We have around 6 different IPSEC tunnels configured on the PAN with AWS. However, we are trying to troubleshoot an issue which we think could be related to asymmetric routing. For example, if traffic is sent via one tunnel and AWS sends the return traffic via the 2nd tunnel, the PAN will drop it.
So we have temporarily disabled one of the active tunnels. We have tried enabling ECMP on the Palo Alto, but we don't think this is working either.
We have configured the tunnels in different security zones, so we are not sure if this is the correct way?
Does anybody have any experience with setting up 2 redundant tunnels with AWS that works? The suggested option is enabling BGP, which we don't have experience with.
In order for ECMP to work it must be configured on both ends, and at this stage it is not supported on the AWS VGW unless something has changed.
In GitHub for our transit VPC architecture we do have a manual deployment guide. That manual deployment guide will walk you through:
1. How to configure a VPN tunnel from the PAN to AWS
2. How to configure BGP for the transit VPC architecture
The use case may not be completely the same, but it should be close enough to get you going. Here are the links:
Here is a link on how to propagate the default route after you have configured BGP
Hope this helps.
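To make the reasoning behind this answer concrete, here is an added toy model (constructed for this thread, not PAN-OS code, not an AWS configuration, and not part of the deployment guide linked above). It models two IPsec tunnels between an on-prem firewall and an AWS VGW. With equal-cost routes on both ends, each router falls back to its own tie-break (here the oldest route, as in RFC 4271), so the two sides can pick different tunnels and the stateful firewall, with each tunnel in its own zone, drops the return packets. With BGP and AS-path prepending on the secondary tunnel, both sides prefer the same tunnel and fail over together. The ASNs, prefixes, tunnel names and the "which tunnel came up first" ordering are all constructed assumptions.

```python
"""
Constructed model of two IPsec tunnels (tunnel.1, tunnel.2) between an on-prem
stateful firewall and an AWS VGW, comparing equal-cost routing with BGP plus
AS-path prepending on the secondary tunnel. Not PAN-OS or AWS code.
"""

ONPREM_AS = 65000   # constructed private ASN for the on-prem firewall
AWS_AS = 64512      # constructed ASN for the AWS virtual private gateway
PREPEND = 3         # extra copies of the local AS added on the secondary tunnel
TUNNELS = ("tunnel.1", "tunnel.2")


def advertise(local_as, tunnel, prefix, prepend_secondary):
    """Build the BGP UPDATE one side sends over a tunnel. The AS path starts with
    the local AS; on tunnel.2 extra copies are prepended when prepend_secondary is set,
    which makes that path longer and therefore less preferred by the neighbour."""
    extra = PREPEND if (prepend_secondary and tunnel == "tunnel.2") else 0
    return {"prefix": prefix, "tunnel": tunnel, "as_path": [local_as] * (1 + extra)}


def build_rib(updates, tunnel_state, learned_order):
    """Keep only routes received over tunnels that are up, tagging each route with the
    order this router learned it (constructed: models which tunnel came up first)."""
    return [dict(u, learned_order=learned_order[u["tunnel"]])
            for u in updates if tunnel_state[u["tunnel"]]]


def best_path(rib):
    """Simplified BGP decision process: shortest AS path wins; if still tied, the
    oldest route (lowest learned_order) wins, as in RFC 4271 section 9.1.2.2."""
    if not rib:
        return None
    return min(rib, key=lambda r: (len(r["as_path"]), r["learned_order"]))


def firewall_accepts_return(egress_tunnel, return_tunnel):
    """Each tunnel sits in its own security zone, so a session created on one tunnel
    only matches return packets arriving on that same tunnel."""
    return egress_tunnel == return_tunnel


def simulate(tunnel_state, prepend_secondary):
    """Run one scenario: which tunnel each side chooses, and whether the firewall's
    stateful check accepts the return traffic."""
    onprem_prefix, aws_prefix = "10.10.0.0/16", "10.20.0.0/16"   # constructed
    aws_sends = [advertise(AWS_AS, t, aws_prefix, prepend_secondary) for t in TUNNELS]
    onprem_sends = [advertise(ONPREM_AS, t, onprem_prefix, prepend_secondary) for t in TUNNELS]
    # Constructed: on-prem learned tunnel.1 first, AWS learned tunnel.2 first, so with
    # equal attributes the two sides break the tie differently.
    onprem_order = {"tunnel.1": 1, "tunnel.2": 2}
    aws_order = {"tunnel.1": 2, "tunnel.2": 1}
    onprem_best = best_path(build_rib(aws_sends, tunnel_state, onprem_order))
    aws_best = best_path(build_rib(onprem_sends, tunnel_state, aws_order))
    if onprem_best is None or aws_best is None:
        return {"forward": None, "return": None, "session_ok": False}
    return {
        "forward": onprem_best["tunnel"],
        "return": aws_best["tunnel"],
        "session_ok": firewall_accepts_return(onprem_best["tunnel"], aws_best["tunnel"]),
    }


if __name__ == "__main__":
    both_up = {"tunnel.1": True, "tunnel.2": True}
    primary_down = {"tunnel.1": False, "tunnel.2": True}
    for state, prepend in ((both_up, False), (both_up, True), (primary_down, True)):
        up = [t for t, ok in state.items() if ok]
        print(f"prepend={prepend} up={up} -> {simulate(state, prepend)}")
```

The first scenario reproduces the drop described in the question: forward traffic leaves on tunnel.1, AWS returns it on tunnel.2, and the session check fails. The second shows that prepending on the secondary tunnel pins both directions to tunnel.1; the third shows both sides moving to tunnel.2 when tunnel.1 goes down, with no asymmetry.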
Thanks JPerry, for taking the time to suggest the 2 options. I am fairly new to the AWS world, so excuse me if I use the wrong terminology. So from what I imagine, the transit VPC is using VM-Series Palo Alto FWs in the AWS environment to connect to the on-prem Palo Altos. So this will need to be an investment from our end to purchase the licences for this series. Is that correct?
Transit VPC is using two firewalls in a "Transit VPC Hub" to terminate VPN connections back to one or many VPC Spokes using the AWS VGW. If you choose to connect your Transit VPC Hub back to an On-Prem location you can use any IPSec device you have on premises to accomplish this.