I noticed that in some of our SOHO sites, the tunnel interface for VPN to the data center has an IP address and in other cases it does not. Can someone explain the value of having an IP address on the tunnel interface versus not?
I'm working through an ARP cache issue that arises on a SOHO site which does not specify an IP address, but the site with the IP defined does not run into the same issue. It's long so I won't get into it here.
A further oddity is that on the PAN in the data center, its route to the SOHO has a destination of the tunnel interface (tunnel.1) but no next-hop IP address is defined, although the tunnel interface does have an IP address assigned to it. Then on the SOHO side, the route to the corporate network has the tunnel interface specified *and* a next-hop value of the IP address of that same tunnel.
So the only time you actually need an IP on the tunnel interface is if you've set up tunnel monitoring, or you are using a dynamic routing protocol to route the traffic. In the instance where you have a next-hop address of that tunnel IP specified, you should find you are using dynamic routing on that traffic. In a normal situation without dynamic routing you actually don't need to specify a next-hop address at all; the peer firewall will handle the routing.
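The two configurations BPry contrasts, laid out side by side in PAN-OS set-format CLI. This is an added illustration, not configuration from the original thread or from Palo Alto Networks; the virtual-router name "default", the tunnel name "dc-vpn", the zone "vpn" and the addresses (a 10.255.0.0/30 link, 10.0.0.0/8 for the corporate network, 192.168.10.0/24 for the SOHO LAN) are assumptions, and the `#` lines are annotations rather than CLI input.

```text
# --- SOHO firewall, variant A: no IP on the tunnel interface ---
set network interface tunnel units tunnel.1 comment "VPN to data center"
set network virtual-router default interface tunnel.1
set zone vpn network layer3 tunnel.1
# Static route to the corporate network by egress interface only, no next hop.
# Packets entering tunnel.1 are encapsulated toward the IKE peer; the peer
# firewall routes them after decryption, so no next-hop address is needed.
set network virtual-router default routing-table ip static-route to-corp destination 10.0.0.0/8 interface tunnel.1

# --- SOHO firewall, variant B: IP on the tunnel interface ---
# Needed only when tunnel monitoring or a dynamic routing protocol runs over
# the tunnel. Assumed /30 link: SOHO 10.255.0.1, data center 10.255.0.2.
set network interface tunnel units tunnel.1 ip 10.255.0.1/30
set network virtual-router default routing-table ip static-route to-corp destination 10.0.0.0/8 interface tunnel.1 nexthop ip-address 10.255.0.2
# Tunnel monitoring pings the peer's tunnel IP; the monitor profile's action
# (wait-recover or fail-over) then decides whether the tunnel is renegotiated
# or its route withdrawn when the SA is up but traffic cannot pass.
set network tunnel ipsec dc-vpn tunnel-monitor enable yes
set network tunnel ipsec dc-vpn tunnel-monitor destination-ip 10.255.0.2
set network tunnel ipsec dc-vpn tunnel-monitor tunnel-monitor-profile default

# --- Data-center firewall, peer side of variant B ---
# This matches what the OP observed: tunnel IP assigned, but the route back
# to the SOHO is by interface only, with no next hop.
set network interface tunnel units tunnel.1 ip 10.255.0.2/30
set network virtual-router default routing-table ip static-route to-soho destination 192.168.10.0/24 interface tunnel.1
```

The point of variant A is that the IPsec tunnel is a point-to-point path, so the route needs only an egress interface; the next-hop address in variant B only becomes meaningful once something on the firewall (tunnel monitoring, OSPF/BGP/PIM adjacency) has to address the peer's tunnel end directly.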
@BPry I have a requirement to enable dynamic routing (PIM and IGMP) on the production GlobalProtect VPN.
I do not have an IP assigned to the tunnel interface yet. Can the tunnel IP be any random one or does it have to be in the GP client IP pool?