This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

What is the role of an IP address on a tunnel interface?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

What is the role of an IP address on a tunnel interface?

Shuttermed
L2 Linker

‎03-29-2019 03:54 PM - edited ‎03-29-2019 04:07 PM

I noticed that in some of our SOHO sites, the tunnel interface for VPN to the data center has an IP address and in other cases it does not.  Can someone explain the value of having an IP address on the tunnel interface versus not? 

 

I'm working through an arp cache issue that arises on a SOHO site which does not specify an IP address but the site with the IP defined does not run into the same issue. It's long so I won't get into it here. 

 

A further oddity is that the PAN in the data center - it's route to the SOHO has a destination of the tunnel interface (tunnel.1) but no next hop IP address is defined, although the tunnel interface does have an IP address assigned to it. Then on the SOHO side, the route to the corporate network has the tunnel interface specified *and* a next hop value of the IP address of that same tunnel.

 

Insight appreciated.

1 person had this problem.
0 Likes Likes
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎03-29-2019 07:54 PM

@Shuttermed 

So the only time you actually need an IP on the tunnel interface is if you've setup tunnel monitoring, or you are using a dynamic routing protocol to route the traffic. In the instance where you have a next-hop address specified of that tunnel IP, you should find you are using dynamic routing on that traffic. In a normal situation without dynamic routing you actually don't need to specify a next-hop address at all, the peer firewall will handle the routing. 

 

SThatipelly
L4 Transporter
In response to BPry

‎10-06-2020 02:24 PM

@BPry   I have a requirement to enable dynamic routing(PIM and IGMP) on the production globalprotect VPN. 

I donot have an IP assigned to tunnel interface yet.  can the tunnel IP be any random one or does it have to be in the GP client IP pool?

0 Likes Likes
  • 5329 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks