Manage, Monitor, and Troubleshoot the AWS Transit Gateway Integration CloudBlade
Where Can I Use This?
  Strata Cloud Manager
What Do I Need?
  Prisma SD-WAN license
  AWS Transit Gateway CloudBlade
Enable, Pause, Disable, and Uninstall the Integration
After the Integration has been set up, operations can be done in the
CloudBlade panel. These operations have various effects on the tunnels and
configurations in Prisma SD-WAN and AWS.
Set the CloudBlade to Enabled
This is the standard, expected mode of operation for the CloudBlade. The
CloudBlade runs every 60 seconds. If there are configuration changes, the
CloudBlade automatically reconfigures the integration on AWS and Prisma SD-WAN. In addition, if any
settings were previously modified manually on either Prisma SD-WAN or
AWS (for example, a VPC resource was accidentally removed in the AWS portal), the
integration run reverts them to the known good state automatically.
If Prisma SD-WAN resources such as the GRE tunnel on port 2, the port 1 circuit, the static
route, and BGP routing are deleted or modified, the AWS Transit Gateway CloudBlade
can recreate them.
If AWS resources such as the VPC attachment, the Connect attachment, and the Connect peers in
the Connect attachment are deleted, the AWS Transit Gateway CloudBlade can recreate
them.
Set the CloudBlade to Paused
Pausing the CloudBlade stops all future integration runs but leaves any created
objects intact. No new objects are created while the CloudBlade is paused, but pausing does NOT
prevent removal of any unconfigured / untagged objects on either Prisma SD-WAN or AWS.
Set the CloudBlade to Disabled
Disabling the CloudBlade removes / deletes all resources created in the AWS
environment and the Prisma SD-WAN environment. This can cause
communication interruptions if policy is not set to use other paths.
To remove all configuration from AWS and Prisma SD-WAN, you must disable the CloudBlade. For a clean
disable, ensure that all Service and DC Group configurations for the traffic are
unconfigured and that no extra VMs have been created in the Connect VPC in AWS.
Uninstall the CloudBlade
Uninstalling the CloudBlade removes the configuration for the CloudBlade, and
immediately stops any changes by the CloudBlade. Uninstalling the CloudBlade does
not automatically remove configuration from all sites and objects. CloudBlades may
be uninstalled and reinstalled to facilitate upgrades or downgrades to different
versions without traffic interruption. To completely remove all items, set the
CloudBlade to Disabled for 5-6 Integration Run periods (360 seconds) before
uninstalling.
Troubleshoot the AWS Transit Gateway Integration
vION does not show up under unclaimed devices
Check on AWS if the CloudFormation stack creation was successful.
Confirm if at least 2 x v7108 licenses are available for the vION HA pair
creation, for each region where you wish to deploy.
Check if there are at least 2 Elastic IPs available, for each region
where you wish to deploy.
BGP peering is down
Check if the GRE tunnel is created.
Check if the Connect attachment and Connect peers are configured. Ensure
that the Connect BGP peers are in the Available state.
Check on AWS if the Prisma SD-WAN Connect VPC's route
table has a route to the TGW CIDR.
Check if EBGP Multihop is configured for the BGP peer on the Prisma SD-WAN portal for each ION.
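The AWS-side items in the two checklists above (CloudFormation stack creation for the missing vION, and Connect peer state, BGP status and the Connect VPC route to the TGW CIDR for the BGP peering) can be evaluated from the JSON that the AWS CLI returns for `aws cloudformation describe-stacks`, `aws ec2 describe-transit-gateway-connect-peers` and `aws ec2 describe-route-tables`. The script below is an added example, not part of the CloudBlade or of this documentation; it only reads those responses and reports findings, and the stack name, attachment ID, transit gateway ID, CIDR and the embedded responses are constructed sample values that stand in for `--output json` output from your own account.

```python
"""Evaluate AWS-side checklist items for the Transit Gateway integration.

Added example (not Palo Alto Networks code). Feed it the JSON returned by:
  aws cloudformation describe-stacks --output json
  aws ec2 describe-transit-gateway-connect-peers --output json
  aws ec2 describe-route-tables --output json
The sample responses at the bottom are constructed, not captured from AWS.
"""
import json

# Stack states that mean the CloudFormation deployment finished successfully.
STACK_OK = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}


def check_stack(describe_stacks: dict, stack_name: str) -> list[str]:
    """'vION does not show up': was the CloudFormation stack created?"""
    stacks = [s for s in describe_stacks.get("Stacks", [])
              if s.get("StackName") == stack_name]
    if not stacks:
        return [f"stack {stack_name}: not found"]
    status = stacks[0].get("StackStatus")
    if status not in STACK_OK:
        return [f"stack {stack_name}: status {status}, expected CREATE_COMPLETE"]
    return []


def check_connect_peers(describe_peers: dict, attachment_id: str) -> list[str]:
    """'BGP peering is down': Connect peers present, available, and BGP up?"""
    findings = []
    peers = [p for p in describe_peers.get("TransitGatewayConnectPeers", [])
             if p.get("TransitGatewayAttachmentId") == attachment_id]
    if not peers:
        return [f"attachment {attachment_id}: no Connect peers configured"]
    for p in peers:
        pid = p["TransitGatewayConnectPeerId"]
        if p.get("State") != "available":
            findings.append(f"peer {pid}: state {p.get('State')}, expected available")
        cfg = p.get("ConnectPeerConfiguration", {})
        for bgp in cfg.get("BgpConfigurations", []):
            if bgp.get("BgpStatus") != "up":
                findings.append(f"peer {pid}: BGP to {bgp.get('PeerAddress')} "
                                f"is {bgp.get('BgpStatus')}")
    return findings


def check_route_to_tgw(describe_rts: dict, tgw_cidr: str, tgw_id: str) -> list[str]:
    """'BGP peering is down': does the Connect VPC route table reach the TGW CIDR?"""
    findings = []
    for rt in describe_rts.get("RouteTables", []):
        present = any(r.get("DestinationCidrBlock") == tgw_cidr
                      and r.get("TransitGatewayId") == tgw_id
                      and r.get("State") == "active"
                      for r in rt.get("Routes", []))
        if not present:
            findings.append(f"route table {rt['RouteTableId']}: "
                            f"no active route {tgw_cidr} -> {tgw_id}")
    return findings


# Constructed sample responses (IDs and addresses are placeholders).
SAMPLE_STACKS = {"Stacks": [
    {"StackName": "prisma-sdwan-tgw", "StackStatus": "ROLLBACK_COMPLETE"}]}
SAMPLE_PEERS = {"TransitGatewayConnectPeers": [{
    "TransitGatewayConnectPeerId": "tgw-connect-peer-0aaa0000000000001",
    "TransitGatewayAttachmentId": "tgw-attach-0bbb0000000000001",
    "State": "available",
    "ConnectPeerConfiguration": {"Protocol": "gre", "BgpConfigurations": [
        {"PeerAddress": "169.254.100.1", "BgpStatus": "up"},
        {"PeerAddress": "169.254.100.2", "BgpStatus": "down"}]}}]}
SAMPLE_ROUTE_TABLES = {"RouteTables": [{
    "RouteTableId": "rtb-0ddd0000000000001",
    "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                "State": "active"}]}]}


def run_checklist() -> list[str]:
    """Run all three checks over the sample responses; empty list means healthy."""
    return (check_stack(SAMPLE_STACKS, "prisma-sdwan-tgw")
            + check_connect_peers(SAMPLE_PEERS, "tgw-attach-0bbb0000000000001")
            + check_route_to_tgw(SAMPLE_ROUTE_TABLES, "10.100.0.0/24",
                                 "tgw-0ccc0000000000001"))


if __name__ == "__main__":
    for line in run_checklist():
        print("FINDING:", line)
    print(json.dumps({"findings": len(run_checklist())}))
```

Each finding maps to one line of the checklist above, so a clean run (empty list) means the AWS side of those items passes and the remaining checks (GRE tunnel creation and EBGP Multihop on the Prisma SD-WAN portal) are the next place to look. Replace the `SAMPLE_*` dictionaries with `json.load()` of the real CLI output to use it against your own account.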
End-to-end traffic does not go through
Check if Prisma SD-WAN VPNs are up between branch site and
AWS DC site.
Check if the BGP peering between Datacenter IONs and the Transit Gateway
is up and the routes are learned and advertised from the active ION.
Check the flow browser for the branch ION from where the traffic is being
sent to the AWS VPC.
Check if the service and DC group includes the AWS Datacenter.
Check the Path policy.
Check if there is a security policy rule that is blocking traffic.
Check Application VPC’s route table and security group.
Monitor the AWS Transit Gateway CloudBlade
On the AWS Transit Gateway CloudBlade page, select
Monitor to view the AWS status and AWS site connectivity.
The Monitor tab shows if a deployment fails, or if any exceptions occur during
deployment and points to the cause of the disruption.
The AWS Status tab provides the site name, AWS Connect VPC
name, AWS region, deployment status, time the last event occurred, and a
summary of the deployment.
The AWS Site Connectivity tab provides the site name, name of
the device, AWS region, AWS Connect VPC names, AWS transit gateway ID, GRE tunnel
status, BGP status, GRE tunnel uptime, and the BGP uptime.