This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

AWS IPSec tunnel active/active HA with BGP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

AWS IPSec tunnel active/active HA with BGP

jdemares
L1 Bithead

‎11-21-2022 02:05 PM

Looking for some help here.  I have an ongoing case with support concerning AWS tunnel issues.  My production FWs are active/active but not in sync.  Just always been that way, it's the way I inherited it.  I have 4 tunnels to AWS (2 on each FW) BGP all works fine but if I reboot one FW when it comes back it blows up all the tunnels.  So support says I need to have the FWs in sync and then build them with a floating IP on each side and that will fix all my issues.  So in my lab I have the same setup, got the FWs in sync but the documentation to build this is pretty much nonexistent.  Support gave me a doc from 2011 which has about a page on the topic and doesn't mention dynamic routing at all.  

So my first question is anyone doing this?  

From there my questions are a bit more all over the place.  First the document says a tunnel interface on each device needs to be defined with a unique IP.  Do you add the /30 network AWS gives you for each side and then create a floating IP for the BGP peer in your VR?  I have tried to build this a few different ways and can't get it to work.  The best I have had was 2 of the 4 tunnels up and none of the BGP to come up.  Meanwhile the tunnels I build the other way are all still up so with BGP peers working (just don't reboot).  

With them in sync it is strange what gets synced and what doesn't and then what will break the sync and need to be forced or fixed to get them back in sync.  Do you build all this from one side and just change the priority of the floating IP to the other device if you want some of the tunnels to live on the other FW?  Do you replicated everything to the other FW if it doesn't get synched?  Sorry like I said I am all over the place at the end of a frustrating day.

Thanks for any help.

0 Likes Likes
0 REPLIES 0
  • 1368 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks