AWS IPSEC VPN ISSUES with redundant tunnels

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AWS IPSEC VPN ISSUES with redundant tunnels

L2 Linker

Hi

 

We have around 6 different IPSEC tunnels configured on the PAN with AWS. However we are trying to troubleshoot an issue, which we think could be related to as asymmetric routing. For e.g if traffic is send from one tunnel, and AWS sends it via the 2nd tunnel, the PAN will be dropping these.

 

So we have temporary disabled one of the active tunnels - we have tried enabled ECMP on the palo alto, don't think this is working either. 

We have configured the tunnel on different security zones, so not sure if this is correct way?

 

Anybody have any experience with setting up 2 redundant tunnels with AWS, that works. The suggested options are enabling BGP - which we don't have experience with.

 

Kind Regards

Anu

1 accepted solution

Accepted Solutions

The issue was we were trying to seperate the 2 vpn tunnels in 2 seperate zone - which can make the pan think - packets are spoofed. Moving them to the same zone, did the trick

Thanks for the help.

View solution in original post

4 REPLIES 4

L5 Sessionator

in order for ECMP to work it must be configured on both ends and at this stage it is not supported in the AWS VGW unless something has changed. 

 

in Github for our transit VPC architecture we do have a manual deployment guide. In that manual deployment guide it will walk you through 

1. How configured VPN tunnel from PAN with AWS

2. How to configure BGP for the transit VPC architecture

 

The use case may not be completely the same but it should be close enough to get you going. Here are the links

 

https://github.com/PaloAltoNetworks/aws-transit-vpc/blob/master/documentation/Transit_VPC_Manual_Bui...

 

Here is a link on how to propagate the default route after you have configured BGP

https://github.com/PaloAltoNetworks/aws-transit-vpc/blob/master/documentation/Default_Route_to_Subsc...

 

Hope this helps. 

 

 

Thanks JPerry, for taking the time to suggest the 2 options. Am fairly new to the aws world, so excuss me if i use the wrong terminology. So from what I imaging, the transit vpc is using a VM series palo alto FW's in the AWS enviroment to connect to the on prem Palo alto's. So this will need to be an investment from our end to purchase the licences for this series. Is that correct.

 

Kind regards

 

Transit VPC is using two firewalls in a "Transit VPC Hub" to terminate VPN connections back to one or many VPC Spokes using the AWS VGW.  If you choose to connect your Transit VPC Hub back to an On-Prem location you can use any IPSec device you have on premises to accomplish this. 

 

 

TransitVPC.PNG

The issue was we were trying to seperate the 2 vpn tunnels in 2 seperate zone - which can make the pan think - packets are spoofed. Moving them to the same zone, did the trick

Thanks for the help.

  • 1 accepted solution
  • 14336 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!