Why does the tunnel start bouncing when LSVPN is created with no access route on the Gateway?

Created On 04/16/20 18:23 PM - Last Modified 04/20/20 23:29 PM


Question
Why does the tunnel start bouncing when LSVPN is created with no access route on the Gateway?


Environment
  • GlobalProtect LSVPN
  • Satellite
  • PAN-OS 8.1 and above


Answer
When an LSVPN Gateway has no Access Routes configured, it sends the Satellite a 0.0.0.0/0 default route pointing into the tunnel. Because the Satellite's default gateway now points through the tunnel, the Satellite attempts to reach the Gateway itself through the tunnel instead of over the WAN. The tunnel therefore fails and bounces.

The usual workaround is a static route on the Satellite that keeps Gateway traffic on the WAN, but this cannot be done when the WAN interface is DHCP, and an exclude route cannot be sent in the Gateway Access Routes. The workaround for this setup is:
  1. Create a static route to the Gateway on the Satellite. This gives it a smaller Administrative Distance than the default route sent by the Gateway.
  2. Create Access Routes for only the subnets that need to reach the Gateway. If the Gateway IP falls inside those subnets, use another public Gateway IP.
  3. If 0.0.0.0/0 must go to the home network through the tunnel, create 31 Access Routes that exclude the single Gateway IP from 0.0.0.0/0, so that the route to the Gateway itself goes out the Satellite's WAN.
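The following Python script is an added example and is not code from this article or from PAN-OS. It generates the list of prefixes that together cover 0.0.0.0/0 except the Gateway address (step 3), checks that the list is disjoint and complete, and simulates the Satellite's longest-prefix-match lookup to show why the Gateway address egresses via the WAN once the static route from step 1 is in place while everything else still uses the tunnel. The Gateway address 203.0.113.10, the home network 10.0.0.0/8, the interface names and the administrative distances are constructed sample values, not values from the article.

```python
"""Route planning for the LSVPN 'default route through the tunnel' problem.

Constructed example: assumes the Satellite does ordinary longest-prefix-match
routing with administrative distance as the tie-breaker for equal prefixes.
"""
import ipaddress
from typing import List, Tuple

IPv4Network = ipaddress.IPv4Network
Route = Tuple[IPv4Network, str, int]  # (prefix, egress interface, administrative distance)

GATEWAY = "203.0.113.10"  # sample Gateway address (TEST-NET-3, constructed)


def exclusion_routes(excluded: str) -> List[IPv4Network]:
    """Prefixes that cover 0.0.0.0/0 except `excluded` (e.g. the Gateway /32).

    Walk from the excluded block up to /0. At every step the sibling of the
    current block (the other half of its parent) contains no excluded address,
    so it is kept. One prefix is produced per length from /1 down to the
    excluded block's own length.
    """
    block = ipaddress.ip_network(excluded, strict=True)
    routes: List[IPv4Network] = []
    while block.prefixlen > 0:
        parent = block.supernet(prefixlen_diff=1)
        # parent splits into exactly two halves; keep the one that is not `block`
        sibling = next(c for c in parent.subnets(prefixlen_diff=1) if c != block)
        routes.append(sibling)
        block = parent
    return sorted(routes)


def verify_cover(routes: List[IPv4Network], excluded: str) -> bool:
    """True if `routes` are pairwise disjoint, avoid `excluded`, and with it fill IPv4."""
    ex = ipaddress.ip_network(excluded, strict=True)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(routes) for b in routes[i + 1:])
    avoids = all(not r.overlaps(ex) for r in routes)
    total = sum(r.num_addresses for r in routes) + ex.num_addresses
    return disjoint and avoids and total == 2 ** 32


def lookup(table: List[Route], dst: str) -> str:
    """Longest-prefix match; lower administrative distance wins between equal prefixes."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def broken_table() -> List[Route]:
    """Satellite table when the Gateway pushes only 0.0.0.0/0 into the tunnel."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), "wan", 10),    # WAN default route (sample AD)
        (ipaddress.ip_network("0.0.0.0/0"), "tunnel", 1),  # pushed by the Gateway, preferred
    ]


def fixed_table() -> List[Route]:
    """Step 1 (static /32 to the Gateway via WAN) plus step 3 (exclusion routes via tunnel)."""
    table: List[Route] = [
        (ipaddress.ip_network("0.0.0.0/0"), "wan", 10),
        (ipaddress.ip_network(f"{GATEWAY}/32"), "wan", 1),
    ]
    table += [(net, "tunnel", 1) for net in exclusion_routes(f"{GATEWAY}/32")]
    return table


def main() -> None:
    print("Gateway pushes 0/0 only -> Gateway reached via:", lookup(broken_table(), GATEWAY))
    print("With workaround         -> Gateway reached via:", lookup(fixed_table(), GATEWAY))
    print("With workaround         -> 10.1.2.3 reached via:", lookup(fixed_table(), "10.1.2.3"))
    routes = exclusion_routes(f"{GATEWAY}/32")
    print(f"{len(routes)} Access Routes, cover verified: {verify_cover(routes, GATEWAY + '/32')}")
    for net in routes:
        print("  ", net)


if __name__ == "__main__":
    main()
```

Excluding the Gateway's /32 yields one prefix for every length from /1 down to /32; excluding the Gateway's /31 instead (both addresses of the pair) yields one fewer. The lookup simulation shows the failure mode directly: with only the pushed default route, the Gateway address resolves to the tunnel, while the /32 static route wins on prefix length once it is present.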


Additional Information
Check the Access Route configuration here.
