Create a VPN Cluster
Create a VPN cluster to group branches and hubs that communicate with each other into a logical group.
In your SD-WAN configuration, you must configure one or more VPN clusters to determine which branches communicate with which hubs and creates a secure connection between the branch and hub devices. VPN clusters are logical groupings of devices, so consider things such as geographical location or function when logically grouping your devices.
®10.0.2 and earlier releases support only the Hub-Spoke SD-WAN VPN topology. In a Hub-Spoke topology, a centralized firewall hub at a primary office or location acts as the gateway between branch devices. The hub-to-branch connection is a VPN tunnel. In this configuration, traffic between branches must pass through the hub.
The first time you Configure a Virtual SD-WAN Interface with direct internet access (DIA) links for an SD-WAN hub or branch firewall, a VPN cluster called
autogen_hubs_clusteris automatically created and the SD-WAN firewall is automatically added to the VPN cluster. This allows the Panorama™ management server to Monitor SD-WAN Application and Link Performance for devices that are protected by the SD-WAN firewall and accessing resources outside of your corporate network. Additionally, any SD-WAN firewall with DIA links that you configure in the future are automatically added to the
autogen_hubs_clusterVPN cluster containing all hubs and branches with DIA links to allow Panorama to monitor application and link performance. The
autogen_hubs_clusteris purely for monitoring application and link health, and not to create VPN tunnels between the hubs and branches with DIA links. If you need to connect hubs and branches with VPN tunnels, you must create a new VPN cluster and add all the required hubs and branches to that cluster.
A strong, random IKE preshared key is created for all hubs and branches in the VPN cluster to secure the VPN tunnels, and each firewall has a master key that encrypts the preshared key. The system secures the preshared key, even from the administrator. You can refresh the IKE preshared key, which Panorama sends to all members of the cluster.
Refresh the preshared key when cluster members are not busy.
- Plan your branch and hub VPN topology to determine which branches communicate with each of your hubs. For more information, see Plan Your SD-WAN Configuration.
- Specify IP address ranges for the IPSec VPN tunnels that Auto VPN configuration creates.Auto VPN configuration creates a VPN tunnel between a hub and branches and assigns IP addresses to the tunnel endpoints. Enter subnet ranges that you want Auto VPN to use as VPN tunnel addresses.You can enter up to 20 IP prefix/netmask ranges. Auto VPN draws from that pool for VPN tunnel addresses, drawing from the largest range first (and the drawing from the next largest range when necessary). You must configure at least one range for the pool. If you don’t perform this step before pushing the configuration to a hub or branch, the Commit and Push will fail.If you upgrade from an earlier SD-WAN Plugin release, you must check that your ranges are still correct. If it is not, enter new ranges. After youCommit, all tunnels are dropped and new tunnels are used, so perform this task during a time you have low traffic.
- Select.PanoramaSD-WANVPN Clusters
- At the bottom of the screen, selectVPN Address Pool.
- Addone or more (up to 20)MemberIP address and netmask ranges, for example, 192.168.0.0/16.
- Configure the VPN cluster. Repeat this step to create VPN clusters as needed.
- SelectandPanoramaSD-WANVPN ClustersAdda VPN cluster.
- Enter a descriptive name for the VPN cluster.Underscores and spaces are not supported in the VPN cluster name and result in monitoring () data for the cluster not to be displayed. Choose the name of the VPN cluster carefully so you do not need to change the name in the future. SD-WAN monitoring data is generated based on the old cluster name and cannot be reconciled to a new cluster name, and will cause issues with the number of reported clusters when monitoring your VPN clusters or generating reports.PanoramaSD-WANMonitoring
- Select the VPN clusterType.
- Addone or more branch devices that you determined need to communicate with each other.
- SelectGroup HA Peersto display the branch devices that are HA peers together.
- Select the branch devices to add to the cluster.
- Addone or more hub devices that you determined need to communicate with the branch devices.Up to four SD-WAN hub firewalls can be added to a VPN cluster. SD-WAN hubs in an HA configuration are considered as a single SD-WAN hub firewall.MPLS and satellite link types will form tunnels with only the same link type; for example, MPLS-to-MPLS and satellite-to-satellite. Tunnels will not be created between an MPLS link and an Ethernet link, for example.
- SelectGroup HA Peersto display the hub devices that are HA peers together.
- Select the hubs to add to the cluster and clickOK.
- For any new or previously existing VPN cluster that has more than one hub, you must prioritize the hubs to determine a) that traffic be sent to a particular hub, and b) the subsequent hub failover order. The hub failover priority range is 1 to 4. If you upgrade, the default priority is set to 4. The plugin internally translates the hub failover priority to a BGP local preference number as shown in the following table. The lower the priority value, the higher the priority and local preference. A cluster supports a maximum of four hubs. An active/passive HA pair counts as one hub. Multiple hubs can have the same priority; an HA pair must have the same priority. Panorama uses the branch’s BGP template to push the local preference of the hubs to the branches in the cluster.Hub Failover PriorityLocal Preference1250220031504100If multiple hubs have the same priority, Panorama enables ECMP in two places on each branch firewall to determine how branches select the path. ECMP is enabled for the virtual router () andNetworkVirtual RoutersECMPECMP Multiple AS Supportis enabled for BGP ().If all hubs in the cluster have a unique priority, ECMP is disabled on the branches. If a hub priority configuration changes, Panorama reevaluates whether to enable or disable ECMP.NetworkVirtual RoutersBGPAdvanced
- If you selectedGroup HA Peers, select the pair and click in theHub Failover Priorityfield; enter a singlePriority(range is 1 to 4), which applies to both hubs in the HA pair, and clickOK.The Hub Failover Priority for HA Peers window appears only for configured HA pairs. If you add a new HA pair, you must configure the Hub Failover Priority for each of the two new peers independently.You will get an error message if you assign different priorities to hubs that are ungrouped HA peers and then you selectGroup HA PeersandSubmit.
- For hubs that are not HA pairs, select a hub and click in theHub Failover Priorityfield; enter a priority (range is 1 to 4).
- ClickOKto save the VPN cluster.
- Advertise additional prefixes at the branch to the hub.The firewall automatically redistributes (advertises) all non-public, connected routes from the branch to the hub. You can also redistribute any additional prefixes from the branch to the hub. ThePrefix(es) to Redistributefield accepts a list of prefixes, rather than just a single prefix.
- Selectand select a branch firewall.PanoramaSD-WANDevices
- SelectBGPandAddone or more IP addresses with netmask toPrefix(es) to Redistribute.
- CommitandCommit to Panorama.
- (SD-WAN Plugin 2.0.1 and later 2.0 releases) If your hub firewalls in a hub-spoke VPN cluster have DHCP or PPPoE interfaces, you must use DDNS. Selectand in theNetworkInterfacesEthernetTemplatefield, select Template-stack for a hub.
- (SD-WAN Plugin 2.0.1 and later 2.0 releases) Select the interfaces whose IP address indicatesDynamic-DHCP ClientorPPPOE, clickOverrideon the bottom of the screen, and clickOKto close.
- (SD-WAN Plugin 2.0.1 and later 2.0 releases) Verify on Panorama that the DDNS settings were configured.
- Selectand select the same interface again.NetworkInterfacesEthernet
- See that the DDNS settings were automatically configured with aHostnameand theVendorset toPalo Alto Networks DDNS.
- (SD-WAN Plugin 2.0.1 and later 2.0 releases)CommitandCommit to Panorama.
- Push the configuration to the hub(s).When Panorama creates virtual SD-WAN interfaces for hubs, Panorama doesn't necessarily create the interfaces using contiguous interface numbers. It might randomly skip an interface number, for example, sdwan.921, sdwan.922, sdwan.924, sdwan.925. Despite the discontiguous numbering, Panorama creates the correct number of SD-WAN interfaces. Use the operational CLI commandshow interface sdwan?to see the SD-WAN interfaces.
- SelectCommitandPush to Devices.
- Edit Selectionson the lower left side of the screen.
- DeselectFilter Selected.
- Click onDeselect All.
- Select your hub Device Group. SelectInclude Device and Network Templatesat the bottom of the screen. You must push to hubs before pushing to branches.Most branches have dynamic IP addresses through their service providers, so branches must initiate the IKE/IPSec connection because the hub doesn’t have the branches’ IP address.To ensure that the hub is ready to receive the IKE/IPSec connections, the hub’s configuration must be committed and pushed before the branch’s configuration. Thus, when the branch configurations are pushed and the branches initiate the connection to the hub, the hub is ready.
- Select theTemplatestab andDeselect All.
- ThePush Scopeis the Device Group.Pushthe configuration to the hub(s).
- Push the configuration to the branch(es) by repeating the prior step, but selecting your branch Device Group.
- Refresh the IKE preshared key.If you need to change the current IKE key that is used to secure the IPSec connections between VPN cluster devices, perform this step to randomly generate a new key for the cluster.Perform this step when cluster members are not busy.
- Selectand select a cluster.PanoramaSD-WANVPN Clusters
- At the bottom of the screen, selectRefresh IKE Key.
- A message appears notifying you thatRefreshing the IKE key will generate a new security association (SA) for every SD-WAN firewall in the VPN cluster. This may cause a service disruption. Do you wish to continue? Yes | NoSelectYesif you wish to continue.
- Commit.After youRefresh IKE Key, you must commit to the entire cluster; a partial commit will bring down tunnels.
- Push to Devices.
Recommended For You
Recommended videos not found.