topic ISP Failover and Global Protect (Routing Issues) in General Topics https://live.paloaltonetworks.com/t5/general-topics/isp-failover-and-global-protect-routing-issues/m-p/27399#M19973 <HTML><HEAD></HEAD><BODY><P><STRONG>Hello All,</STRONG></P><P></P><P>I have a pretty simple setup here - single PA-2020 with dual ISP's (One Virtual Router).&nbsp; We're also using Global Protect (SSL VPN only) currently.&nbsp; I seem to have an issue that I cannot sort out.</P><P></P><P>ISP failover works great through the use of PBF.&nbsp; All inbound services (policies and NAT continue to function) just fine...but here's the kicker.</P><P></P><P>Through the use of PBF routing all Internet bound traffic out my primary ISP, I should NOT (in theory) need a static route in my VR for this as PBF is checked first.&nbsp; BUT - when this static route is removed, my Global Protect users can no longer connect to the firewall.&nbsp; Adding this static route back with a LOWER metric than the route for my secondary ISP fixes the issue.&nbsp; Obviously you can see where this can cause an issue when failed over to my secondary ISP (Primary ISP's default route has a lower metric and will attempt to be used first even though the route is disconnected).</P><P></P><P>All I'm trying to do is setup something similar to a very basic IP SLA from the Cisco world.&nbsp; I find it odd that the PA device can't seem to handle this alongside VPN connectivity in the very same way a Cisco PIX or ASA can.</P><P></P><P>I would like to avoid using multiple virtual routers if possible - any help would be appreciated!&nbsp; </P></BODY></HTML> Mon, 09 Jul 2012 17:53:51 GMT computersupport 2012-07-09T17:53:51Z ISP Failover and Global Protect (Routing Issues) https://live.paloaltonetworks.com/t5/general-topics/isp-failover-and-global-protect-routing-issues/m-p/27399#M19973 <HTML><HEAD></HEAD><BODY><P><STRONG>Hello All,</STRONG></P><P></P><P>I have a pretty simple setup here - single PA-2020 with dual ISP's (One Virtual Router).&nbsp; We're also using Global Protect (SSL VPN only) currently.&nbsp; I seem to have an issue that I cannot sort out.</P><P></P><P>ISP failover works great through the use of PBF.&nbsp; All inbound services (policies and NAT continue to function) just fine...but here's the kicker.</P><P></P><P>Through the use of PBF routing all Internet bound traffic out my primary ISP, I should NOT (in theory) need a static route in my VR for this as PBF is checked first.&nbsp; BUT - when this static route is removed, my Global Protect users can no longer connect to the firewall.&nbsp; Adding this static route back with a LOWER metric than the route for my secondary ISP fixes the issue.&nbsp; Obviously you can see where this can cause an issue when failed over to my secondary ISP (Primary ISP's default route has a lower metric and will attempt to be used first even though the route is disconnected).</P><P></P><P>All I'm trying to do is setup something similar to a very basic IP SLA from the Cisco world.&nbsp; I find it odd that the PA device can't seem to handle this alongside VPN connectivity in the very same way a Cisco PIX or ASA can.</P><P></P><P>I would like to avoid using multiple virtual routers if possible - any help would be appreciated!&nbsp; </P></BODY></HTML> Mon, 09 Jul 2012 17:53:51 GMT https://live.paloaltonetworks.com/t5/general-topics/isp-failover-and-global-protect-routing-issues/m-p/27399#M19973 computersupport 2012-07-09T17:53:51Z Re: ISP Failover and Global Protect (Routing Issues) https://live.paloaltonetworks.com/t5/general-topics/isp-failover-and-global-protect-routing-issues/m-p/27400#M19974 <HTML><HEAD></HEAD><BODY><P>Check out this discussion thread: <A __default_attr="5239" __jive_macro_name="thread" class="jive_macro jive_macro_thread" href="https://live.paloaltonetworks.com/"></A></P></BODY></HTML> Fri, 17 Aug 2012 16:13:18 GMT https://live.paloaltonetworks.com/t5/general-topics/isp-failover-and-global-protect-routing-issues/m-p/27400#M19974 panagent 2012-08-17T16:13:18Z