03-25-2022 07:00 AM
Hello,
I have a vpn ipsec in production, now I have to add a secondary remote peer.
It's my first time I have to configure a 2nd peer.
If I understood well I can't simply add a seocndary peer to the VPN but I have to configure a new psec but the difference is the static route related the remote network.
Example I should have:
Remote net: 10.1.0.0/24
Route 1 10.1.0.0/24 metric 10 Tunnel.1
Route 2 10.1.0.0/24 metric 20 Tunnel.2
If the primary peer stop responding how I can turn off the Route 1?
The tunnel.1 and .2 don't have an ip and the inside int of the PA it's not included in the local network
Can I add an ip to Tunnel.1 like 192.168.1.1 and nat it with the external IP of the PA and set the Path monitor of the "Route 1" like
Source:192.168.1.1
Destination: Primary Peer
So the Route 1 ping the Primary peer If the peer stop responding the PA remove from the routing table the Route 1 and the Secondary VPN start working because the Route 2 it's the only active.
03-25-2022 07:31 AM - edited 03-25-2022 07:36 AM
Hi @ChristianBolelli ,
Yes, you need to have separate VPN tunnel with secondary peer IP and you need to assign the IP to the tunnel interface. You just need to make sure that the IP that you are assigning to the tunnel interface should be from your local network which is part of tunnel encryption domain. Basically that source IP should be reachable towards the destination servers over tunnel. If you are doing NAT for the existing tunnel traffic, then you need to do NAT for tunnel interface IP also. This traffic will travel till destination via tunnel.
Once you have this set, you can enable the path monitoring on the tunnel.1 route i.e. Route 1 10.1.0.0/24 metric 10 Tunnel.1 and take one of the ICMP responding server from peer side to add it under path monitoring. Once Primary tunnel fails, configured destination server will stop responding to ICMP and once path monitoring fails, Palo Alto will remove route towards tunnel.1 from FIB. And traffic will then start sending to the secondary tunnel i.e. tunnel.2
Here, I have considered that you are trying to configure two tunnels (Primary & Secondary) for same encryption domain from your Palo Alto.
Hope it helps!
03-25-2022 07:42 AM
Hello,
so the Path monitor MUST pass through the tunnel? In my example the Tunnel.1 ip shoud be natted with the PA outside interface and reach the public ip of the remote peer. The idea is to monitor the public ip and not and internal resources.
03-25-2022 08:19 AM - edited 03-25-2022 08:26 AM
Hi @ChristianBolelli Will your peer allow ICMP traffic on their public IP ?
Also in addition to this - If they allows and you configure but it won't help you in some scenarios like given below -
Your tunnel having issues like Phase-1 and/or Phase-2 is down. In this case, peer end public IP may respond to ICMP but tunnel resources may become unreachable.
04-06-2022 01:41 AM
Hello,
Yes they allow icmp traffic
I have now a lab. I've set an ip on the Tunnel.1 and a Path monitor as below:
Tunnel.1 192.168.1.1/32
Static route
Route1
10.10.10.0/24 interface Tunnel.1
Path monitor
Src: 192.168.1.1/32
Dst: Remote Peer ip
On Security rule
Src:192.168.1.1/32
dst: Remote-PeerIP
Application: Ping/icmp
Nat
original source: 192.168.1.1/32
Original dst:Remote-PeerIP
Translated src: Dynamic ip and port. with the Palo alto Public IP
Translated dst: original
From CLI
ping source 192.168.1.1 host Remote-PeerIP
Answers as expected and we capture the traffic on test remote ASA and we see the icmp packets coming from Palo Alto public ip.
But on Path monitor tab still in "down" state.
04-07-2022 01:29 AM
Hello,
I'm trying to understand if it's possible to monitor the Remote Peer IP(Customer request) instead of a resource inside the tunnel IPSEC.
So the ip assign to Tunnel.1 it not included in the ProxyID because I want to ping the Peer- ip
Via CLI the ping works:
PA>ping source "Tunnel.1-IP" host "Remote-Peer-IP"
But with the same data on path monitor it fails.
04-07-2022 01:44 AM
To make short a long story, I want to know if I can define a Secondary VPN that switches when the Remote Peer IP go down because the Customer want to avoid to monitor a resource inside the VPN.
(Like on the ASA where we can simply set the secondary peer and it works without any other conf)
04-07-2022 09:41 AM
Hello,
If you have say OSPF setup on both VPN endpoints, it should see the down link and route around it.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
