How to set up a standby VPN tunnel from NSX-T 3.1
A few of our customers have two VPN sites or have two Internet connections to the VPN firewall in their office. They always ask to have a secondary VPN tunnel as standby for when the primary Internet connection fails. I can't find anything that can make this work on NSX-T 3.1.3. Does anyone know how to do it?
When I am setting up a policy-based VPN, NSX-T doesn't allow me to set up two tunnels that have the same local/remote subnets, so I think it is not possible with policy-based VPN. Then I tried route-based. I set up two tunnels, one for each Internet connection, and both are up. I set up a static route on my T1 gateway with two next hops with different admin distances, but it doesn't work as I expected. When I shut down the Internet on my primary remote site, it doesn't look like the traffic moves to the standby tunnel, as I don't see traffic being sent out on it. Where could I have gone wrong? I can't find any information about this kind of request in the documents.
Have you tried setting up two (2) route-based VPNs, using different peer addresses, then using BGP to share routes via the VPN?
If the routes learned are the same, it should populate the RIB in NSX with multiple entries. Not sure if ECMP or active/standby FIB entries will be used, but it should allow for at least a failover path to be used.
Don't forget to mark as solved if your questions are answered.
Hi Chris, thanks for replying. I will give it a try.