution
  • 4950 Views
  • 1 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!