Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
01-06-2021 11:04 PM
We have two on-prem data centers connected with dual L3 EVC links between them on our core switches and we are using OSPF for routing. We also have PA firewalls deployed in each location and we are extending OSPF up to them. We are then connected to Azure over each of the PAs over an IPSEC VPN and using BGP and injecting the OSPF routes.
If I disable one of the IPSec tunnels, everything works perfectly.
The issue we are having is that Azure is sending return traffic back to the wrong data center location when both IPSec tunnels are up, then of course the firewall is dropping the traffic.
What is the best way with BGP to have the backup routes available, but make sure the traffic to each data center is for the local subnets in that data center.
For instance:
Data Center 1 - 192.168.30.0/24
Data Center 2 - 10.128.0.0/24
Azure - 10.140.0.0/16
I need to make sure that the VPN from Azure to DC1 has a route to 192.168.30.0/24 and 10.128.0.0/24 but the 10.128.0.0/24 should only be a backup route and should send the traffic to DC2 if that route is available.
Azure should send traffic to 10.128.0.0/24 to DC2 when that IPSec tunnel is up with a backup route to 192.168.30.0/24.
What is the process with BGP to force the route(s) that I'm advertising from DC1, which should be a backup route to DC2, to force it to be a backup route to stop the asymmetrical routing?
01-09-2021 09:24 AM
Maybe an easier solution, but I was able to resolve this by creating two entries in the BGP routing instance on each of the Palo's.
Created two export rules in each of the Palo's.
Created a "locally significant routes" and entered the local networks to the match criteria, set the action of a local preference of 200 to make sure local routes at this site will route to that firewall.
Created a "remote routes" and entered the remote networks to the match criteria, set the action of a local preference of 100 and prepended 5 AS paths so that these routes will be available but not as attractive to the Azure IPSec tunnel. If the other IPSec tunnel at our other site is online, these routes are still available for Azure to use to connect to our other site.
Did this for both firewalls and is working great now. I have also failed over both firewalls and routing is working as it should.
01-09-2021 09:24 AM
Maybe an easier solution, but I was able to resolve this by creating two entries in the BGP routing instance on each of the Palo's.
Created two export rules in each of the Palo's.
Created a "locally significant routes" and entered the local networks to the match criteria, set the action of a local preference of 200 to make sure local routes at this site will route to that firewall.
Created a "remote routes" and entered the remote networks to the match criteria, set the action of a local preference of 100 and prepended 5 AS paths so that these routes will be available but not as attractive to the Azure IPSec tunnel. If the other IPSec tunnel at our other site is online, these routes are still available for Azure to use to connect to our other site.
Did this for both firewalls and is working great now. I have also failed over both firewalls and routing is working as it should.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
