Solved: Re: Route-based VPN failover issue

AaronCP · ‎2022-08-21

Good evening,

I have set up a route-based VPN between our on-prem cluster to Azure Network Gateway. We experience a disruption to the VPN tunnel when failing over between the cluster members. As soon as the tunnel is reset by the remote peer, the tunnel is immediately re-established. The VTI is configured identically on both gateways, as is the routing. I can see in the gateway object under Network Management that the VTI is configured with a VIP, with the correct addresses for both cluster members. When running vpn tu tlist on both members, I can see the SAs are synched.

Is there any additional configuration required for full redundancy on VTIs/route based VPNs?

R80.40 T161

Thanks,

Aaron.

the_rock · ‎2022-08-21

I cant recall exact setting now in web UI, but make sure in VTI settings that peer name (I believe is option when configuring VTI) is EXACTLY the same as what you gave it for interoperable object for both members, because if not, it will never work properly when there is a failover.

Also, static route to Azure side would use default gateway that is IP on Azure side net thats not in use. So say if your master has vti ip 169.254.10.55 and other one is 169.254.10.56, then vip can be say .57 and default gateway to reach azure can be say .60, as long as its not used anywhere on Azure side.

Message me offline if you need help, I can check this for customer we did it between on prem and cloud for few tunnels and works fine with failover and also its all route based with VTIs. Also, MAKE SURE that default gateway I was referring to is the SAME ip address as what you have when you edit topology for VTI and then under remote address field under vpn tunnel tab (2nd from the top on the left).

Andy

View solution in original post

the_rock · ‎2022-08-21

I cant recall exact setting now in web UI, but make sure in VTI settings that peer name (I believe is option when configuring VTI) is EXACTLY the same as what you gave it for interoperable object for both members, because if not, it will never work properly when there is a failover.

Also, static route to Azure side would use default gateway that is IP on Azure side net thats not in use. So say if your master has vti ip 169.254.10.55 and other one is 169.254.10.56, then vip can be say .57 and default gateway to reach azure can be say .60, as long as its not used anywhere on Azure side.

Message me offline if you need help, I can check this for customer we did it between on prem and cloud for few tunnels and works fine with failover and also its all route based with VTIs. Also, MAKE SURE that default gateway I was referring to is the SAME ip address as what you have when you edit topology for VTI and then under remote address field under vpn tunnel tab (2nd from the top on the left).

Andy

AaronCP · ‎2022-08-21

Hey @the_rock, I'll send you a PM.

the_rock · ‎2022-08-22

Thanks, responded : - )

Chris_Atkinson · ‎2022-08-21

If using dynamic routing (BGP) is graceful restart configured?

CCSM R77/R80/ELITE

AaronCP · ‎2022-08-21

Hey @Chris_Atkinson. We're not using any dynamic routing, just two static routes.

the_rock · ‎2022-08-22

@AaronCP and myself did remote session and we are pretty sure that reason why this fails is due to routing. We went through the settings on VTI in web UI and saw that remote peer seemed to be wrong, which is what was used for static router as well as default gateway. Once thats fixed, please let us know if that works 🙂

Cheers,

Andy

AaronCP · ‎2022-08-23

Hey @the_rock,

Changing the remote peer as you suggested has resolved the issue! When we failover to the standby member, the VPN tunnel stays up!

Thank you for your help with this! 😊

the_rock · ‎2022-08-23

Next time, I have a fee, 100 euros, I take British pounds as well ; - ). Just kidding, it was my pleasure to help you!!

Cheers mate.

Andy

Are you a member of CheckMates?

Route-based VPN failover issue