Hey guys,
Wanted to update with something else my colleague and I discovered. So, I will give an example we used, and this is with numbered VTIs, since we did not want to spend too much time troubleshooting why unnumbered did not work, plus we are not even sure it's supported 🙂
Example for redundant tunnels (you need the advanced license to do this, since the basic one only allows single tunnels for 1 POP, not 2 or more). Btw, since SD-WAN is not supported with this yet, load balancing the traffic among the multiple ISP links is not really an option, but from what we tested, all else seems to work fine.
loopback interface:
router ID 169.254.241.1
local as 65000
remote as 65001
peer 1 -> 169.254.100.254
peer 2 -> 169.254.200.254
fw1:
vti 1 -> 169.254.100.2
vti 2 -> 169.254.200.2
vip 169.254.100.1 and 169.254.200.1
fw2:
vti 1 -> 169.254.100.3
vti 2 -> 169.254.200.3
vip 169.254.100.1 and 200.1 (same as fw1)
overlay ID:
same settings, except, in sase portal, you would use for tunnel 1 sase IP as 169.254.100.254 and local ip as 169.254.100.1 (200.254 and 200.1 for tunnel 2)
If using loopback interface method, then you would use say 169.254.241.1 and say .254 for sase for tunnel 1 and then say 240.1 and 240.354 for tunnel 2 (like what I had in the document)
Now, here is the catch. If using the OVERLAY ID method, tunnels will show as PERMANENT from SASE, but not from Check Point, which is not a big deal, as BGP is exchanged and it's constantly checking the loopback IP anyway. Plus, they are set as permanent tunnels in the community, they just show as regular in SmartView Monitor. If you use the loopback interface method, they show as permanent.
Difference is, if using overlay ID, then tunnel is terminated on tunnel interface, rather than loopback one.
This is somewhat similar for Forti SASE (Fortinet solution) and Prisma (PAN SASE), and Aruba Axis is definitely a simpler setup, as it uses the connectors method. I assume it's the same for Cisco Connect, but since I have never seen it, I can't really say 🙂
If anything else comes to mind and we end up testing, will update.
Best,
Andy
Something important to consider...if you are doing BGP through the tunnel, here is the key. So router id can be say 169.254.241.1 (like our lab) and then you create 2 peers say with IP 169.254.240.254 and 169.254.241.254, as it would let you use it as such for redundant tunnels. I attached what I mean.
Andy
Also, overlay can be used instead of loopback, so say if the router ID is 169.254.241.1, peers can be say 169.254.100.254 and 200.254; that works fine. For some reason, though the tunnels are up, on the CP side they don't show as permanent, just regular, so we will look into it.
Andy
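The two posts above lay out an addressing plan for redundant numbered VTIs with a BGP peer per tunnel (one VTI per cluster member, a shared VIP per tunnel subnet, and either an overlay-ID peer on the VTI subnet or a loopback peer). The script below is an added example, not code from the thread or from Check Point: it models such a plan and checks it for the mistakes that are easy to make when typing addresses into both the gateway and the SASE portal (malformed octets, an address reused across tunnels, a member VTI or overlay peer outside its tunnel's subnet, only one tunnel, equal AS numbers). The `Tunnel`/`Plan` fields, the `/24` subnet assumption and the sample plan built from the post's values are all this example's own assumptions.

```python
# Added example (not from the original post): sanity-check a redundant
# VTI + BGP addressing plan of the kind described above before applying it.
# Field names, the /24 assumption and the sample values are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Tunnel:
    name: str
    member_vtis: Dict[str, str]  # cluster member -> numbered VTI address
    vip: str                     # cluster VIP on this tunnel's subnet (same on both members)
    bgp_peer: str                # SASE-side BGP peer used through this tunnel
    prefixlen: int = 24          # assumed size of each tunnel's subnet


@dataclass
class Plan:
    method: str                  # "overlay" (peer lives on the VTI subnet) or "loopback"
    router_id: str
    local_as: int
    remote_as: int
    tunnels: List[Tunnel] = field(default_factory=list)


def _ipv4(raw: str):
    """Return an IPv4Address, or None for malformed input such as an octet above 255."""
    try:
        return ipaddress.IPv4Address(raw)
    except ValueError:
        return None


def validate_plan(plan: Plan) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    if plan.method not in ("overlay", "loopback"):
        problems.append(f"unknown method {plan.method!r}")
    if len(plan.tunnels) < 2:
        problems.append("fewer than two tunnels: no tunnel redundancy")
    if plan.local_as == plan.remote_as:
        problems.append("local and remote AS are equal; eBGP to the SASE side expects them to differ")
    if _ipv4(plan.router_id) is None:
        problems.append(f"router-id {plan.router_id!r} is not a valid IPv4 address")

    used: Dict[ipaddress.IPv4Address, str] = {}      # address -> where it was first used
    subnets: Dict[ipaddress.IPv4Network, str] = {}   # tunnel subnet -> tunnel name

    for t in plan.tunnels:
        labelled = [(f"{t.name} vip", t.vip), (f"{t.name} bgp peer", t.bgp_peer)]
        labelled += [(f"{t.name} vti on {m}", a) for m, a in t.member_vtis.items()]
        parsed: Dict[str, ipaddress.IPv4Address] = {}
        for label, raw in labelled:
            addr = _ipv4(raw)
            if addr is None:
                problems.append(f"{label}: {raw!r} is not a valid IPv4 address")
                continue
            if addr in used:
                problems.append(f"{label}: {raw} already used as {used[addr]}")
            used.setdefault(addr, label)
            parsed[label] = addr

        if len(t.member_vtis) < 2:
            problems.append(f"{t.name}: only {len(t.member_vtis)} cluster member(s) have a VTI")

        vip = parsed.get(f"{t.name} vip")
        if vip is None:
            continue  # without a usable VIP the subnet checks cannot run
        net = ipaddress.IPv4Network(f"{vip}/{t.prefixlen}", strict=False)
        if net in subnets:
            problems.append(f"{t.name}: subnet {net} is already used by {subnets[net]}")
        subnets.setdefault(net, t.name)

        for m in t.member_vtis:
            addr = parsed.get(f"{t.name} vti on {m}")
            if addr is not None and addr not in net:
                problems.append(f"{t.name}: VTI {addr} on {m} is outside {net}")

        peer = parsed.get(f"{t.name} bgp peer")
        if plan.method == "overlay" and peer is not None and peer not in net:
            problems.append(f"{t.name}: overlay method expects peer {peer} inside {net}")
    return problems


def lab_plan_from_post() -> Plan:
    """Constructed sample: the overlay-ID addressing from the post above."""
    return Plan(
        method="overlay", router_id="169.254.241.1", local_as=65000, remote_as=65001,
        tunnels=[
            Tunnel("tunnel1", {"fw1": "169.254.100.2", "fw2": "169.254.100.3"},
                   vip="169.254.100.1", bgp_peer="169.254.100.254"),
            Tunnel("tunnel2", {"fw1": "169.254.200.2", "fw2": "169.254.200.3"},
                   vip="169.254.200.1", bgp_peer="169.254.200.254"),
        ],
    )


if __name__ == "__main__":
    for line in validate_plan(lab_plan_from_post()) or ["plan OK"]:
        print(line)
```

Run it as-is and the constructed plan validates cleanly; change one peer to a typo such as an octet of 354, or point both tunnels' peers at the same address, and the corresponding check reports it. The subnet checks are what catch a VTI or VIP copied into the wrong tunnel, which is the kind of error that otherwise surfaces only as a tunnel that is up while BGP never establishes.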
Another quick update...failover works well, we also tested "downing" both ISPs (one at a time of course : - ) and that went fine as well. P81 agent was able to access all it was supposed to.
Andy