topic Re: Multiple ISPs with Path Monitoring in General Topics

Multiple ISPs with Path Monitoring

securehops — Thu, 29 Sep 2022 00:55:20 GMT

Hi All

Need a sanity check. When deploying multiple ISPs using path monitoring, instead of policy based forwarding, should the 2nd ISP become unreachable? It makes sense that it does, but it wasn't mentioned in Palo article about it

Setup would be

ISP1 (e1/1) 0.0.0.0/0 1.1.1.254 priority 10 (with path monitoring)

ISP2 (e1/4) 0.0.0.0/0 2.2.2.254 priority 200

VPN tunnels for both ISP1 and ISP2 using tunnel monitor

With this config:

ISP1 tunnel is up, e1/1 is pingable from outside

ISP2 tunnel is down, e1/4 is NOT pingable from outside

Re: Multiple ISPs with Path Monitoring

aleksandar.astardzhiev — Thu, 29 Sep 2022 22:13:04 GMT

Hi @securehops ,

If you don't use PBF this behaviour is expected.

Without PBF, firewall will try to establish VPN with source IP assigned on eth1/4, but it will forward the traffic over eth1/1 and ISP1, where most probably traffic will be dropped, since it is sourced from IP that doesn't belong to this ISP.

In this case, ISP2 tunnel should come up, in case of failover - path monitor fail and remove default over ISP1

and ISP1 tunnel will go down, respectively.

If you prefer to have both tunnels IP and ready, you could create a PBF so traffic sourced from eth1/4 to always go over ISP2.

Re: Multiple ISPs with Path Monitoring

securehops — Thu, 29 Sep 2022 23:01:50 GMT

Hi @aleksandar.astardzhiev

This is what I figured but wanted to be sure I was not missing something.

Interesting idea about the PBF rule for ISP 2.

Does it make more sense to do PBF instead of path monitoring? Wasn’t sure if Palo still recommends PBF

Also, I was wondering is there a best practice on what IP address to use for the PBF monitor or static route path monitoring? I see some people using the ISPs default gateway. I can see scenario where DG is reachable but an upstream issue with ISP could prevent internet access. I see others using something like 8.8.8.8 but not sure that’s the best idea either

any thoughts ?

Re: Multiple ISPs with Path Monitoring

aleksandar.astardzhiev — Fri, 30 Sep 2022 21:23:08 GMT

Hey @securehops ,

I personally always try to avoid PBF, primarily because ofter engineers forget to check it during pacy troubleshooting.

However the truet it PBF could be very helpful in some situations.

I would say:

- If you need simple failover between two ISP absolutely go for path monitor on static route

- But in addition to the failover you need faster recovery for the IPsec tunnel you will need PBF to keep the second tunnel ready to take over.

Don't forget to you either case you will need tunnel-monitor or PBF with path-monitor for the routing over the tunnel. Once primary tunnel goes down, you need to switch the route to second tunnel. You could again create PBF that will monitor the path over the tunnel and when down, to switch to second. This was the prefered way for IPsec failover way-way back. May preferable way is to use tunnel-monitor, so firewall will "disable" the static route pointing to tunnel1 and falback to route pointing to second tunnel.

Regarding the monitored host...I am not the best person to define best practises. I have had few cases where path-monitor was required and in all cases we used 8.8.8.8 and it was fine.

Re: Multiple ISPs with Path Monitoring

murali438 — Wed, 02 Nov 2022 08:32:52 GMT

Hello

Is there a way to enable preemption? Meaning if my primary ISP is back can I switch back to the primary tunnel automaically?

Thank You