- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-28-2020 12:29 AM
Hello
First time posting and looking for help on solution ............i have a PA fw in AWS and i am attempting to setup a VPN to AWS transit GW.
FW set up with ÖUTSIDE int using DHCP and and EIP attached ...
AWS TGW (VPN) -------------------------------------------------AWS(single FW with DHCP)
52.x.x.x -------------------------------------------------EIP-3.x.x.x attached to 10.0.2.10 (-----outside int (FW) inside int
18.x.x.x
AWS does not initiate session, so firewall must initiate. It works fine if i config a static IP address on Firewall outside interface but if
i leave it as DHCP it seems to work on and off ......I have been advised that i must leave the PA interface address as DHCP based on
design guidelines. So i have messed around with IPSEC settings in the hope of getting tunnels to come up by setting the Local and Remote peer addresses but not luck .......
Any ideas or advice please ..............................and is it true that i should not set fixed IP on interfaces of FW
Thanks in advance for advice and help ..
07-28-2020 10:39 AM
he tunnel build process is documented here.
https://www.paloaltonetworks.com/resources/reference-architectures/aws
In general, if it works intermittently, check your timers in your IKE and IPSec profiles. Also, ensure that only the VPN ethernet interface has the "Automatically create default route pointing to DG provided by server". If you have multiple interfaces, you may end up with 2 default routes in the VR that are competing with each other. If you have EIPs on multiple interfaces, then you give each its own virtual router with a 0.0.0.0/0 route pointing outbound.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQRCA0
08-05-2020 01:44 AM
Hello
Thanks for your response but sadly that was not the correct solution and i am still working on the case ....
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!