https://live.paloaltonetworks.com/t5/panorama-discussions/urgent-vpn-failover-help-needed/m-p/600727#M2509 <P>Hello Everyone,</P> <P>&nbsp;</P> <P>We have an existing policy-based site-to-site VPN between our Palo Alto and client's Meraki.</P> <P>The current VPN is to their Primary WAN IP address(Primary ISP). Now they have a secondary ISP. Both the primary and secondary ISPs are configured on the client's Meraki. I have to configure VPN failover on Palo Alto. Please help me out. I have read multiple articles but I have got more confused.&nbsp;</P> Tue, 15 Oct 2024 13:03:18 GMT msdphi 2024-10-15T13:03:18Z https://live.paloaltonetworks.com/t5/panorama-discussions/urgent-vpn-failover-help-needed/m-p/600727#M2509 <P>Hello Everyone,</P> <P>&nbsp;</P> <P>We have an existing policy-based site-to-site VPN between our Palo Alto and client's Meraki.</P> <P>The current VPN is to their Primary WAN IP address(Primary ISP). Now they have a secondary ISP. Both the primary and secondary ISPs are configured on the client's Meraki. I have to configure VPN failover on Palo Alto. Please help me out. I have read multiple articles but I have got more confused.&nbsp;</P> Tue, 15 Oct 2024 13:03:18 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/urgent-vpn-failover-help-needed/m-p/600727#M2509 msdphi 2024-10-15T13:03:18Z https://live.paloaltonetworks.com/t5/panorama-discussions/urgent-vpn-failover-help-needed/m-p/609527#M2546 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/722572629">@msdphi</a>&nbsp;</P> <P>&nbsp;</P> <P>Is Palo alto side initiator here? I am assuming it and below are the configuration steps ( high level ).</P> <P>&nbsp;</P> <P>On Palo Alto side, you need to configure two separate IPSEC tunnels towards client side ( towards <STRONG>ISP1</STRONG> and <STRONG>ISP2</STRONG> ). For both the tunnels, you will have same proxy IDs.&nbsp;</P> <P>&nbsp;</P> <P>Let’s say you have configured <STRONG>tunnel.1</STRONG> interface for the tunnel with <STRONG>ISP1</STRONG> <STRONG>IP</STRONG> and <STRONG>tunnel.2</STRONG> interface for tunnel with <STRONG>ISP2</STRONG> <STRONG>IP.</STRONG></P> <P>&nbsp;</P> <P>Now you will add two static routes for tunnel destination hosts/network pointing to <STRONG>tunnel.1</STRONG> and <STRONG>tunnel.2</STRONG> interfaces. <STRONG>Here, keep higher metric on the route pointing towards tunnel.2 interface. e.g. 10 metric for the route pointing to tunnel.1 and metric 11 for the route pointing to tunnel.2 interface</STRONG>.</P> <P>&nbsp;</P> <P>For failover, you need to use path monitoring on the static route pointing towards <STRONG>tunnel.1</STRONG> i.e. your primary ISP.</P> <P>For this, you need to assign IP address on the tunnel interface i.e. <STRONG>tunnel.1</STRONG> and take one remote end IP which is responding to ping requests. So, you can configure that IP as a destination. Firewall will ping that IP during configured internals. If primary tunnel goes down, remote end IP will stop responding to the ping requests. As soon as path monitoring is detected as <STRONG>DOWN ,&nbsp;</STRONG>the route pointing to <STRONG>tunnel.1</STRONG> interface will be removed from the forwarding routing table. So, after that automatically, request will be send towards <STRONG>tunnel.2</STRONG> interface which nothing but your backup tunnel.</P> <P>&nbsp;</P> <P>Once primary tunnel is back online and remote IP starts pinging from primary tunnel interface, route towards tunnel.1 interface will be added back and traffic will be pointed to Primary tunnel with ISP1. For static route path monitoring, refer <A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/static-routes/static-route-removal-based-on-path-monitoring" target="_blank">this</A>&nbsp;.</P> <P>&nbsp;</P> <P>Client team also need to handle all the required configuration on their end so they can accept traffic from Palo Also side.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SutareMayur_0-1729506688079.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63138i0A40C48B8933799D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="SutareMayur_0-1729506688079.png" alt="SutareMayur_0-1729506688079.png" /></span></P> <P>&nbsp;</P> Mon, 21 Oct 2024 10:31:54 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/urgent-vpn-failover-help-needed/m-p/609527#M2546 SutareMayur 2024-10-21T10:31:54Z