In this post, I wanted to add a second ipsec tunnel between sites 1 and 2…and use tunnel monitoring to route via the secondary tunnel should the primary go down.
Tunnel-1 (primary) will utilize ISP1 between both sites. Tunnel 2, the secondary, will use ISP2
The basic tunnel build can be found in this post
Site to Site IPsec tunnel (Palo to Palo) via single ISP with Static Routing
And here’s some reference from Palo Alto HERE
Another nice reference is vpn \ tunnel CLI commands that can come in handy
Ok, so here is the topology – I’ve added ip address to the tunnels as well as shown in the screen shot…as they are necessary for monitoring.
Another thing to note, you want to add your tunnel interfaces to an interface management profile (tunnel-mgmt here), and allow ping, so they can be monitored. Also, both tunnel interfaces on each firewall are added to the tunnel-site x zone – which is part of a security rule allowing traffic to and from the tunnels - see below.
Here’s your IKE gateway config on site 1 firewall
And the ipsec tunnels
Next, you want to create your static routes in the default vr at each firewall, giving tunnel.1, the primary, a better metric so that’s preferred.
Next, you want to create a Monitor Profile – w the failover action - Network-Network Profiles-Monitor
And, the last thing is enable the tunnel monitor itself on the tunnels. I only enabled this on the Site 1 firewall, which should suffice with monitoring the ip address of the tunnel interfaces on the Site 2 end.
I will go ahead and kill the link on ISP 1 for site 1, and we should begin to route over the secondary tunnel.
The routing table on site 1 firewall now shows tunnel.2 as the path to site 2 – that’s great ! BUT, site 2 is still sending traffic via it’s primary tunnel, which is now down since site 1’s ISP 1 peer interface is not reachable, so we will indeed need to monitor on that end as well!
Ok, Now monitoring was added to the site 2 firewall tunnels , and the ISP 1 link at site 1 was taken down again.
You can now see, at site 2, both tunnels go down, and about a minute later, tunnel 2 is up
And you can see on site 2’s vr – tunnel 2 is now forwarding traffic to site 1 !
This is quite a cool little feature and provides resiliency and redundancy capabilities out of the box. There are other ways to accomplish this as well, and I’ll explore those in future posts Thanks for reading !..until next time.
No comments:
Post a Comment