Integrate Prisma Access with Silver Peak SD-WAN
Focus
Focus
Prisma Access

Integrate Prisma Access with Silver Peak SD-WAN

Table of Contents

Integrate Prisma Access with Silver Peak SD-WAN

Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
Silver Peak supports the following deployment architectures for use with Prisma Access. A dash (—) indicates that the deployment isn't supported.
Use Case
Architecture
Supported?
Securing traffic from each branch site with 1 WAN link (Type 1)
Use an IPSec tunnel from each branch to Prisma Access. Use a Silver Peak EdgeConnect device at the branch.
Yes
Securing branch and HQ sites with active/backup SD-WAN connections
Yes
Securing branch and HQ sites with active/active SD-WAN connections
Yes
Securing branch and HQ sites with SD-WAN edge devices in HA mode
Yes
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2)
Yes

Cloud Management

Use this workflow to configure Silver Peak EdgeConnect with Prisma Access.
Silver Peak recommends that you configure two tunnels in an active-backup configuration between Silver Peak EdgeConnect and Prisma Access, because there are some restrictions for accessing resources at other network locations when you configure the tunnels in an active/active configuration because of the overlapping subnets.
Before you start this workflow, determine your remote tunnel capacity. Silver Peak bases the tunnel capacity on licensing and the capacity of the device model. For example, the base Silver Peak license supports up to 200 Mbps WAN uplink, and the EC-XS supports 200 Mbps. Prisma Access bases a location’s bandwidth on the bandwidth you specify for its compute location.
    • Choose a
      Prisma Access Location
      that is close to the remote network location that you want to onboard.
    • When creating the IPSec tunnel, use a
      Branch Device Type
      of
      SilverPeak
      .
  1. Select
    IPSec Advanced Options
    and select an IPSec Crypto profile of
    SilverPeak-IPSec-Crypto-Default
    .
  2. Select
    IKE Advanced Options
    and select an IKEv1 crypto profile of
    SilverPeak-IKE-Crypto-Default
    .
  3. Set up routing for the remote network.
    Set Up
    Routing and
    Add
    the IP subnets for Static Routing.
  4. Push your configuration changes.
    1. Return to
      Manage
      Service Setup
      Remote Networks
      and select
      Push Config
      Push
      .
    2. Select
      Remote Networks
      .
    3. Push
      your changes.
  5. Make a note of the
    Service IP
    address of the Prisma Access side of the tunnel. To find this address in
    Prisma Access (Cloud Management)
    , select
    Manage
    Service Setup
    Remote Networks
    , click the
    Remote Networks
    , and look for the
    Service IP
    field corresponding to the remote network configuration you created.
  6. From the Silver Peak orchestrator, create a tunnel configuration.
    1. Select
      Configuration
      .
    2. Select
      Tunnels
      Passthrough
    3. Select
      Add Tunnel
      .
    4. Select a
      Name
      ,
      Local IP
      ,
      Remote IP
      , and
      Mode
      .
    5. In the
      Advanced Options
      area, enter the IKE and IPSec parameters.
      The parameters must be the same as the parameters that you specified on Prisma Access. Silver Peak recommends the following IKE and IPSec encryption settings:
      • IKE encryption settings:
        • Encryption
          —AES-256-CBC
        • Authentication
          —SHA512
        • IKE Lifetime
          —8 hours
        • Dead Peer Detection
          Delay time:
          300 seconds
          Retry:
          3
        • IKE Identifier
          —IP address (leave blank - public IP is auto-detected)
        • DH
          —Group 14
        • Mode
          —Aggressive
      • IPSec encryption settings:
        • Encryption
          —AES-25-CBC
        • Authentication
          —SHA512
        • Lifetime
          —60 minutes
        • PFS
          —DH - Group 14
  7. Create two tunnels to Prisma Access: one Active and the other Backup.
    The following example creates two tunnels named
    GlobalProtect-1
    and
    GlobalProtect-2
    .
    Specify the Prisma Access
    Service IP
    address in the
    Remote IP
    field.
    Select the
    Local IP
    address from the list of WAN interface IP addresses.
  8. Use the 3rd party IPSec tunnels in a Business Intent overlay policy by selecting
    Business Intent Overlay
    and configuring the
    Peer/Service
    in the
    Policies
    area.
  9. Order the
    GlobalProtect-1
    GlobalProtect-2
    service to the
    Preferred Policy Order
    field in the internet Traffic area.
    Defining the order in the
    Preferred Policy Order
    configures the GlobalProtect-1 tunnel to automatically failover to the GlobalProtect-2 if the GlobalProtect-1 goes down. When both tunnels from the branch to GPCS are down, Silver Peak uses any other defined path such as local breakout or backhaul using the Overlay.

Support for Two Active-Active Connections

Two connections from a branch as active-active on Prisma Access are implemented as two separate remote network connections. Onboard the connections in two separate locations using one of the following methods:
  • Configure two separate remote networks in two different compute locations and specify subnets that overlap (overlapping subnets) for each remote network.
  • Onboard both remote networks to the same compute location, making sure that the bandwidth for that compute location is sufficient to support two tunnels.
    The Silver Peak SD-WAN manually injects branch subnets into Prisma Access, but return traffic might not travel through the same tunnel if you use the same branch subnets for both tunnels. To avoid asymmetric traffic paths, configure different branch subnets for each primary tunnel.
  1. To load balance between the two tunnels, use identical names under Peer/Service. For example, if you use a Peer/Service name
    GlobalProtect
    for the tunnels PrismaAccess-1 and PrismaAccess-2, traffic will load balance between the two tunnels.
    The following figure shows the different branch subnets configured in Prisma Access for the load-balanced tunnels.
    The following figure shows Prisma Access in two locations in the
    Remote IP
    area and the peer service configured as
    GlobalProtect
    in the
    Peer/Service
    area.
    The following figure shows
    Send to GlobalProtect
    configured in the
    Preferred Policy Order
    field.

Troubleshoot the Silver Peak Remote Network

Prisma Access provides logs and widgets that provide you with the status of remote tunnels and the status of each tunnel.
  • Go to
    Manage
    Service Setup
    Remote Networks
    and check the
    Status
    of the tunnel.
  • Go to
    Activity
    Log Viewer
    and check the
    Common/System
    logs for IPSec- and IKE-related messages.
    To view VPN-relates messages, set the filter to
    sub_type.value = vpn
    .
    The message
    ignoring unauthenticated notify payload
    indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
  • Check the
    Firewall/Traffic
    logs and view the messages that are coming from the zone that has the same name as the remote network.
    In the logs, the remote network name is used as the source zone.

Panorama

Use this workflow to configure Silver Peak EdgeConnect with Prisma Access.
Silver Peak recommends that you configure two tunnels in an active-backup configuration between Silver Peak EdgeConnect and Prisma Access, because there are some restrictions for accessing resources at other network locations when you configure the tunnels in an active-active configuration because of the overlapping subnets.
Before you start this workflow, complete the following tasks:
  • Configure a remote network tunnel in Prisma Access for the tunnels you create in this section, and make a note of the IKE and IPSec Crypto profiles you used for the remote network tunnel. You also need the Service IP address of the Prisma Access side of the tunnel to complete this configuration. To find this address in Panorama, select
    Panorama
    Cloud Services
    Status
    Network Details
    , click the
    Remote Networks
    radio button, and find the address in the
    Service IP Address
    field.
  • Determine your remote tunnel capacity. Silver Peak bases the tunnel capacity on licensing and the capacity of the device model. For example, the base Silver Peak license supports up to 200 Mbps WAN uplink, and the EC-XS supports 200 Mbps. Prisma Access bases its tunnel capacity on what you specify when you create the remote network and the amount of bandwidth in the Prisma Access license.
  1. From the Silver Peak orchestrator, create a tunnel configuration.
    1. Select
      Configuration
      .
    2. Select
      Tunnels
      Passthrough
    3. Select
      Add Tunnel
      .
    4. Select a
      Name
      ,
      Local IP
      ,
      Remote IP
      , and
      Mode
      .
    5. In the
      Advanced Options
      area, enter the IKE and IPSec parameters.
      The parameters must be the same as the parameters that you specified on Prisma Access. Silver Peak recommends the following IKE and IPSec encryption settings:
      • IKE encryption settings:
        • Encryption
          —AES-256-CBC
        • Authentication
          —SHA512
        • IKE Lifetime
          —8 hours
        • Dead Peer Detection
          Delay time:
          300 seconds
          Retry:
          3
        • IKE Identifier
          —IP address (leave blank - public IP is autodetected)
        • DH
          —Group 14
        • Mode
          —Aggressive
      • IPSec encryption settings:
        • Encryption
          —AES-25-CBC
        • Authentication
          —SHA512
        • Lifetime
          —60 minutes
        • PFS
          —DH - Group 14
  2. Create two tunnels to Prisma Access: one Active and the other Backup.
    The following example creates two tunnels named
    GlobalProtect-1
    and
    GlobalProtect-2
    .
    Specify the Prisma Access
    Service IP Address
    in the
    Remote IP
    field.
    Select the
    Local IP
    address from the list of WAN interface IP addresses.
  3. Use the 3rd party IPSec tunnels in a Business Intent overlay policy by selecting
    Business Intent Overlay
    and configuring the
    Peer/Service
    in the
    Policies
    area.
  4. Order the
    GlobalProtect-1
    GlobalProtect-2
    service to the
    Preferred Policy Order
    field in the internet Traffic area.
    Defining the order in the
    Preferred Policy Order
    configures the GlobalProtect-1 tunnel to automatically failover to the GlobalProtect-2 if the GlobalProtect-1 goes down. When both tunnels from the branch to Prisma Access are down, Silver Peak uses any other defined path such as local breakout or backhaul using the Overlay.

Support for Two Active-Active Connections

Two connections from a branch as active-active on Prisma Access are implemented as two separate remote network connections. Onboard the connections in two separate regions using one of the following methods:
  • Specify
    Overlapped Subnets
    when you configure the remote network tunnel in Prisma Accessthe two remote networks in two separate regions. See Remote Network Locations with Overlapping Subnets for more information.
  • Onboard both remote networks to the same region, but specify the bandwidth for one of the connections to the maximum bandwidth that is licensed and supported for Prisma Access. Select
    Panorama
    Licenses
    Prisma Access for Remote Networks
    to see the maximum bandwidth.
    The Silver Peak SD-WAN manually injects branch subnets into Prisma Access, but return traffic might not travel through the same tunnel if you use the same branch subnets for both tunnels. To avoid asymmetric traffic paths, configure different branch subnets for each primary tunnel.
  1. To load balance between the two tunnels, use identical names under Peer/Service. For example, if you use a Peer/Service name
    GlobalProtect
    for the tunnels GPCS1 and GPCS2, traffic will load balance between the two tunnels.
    The following figure shows the different branch subnets configured in Prisma Access for the load-balanced tunnels.
    The following figure shows Prisma Access in two regions in the
    Remote IP
    area and the peer service configured as
    GlobalProtect
    in the
    Peer/Service
    area.
    The following figure shows
    Send to GlobalProtect
    configured in the
    Preferred Policy Order
    field.

Troubleshoot the Silver Peak Remote Network

Prisma Access provides logs that provide you with the status of remote tunnels and the status of each tunnel. To view these logs in Panorama, select
Monitor
Logs
System
.
To debug tunnel issues, you can filter for tunnel-specific logs by using the object identifier corresponding to that tunnel. The following figures show errors related to tunnel misconfiguration and negotiation issues.

Recommended For You