BGP configuration on active/passive setup on service connection



Hi,

Need your suggestions on setting up a BGP connection between an active and passive setup on a service connection.

Here is the example:

One service connection with an active/passive tunnel between Prisma Access and the data center.

Diagram is attached.

BGP peer IP 10.1.1.1/31 on the service connection, peering with the data center on two different subnets: 10.1.1.3/31 on tunnel.1 and 10.1.1.5/31 on tunnel.2 for the primary and secondary connections.

Here is my question:

Is this setup valid or not? If it is valid, how is it implemented on the Prisma Access side?

Or do we need two different subnets on the service connection end for the BGP peer?

Like a primary BGP connection from service tunnel.1, from 10.1.1.1/31 to 10.1.1.3/31, and a secondary BGP connection from service tunnel.2, from 10.1.1.5/31 to 10.1.1.7/31.

1 REPLY 1

Hello @SivaSelvaraj, I can see you are looking to set up a dual site-to-site VPN connection between Prisma Access and the data center using a single service connection. Yes, this is possible using the secondary WAN feature under the service connection setup while onboarding it, to achieve an active and passive tunnel setup. You need to be sure to create a unique IPSec tunnel for each remote end; Prisma Access does not support reusing the same IPSec tunnel for secondary WANs when you have multiple termination points on the other side (data center).

So, looking at your attached topology and your configuration so far, you need to set up two different subnets on the Prisma Access side: the primary BGP connection from service tunnel.1, from 10.1.1.1/31 (Prisma side) to 10.1.1.3/31 (DC side), and the secondary BGP connection from service tunnel.2, from 10.1.1.5/31 (Prisma side) to 10.1.1.7/31 (DC side). You need to enable the secondary WAN feature while onboarding your service connection, then specify the secondary tunnel. In the BGP configuration settings, under the primary WAN, configure your peer AS as specified in your diagram (65534) and your peer address (10.1.1.3/31), and under the secondary WAN, specify the peer address as 10.1.1.7/31 with the same peer AS.

Reference Link: https://docs.paloaltonetworks.com/prisma/prisma-access/3-1/prisma-access-panorama-admin/prepare-the-....

I hope that answers your question.
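To make the difference between the two addressing plans in this thread concrete, here is an added example (not Palo Alto Networks code and not part of the original thread) that models a service connection's primary and secondary WAN peerings and checks them for the conflicts the reply describes: a reused IPSec tunnel, a local /31 shared by both tunnels, and overlapping or colliding peer addresses. The `WanPeering` data model and the check names are assumptions made for illustration; the two plans below are constructed from the addresses discussed above (the single-subnet idea from the question and the two-subnet design from the reply).

```python
"""Consistency checks for a Prisma Access service connection with a
primary and a secondary WAN (active/passive tunnels) peering over BGP.

Added example, not vendor code: the data model and check names are
assumptions for illustration; sample plans are constructed from the
addresses discussed in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class WanPeering:
    """One WAN of the service connection: its tunnel, local IP/prefix and BGP peer."""
    name: str             # "primary" or "secondary"
    tunnel: str           # IPSec tunnel interface; must be unique per WAN
    local: IPv4Interface  # Prisma Access side address, e.g. 10.1.1.1/31
    peer: IPv4Address     # data-center BGP peer address
    peer_as: int          # data-center AS number


def validate_plan(wans: list[WanPeering]) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: list[str] = []

    # 1. Each WAN needs its own IPSec tunnel: one tunnel cannot be reused
    #    for two termination points on the data-center side.
    tunnels = [w.tunnel for w in wans]
    if len(set(tunnels)) != len(tunnels):
        problems.append("each WAN must use a unique IPSec tunnel")

    # 2. Each WAN needs its own point-to-point subnet on the Prisma side.
    nets = [w.local.network for w in wans]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"local subnets {a} and {b} overlap")

    # 3. Peer addresses must be distinct, must not equal a local address,
    #    and must not fall inside the other WAN's subnet; otherwise the
    #    two BGP sessions and their routes become ambiguous.
    local_ips = {w.local.ip for w in wans}
    peers = [w.peer for w in wans]
    if len(set(peers)) != len(peers):
        problems.append("peer addresses must be distinct per WAN")
    for w in wans:
        if w.peer in local_ips:
            problems.append(f"{w.name}: peer {w.peer} collides with a local address")
        for other in wans:
            if other is not w and w.peer in other.local.network:
                problems.append(
                    f"{w.name}: peer {w.peer} lies in {other.name}'s subnet "
                    f"{other.local.network}"
                )

    # 4. Both WANs peer with the same data-center AS.
    if len({w.peer_as for w in wans}) != 1:
        problems.append("peer AS must be the same on both WANs")
    return problems


# Plan A (constructed from the question): one local /31 reused on both tunnels.
PLAN_SINGLE_SUBNET = [
    WanPeering("primary", "tunnel.1", IPv4Interface("10.1.1.1/31"), IPv4Address("10.1.1.3"), 65534),
    WanPeering("secondary", "tunnel.2", IPv4Interface("10.1.1.1/31"), IPv4Address("10.1.1.5"), 65534),
]

# Plan B (constructed from the reply): a separate /31 and tunnel per WAN.
PLAN_TWO_SUBNETS = [
    WanPeering("primary", "tunnel.1", IPv4Interface("10.1.1.1/31"), IPv4Address("10.1.1.3"), 65534),
    WanPeering("secondary", "tunnel.2", IPv4Interface("10.1.1.5/31"), IPv4Address("10.1.1.7"), 65534),
]


if __name__ == "__main__":
    for label, plan in (("single subnet", PLAN_SINGLE_SUBNET), ("two subnets", PLAN_TWO_SUBNETS)):
        issues = validate_plan(plan)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Run stand-alone, the script reports the shared 10.1.1.0/31 on the single-subnet plan and passes the two-subnet plan. The checks deliberately mirror the reply's wording (unique tunnel per remote end, separate subnets per WAN, same peer AS) rather than any vendor-side validation, so they are a pre-deployment sanity check for the plan, not a substitute for the onboarding workflow itself.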
