RV340 with FAILOVER vpn tunnel does not work

aezio80
Level 1

Hi,

I have an RV340 firewall and I configure it with only WAN1.

I have to connect it to another third-party firewall by using IPsec s2s.

The destination firewall has two WANs and I have configured the s2s with keepalive, DPD and tunnel backup with the WAN2 of the destination firewall and using my WAN1.

Normally the s2s works fine, but when I test the tunnel backup by disconnecting WAN1 of the destination firewall the s2s doesn't work. If I configure the s2s directly with the IP of WAN2 of the destination firewall, it works fine.

Can you help me? Thanks

5 Replies

nagrajk1969
Spotlight

Hi

1. The config that you applied on the RV340 is correct and there is nothing more to configure.

- But just in case, it would be helpful for analysis if you could post the exact S2S tunnel config (screenshots of the basic-settings and advanced-settings pages) on the RV340.

2. I believe that the remote 3rd-party firewall (and IPsec peer?) is not configured properly/correctly to accept the s2s tunnel establishment on its wan2 interface from the RV340 after the wan1 interface of the 3rd-party-firewall-ipsec-peer is disconnected.

3. Have you done a capture on the wan2 side of the firewall-peergw? You will see that once the wan1 interface on the firewall-peer is down, the RV340 would have sent the IKE/IPsec tunnel establishment traffic to the wan2 IP address of the firewall-peer, but the firewall-peer is not responding to the backup tunnel negotiation received on wan2. Why?

4. What is this 3rd-party-firewall-IPsec-peer? Can you post the configs/screenshots of the vpn-tunnels configured on the firewall-peer?

Hi, thank you for your answer!

1. Here you find the screenshots of the RV340's s2s:

[four screenshots of the RV340 s2s configuration]

1. The remote 3rd-party firewall is configured fine because if I replace the RV340 with a Cisco RV042 all works fine.
2. I don't see anything on the destination firewall... it seems that the packet doesn't start from the RV340...
3. The destination firewall is a Palo Alto PA-220. But I have the same problem if I try to make an s2s from the RV340 to an RV042. In this case, to make the test I change manually the s2s configuration of the RV042, replacing wan1 with wan2.

Excuse me, I made a mistake on the drag and drop of the screenshots; here are the images.

nagrajk1969
Spotlight

Hi

This is my opinion as per my experience and earlier observations of similar issues with IPsec tunnels in general.

1. I believe that the issues with the s2s tunnel between the RV340 and the PaloAlto-Firewall-IPsecPeergw [with tunnel(s) on 2 wan-interfaces?] are happening because you are using IP-address (the default ID used in IKE tunnel negotiations), and there is an ID-mismatch happening when the backup IKE-tunnel establishment is being negotiated with the wan2-ipaddress of the PeerGw.

a) Understanding of IDs (ipaddr/fqdn/user-fqdn) in IKE tunnel negotiations (both IKEv1 and IKEv2) will require a separate discussion.

2. So I would humbly suggest that

a) you should re-configure and apply the steps/settings on the RV340 as in the attached document "S2S_Tunnel_Config_OnRV340"

b) AND VERY IMPORTANT THAT YOU CONFIGURE ACCORDINGLY THE BELOW SETTINGS ON THE REMOTE-PEERGW-PA-FW

-------------------------
On PaloAlto-IPsec-Peer
-------------------------

1. There are 2 wan interfaces active - wan1 and wan2

2. Irrespective of whether there is 1 s2s tunnel (listening on both wan1/wan2 as a "Passive" ipsec-peer) OR 2 separate s2s tunnels configured on wan1 and wan2 respectively (again as "Passive" ipsec peer)

Passive: because the palo-alto-gateway does not know from which ipaddress the RV340-gw will connect/establish the ipsec tunnel. So in this case the ipsec tunnel will always be initiated by the RV340 (or any other peergw for that matter).

a) The below are the settings that have to be configured on the PaloAlto-Peergw - on 1 s2s tunnel or on 2 s2s tunnels

b) Note: The terminology/names may obviously be different on the PaloAlto-Fw-Peer, BUT the IPsec-tunnel settings/principle will be standard and common on all IPsec-gateways. It will be as per RFC standards only. So please apply the below settings accordingly to the remote peer.

---------------------------------------------------------------------------
Local ID Type: Local-FQDN (or just maybe named FQDN...select FQDN-type)
Local Identifier: maingw.testnet.local

Local IP Type: Subnet
IP Address: 192.168.137.0
Subnet Mask: 255.255.255.0


Remote ID Type: Remote-FQDN (or just maybe named FQDN...select FQDN-type)
Remote Identifier: site1gw.testnet.local

Remote IP Type: Subnet
IP Address: 192.168.138.0
Subnet Mask: 255.255.255.0
-------------------------------------------------------------------------
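To show why an IP-address ID breaks on WAN failover while the FQDN IDs in the settings above survive it, here is an added Python model of the IKE ID check (example code, not from the thread, Cisco or Palo Alto). It assumes a gateway keeps one configured remote ID for both peer addresses, and uses constructed documentation-range addresses.

```python
from dataclasses import dataclass, field

@dataclass
class Gateway:
    name: str
    wans: list                # WAN addresses, primary first (constructed)
    id_type: str              # "ip" (the usual default) or "fqdn"
    fqdn: str = ""
    peer_id_type: str = "ip"  # ID type this box expects from its peer
    peer_id: str = ""         # ID value this box expects from its peer
    down: set = field(default_factory=set)

    def local_id(self, addr):
        # IP-type IDs follow the address the IKE packet uses; FQDN IDs do not
        return addr if self.id_type == "ip" else self.fqdn

    def accepts(self, id_type, value):
        return (id_type, value) == (self.peer_id_type, self.peer_id)

def negotiate(init, init_addr, resp, resp_addr):
    """One IKE exchange: the responder checks IDi, the initiator checks IDr."""
    if resp_addr in resp.down:
        return "no response (interface down)"
    idi = (init.id_type, init.local_id(init_addr))
    if not resp.accepts(*idi):
        return f"{resp.name} rejects IDi {idi[1]}"
    idr = (resp.id_type, resp.local_id(resp_addr))
    if not init.accepts(*idr):
        return f"{init.name} rejects IDr {idr[1]}"
    return "established"

def failover(init, resp):
    """Try the peer's primary, then its backup address (RV340 tunnel backup)."""
    for addr in resp.wans:
        outcome = negotiate(init, init.wans[0], resp, addr)
        if outcome != "no response (interface down)":
            return addr, outcome
    return None, "no peer address answered"

def scenario(use_fqdn, wan1_down):
    """Build the two gateways from the thread and run one failover attempt."""
    t = "fqdn" if use_fqdn else "ip"
    pa = Gateway("PA-220", ["192.0.2.1", "192.0.2.2"], t, "maingw.testnet.local")
    rv = Gateway("RV340", ["198.51.100.1"], t, "site1gw.testnet.local")
    # Assumption: one configured remote ID per tunnel, used for both peer addresses
    pa.peer_id_type, pa.peer_id = t, rv.fqdn if use_fqdn else rv.wans[0]
    rv.peer_id_type, rv.peer_id = t, pa.fqdn if use_fqdn else pa.wans[0]
    if wan1_down:
        pa.down.add(pa.wans[0])
    return failover(rv, pa)
```

With IP IDs the backup attempt reaches wan2 but the RV340 rejects the IDr it gets back; with FQDN IDs the same attempt establishes.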