Secure link fabric flaps on Prisma SD-WAN ION devices

Created On 04/24/24 23:07 PM - Last Modified 03/27/25 00:09 AM


Symptom


Secure link fabric goes down frequently

ION-1200-Backup# dump vpn status VpnID=17136897045990xxxxx
VEP ID: 17136897045990xxxxx
  vpnlink_id: 17136897045990xxxxx
  vpn_underlay_address_family : ipv4(Active)
  local_ipv4: 58.34.x.x
  remote_ipv4: 120.136.x.x
  local_ipv6: N/A
  remote_ipv6: N/A
  local_shim_ipv4: 100.64.x.x
  remote_shim_ipv4: 100.64.x.x
  peer_vep_id: 17136897045990xxxxx
  peer_site_role: HUB
  admin_up: true
  devname: 1
  type: public
  status: Down
  active: true
  encap:  vxlan
  usable: true
  cipher: aes-256-cbc
  link_healthy: na
  link if_id: vpn1
Link is “Down”
Reason: BFD Failure.
Link is “Usable”.
Remote IP & Port: 120.136.x.x:4500


Environment


  • Prisma SD-WAN
  • ION devices
  • High Availability (HA)


Cause


In an HA configuration, the WAN ports had the same IP addresses on both the primary and secondary devices.



Resolution


1. In an HA configuration, the ION devices operate in active/backup mode, but the WAN interfaces always remain active, so each one needs its own unique IP address.
2. Configure different IP addresses on the WAN interfaces of the primary and secondary devices to resolve the issue. Refer to Branch HA Topologies.
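
One way to check an HA pair for the condition described under Cause, as an added example that is not part of the original article or any Palo Alto Networks tooling: it parses saved `dump vpn status` output from each member and reports any `local_ipv4` address seen on both. The function names, the sample output and the assumption that `local_ipv4` reflects the WAN interface address are assumptions of this example.

```python
import ipaddress

def parse_records(text):
    """Split saved `dump vpn status` output into one dict per VEP record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            continue  # prompt lines, blank lines, 'Link is "Down"' summaries
        if key == "VEP ID" or not records:
            records.append({})  # each record starts at its "VEP ID" line
        records[-1][key] = value
    return records

def local_addresses(records):
    """Collect parseable local_ipv4 values; skips N/A or masked entries."""
    found = set()
    for rec in records:
        try:
            found.add(ipaddress.ip_address(rec.get("local_ipv4", "")))
        except ValueError:
            pass
    return found

def audit_ha_pair(primary_text, backup_text):
    """Report WAN addresses present on both HA members, plus Down links."""
    primary, backup = parse_records(primary_text), parse_records(backup_text)
    shared = local_addresses(primary) & local_addresses(backup)
    down = [rec.get("vpnlink_id", "unknown") for rec in primary + backup
            if rec.get("status") == "Down"]
    return {"shared_wan_ips": sorted(str(a) for a in shared), "down_links": down}

# Constructed sample output (documentation address ranges, made-up IDs).
PRIMARY = """ION-Primary# dump vpn status VpnID=1001
VEP ID: 1001
  vpnlink_id: 1001
  local_ipv4: 203.0.113.10
  remote_ipv4: 198.51.100.20
  local_ipv6: N/A
  status: Up
"""
BACKUP = PRIMARY.replace("1001", "2001").replace("status: Up", "status: Down")
FIXED_BACKUP = BACKUP.replace("203.0.113.10", "203.0.113.11")

if __name__ == "__main__":
    print(audit_ha_pair(PRIMARY, BACKUP))        # same WAN IP on both members
    print(audit_ha_pair(PRIMARY, FIXED_BACKUP))  # unique WAN IPs
```

A non-empty `shared_wan_ips` list together with links reported Down matches the symptom and cause in this article.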


Additional Information


Configure the main interface for HA-Connectivity


