topic Re: LSVPN Portal Redundancy in GlobalProtect Discussions

LSVPN Portal Redundancy

eridavis — Thu, 09 Apr 2020 15:35:56 GMT

I successfully setup LSVPN with a single portal , 2 gateways and some satellites. I realized that if my portal goes down for any reason, then the gateways are useless since the satellite needs the portal to get to the gateways. Any ideas on how best to setup a 2nd portal? Currently, my portal is on one of the gateways. I was thinking i can setup the 2nd portal on the other gateway. Can I reuse the same certificate that was generated on the first portal or do i need a new cert? The 2nd portal would have the same gateways as the 1st portal. Or is there a way to make the satellite cache the portal cert for an extended period so i don't need to create a 2nd portal?

Re: LSVPN Portal Redundancy

BPry — Wed, 08 Apr 2020 15:07:17 GMT

By default the portal configuration is cached for 24 hours. So the real question here is if you would be hosting the secondary portal on a different physical device or not, or on a different ISP. With an Active/Passive setup the reason to setup a secondary portal for redundancy sake would really be up to if you have multiple ISPs. If you don't, you won't gain a lot.

So things to think about.

1) Hardware Failure.

If you have an Active/Passive HA setup this isn't that big of an issue, your passive unit would take over.

If you don't have an HA setup do you have another piece of hardware a truly redundant set of portal and gateway could live on.

2) ISP Failure.

If you don't have a secondary ISP then this obviously isn't something you could fix. But if you do, I like to have a portal on each route, so if one ISP connection is down you can still connect to the other.

Re: LSVPN Portal Redundancy

eridavis — Wed, 08 Apr 2020 23:06:29 GMT

@BPry I have 1 site in NYC and a site in Dallas each with HA pairs(active/standby). I have 2 ISP's at each site and was planning to have the NYC site have one portal and one gateway and the Dallas site have the other portal and one gateway. So each portal would have both of the gateways configured for each satellite. The portals would use one ISP at each site. Does this make sense?

Re: LSVPN Portal Redundancy

SPCAPLP — Fri, 31 Mar 2023 13:01:45 GMT

Greetings. Although this is from 2020, I have similar situation.

Eridavis- sorry for jumping into your thread.

Looking to replace cisco ezvpn solution with LSVPN. 2 gateways each @ different DCs with its own ISP. Can I have redundant portal (different IP) portals so satellite will authenticate by any available portal (or always portal1 if there is priority). This helps incase if primary portal not available. Or One portal only and able to set the authentication timer longer..say 3years?