https://live.paloaltonetworks.com/t5/general-topics/primary-mpls-bgp-and-secondary-internet-site-to-site-vpn/m-p/586425#M117032 <P>I recently started a new job and they have their firewalls setup with two circuit connections.&nbsp;<BR /><BR />Primary is MPLS running BGP and secondary is internet with a Site to Site VPN and static routes pointing to this tunnel.&nbsp;<BR /><BR />I'm not aware of what has been set/configured to make the traffic choose the MPLS/BGP interface vs the Site to Site interface, in my mind since the tunnel has static routes pointing to it in the VR it would have precedence. I'm mainly curious for when I need to setup a new site, how to make sure it chooses the MPLS/BGP interface connection over the Site to Site tunnel interface. Thanks in advance.&nbsp; &nbsp;&nbsp;</P> Sun, 12 May 2024 00:53:03 GMT C.Rowe724515 2024-05-12T00:53:03Z https://live.paloaltonetworks.com/t5/general-topics/primary-mpls-bgp-and-secondary-internet-site-to-site-vpn/m-p/586425#M117032 <P>I recently started a new job and they have their firewalls setup with two circuit connections.&nbsp;<BR /><BR />Primary is MPLS running BGP and secondary is internet with a Site to Site VPN and static routes pointing to this tunnel.&nbsp;<BR /><BR />I'm not aware of what has been set/configured to make the traffic choose the MPLS/BGP interface vs the Site to Site interface, in my mind since the tunnel has static routes pointing to it in the VR it would have precedence. I'm mainly curious for when I need to setup a new site, how to make sure it chooses the MPLS/BGP interface connection over the Site to Site tunnel interface. Thanks in advance.&nbsp; &nbsp;&nbsp;</P> Sun, 12 May 2024 00:53:03 GMT https://live.paloaltonetworks.com/t5/general-topics/primary-mpls-bgp-and-secondary-internet-site-to-site-vpn/m-p/586425#M117032 C.Rowe724515 2024-05-12T00:53:03Z https://live.paloaltonetworks.com/t5/general-topics/primary-mpls-bgp-and-secondary-internet-site-to-site-vpn/m-p/586430#M117033 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/705384019">@C.Rowe724515</a></P> <P>&nbsp;</P> <P>thanks for posting.</P> <P>&nbsp;</P> <P>There are two things that come to my mind. Either BGP learned routes have smaller prefixes compared to what is configured with static routes or static routes are configured with higher administrative distance.</P> <P>&nbsp;</P> <P>Could you go to: Network &gt; Virtual Router &gt; [VR name] &gt; More Runtime Stats &gt; Routing &gt; Forwarding Table. Refer to destination column, then check subnet masks of routes from remote sites. If these routes have more specific subnet mask to what is configured in static routes, then BGP learned routes will take a precedence.</P> <P>Regarding administrative distance, could you go to:&nbsp;Network &gt; Virtual Router &gt; [VR name] &gt; Router Settings, then refer to Administrative Distances. If all prefixes have the same length, then a tie breaker will be the&nbsp;Administrative Distance (Lower value is preferred). In your case if BGP routes are in forwarding table, then static routes should have higher&nbsp;Administrative Distance value than BGP.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Sun, 12 May 2024 21:44:15 GMT https://live.paloaltonetworks.com/t5/general-topics/primary-mpls-bgp-and-secondary-internet-site-to-site-vpn/m-p/586430#M117033 PavelK 2024-05-12T21:44:15Z https://live.paloaltonetworks.com/t5/general-topics/primary-mpls-bgp-and-secondary-internet-site-to-site-vpn/m-p/586489#M117042 <P>Thank you, after checking I do see that the routes in the forwarding table are more specific than the static routes which are all /16's.&nbsp;</P> Mon, 13 May 2024 12:30:02 GMT https://live.paloaltonetworks.com/t5/general-topics/primary-mpls-bgp-and-secondary-internet-site-to-site-vpn/m-p/586489#M117042 C.Rowe724515 2024-05-13T12:30:02Z