<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Dual/HA IPsec tunnels with 2 ISPs ? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/dual-ha-ipsec-tunnels-with-2-isps/m-p/44814#M32899</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I have 2 PaloAltos: one is running on a robust and redundant Corp internet ISP, the other at a remote location with 2 public ADSL (and miserable quality ofc!). My goal is to have a redundant IPsec link between the two PaloAltos:&lt;/P&gt;&lt;P&gt;&lt;IMG alt="tmp.png" class="jive-image-thumbnail jive-image" onclick="" src="https://live.paloaltonetworks.com/legacyfs/online/3017_tmp.png" width="450" /&gt;&lt;/P&gt;&lt;P&gt;How would you achieve this? I have several scenarios in mind:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;PA2 builds 2 tunnels (one from each ISP) all the time and routing is done with BGP (or any other routing protocol), so if a link fails, that routing protocol will time out and the route will vanish from each PA, so traffic will fail over to the remaining one.&lt;/LI&gt;&lt;LI&gt;PA2 builds 1 tunnel at a time: a PBF will detect if ISP1 is dead and fail over traffic to ISP2. This solution may not work as my low-cost ISPs don't have the same public address, so it would mean that PA2 needs to reset the old tunnel before creating a new one (does it even support this automatically?). What would be the timeframe of such a failover also?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Thank you in advance for your suggestions, feedback and questions!&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 29 May 2012 13:36:30 GMT</pubDate>
    <dc:creator>essnet</dc:creator>
    <dc:date>2012-05-29T13:36:30Z</dc:date>
    <item>
      <title>Dual/HA IPsec tunnels with 2 ISPs ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dual-ha-ipsec-tunnels-with-2-isps/m-p/44814#M32899</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I have 2 PaloAltos: one is running on a robust and redundant Corp internet ISP, the other at a remote location with 2 public ADSL (and miserable quality ofc!). My goal is to have a redundant IPsec link between the two PaloAltos:&lt;/P&gt;&lt;P&gt;&lt;IMG alt="tmp.png" class="jive-image-thumbnail jive-image" onclick="" src="https://live.paloaltonetworks.com/legacyfs/online/3017_tmp.png" width="450" /&gt;&lt;/P&gt;&lt;P&gt;How would you achieve this? I have several scenarios in mind:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;PA2 builds 2 tunnels (one from each ISP) all the time and routing is done with BGP (or any other routing protocol), so if a link fails, that routing protocol will time out and the route will vanish from each PA, so traffic will fail over to the remaining one.&lt;/LI&gt;&lt;LI&gt;PA2 builds 1 tunnel at a time: a PBF will detect if ISP1 is dead and fail over traffic to ISP2. This solution may not work as my low-cost ISPs don't have the same public address, so it would mean that PA2 needs to reset the old tunnel before creating a new one (does it even support this automatically?). What would be the timeframe of such a failover also?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Thank you in advance for your suggestions, feedback and questions!&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 29 May 2012 13:36:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dual-ha-ipsec-tunnels-with-2-isps/m-p/44814#M32899</guid>
      <dc:creator>essnet</dc:creator>
      <dc:date>2012-05-29T13:36:30Z</dc:date>
    </item>
    <item>
      <title>Re: Dual/HA IPsec tunnels with 2 ISPs ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dual-ha-ipsec-tunnels-with-2-isps/m-p/44815#M32900</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi... I believe both scenarios will work. The 1st scenario is using dynamic routing and one path will be selected over the other. This requires only dynamic routing to be enabled.&lt;/P&gt;&lt;P&gt;The 2nd method requires some static routing and PBF. You can configure PBF to disable the forwarding rule should the next hop be down, and traffic will take the 2nd path. The failover time is configurable when you set the monitoring of the next-hop, so you can adjust this to fit your environment.&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 30 May 2012 19:12:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dual-ha-ipsec-tunnels-with-2-isps/m-p/44815#M32900</guid>
      <dc:creator>rmonvon</dc:creator>
      <dc:date>2012-05-30T19:12:04Z</dc:date>
    </item>
  </channel>
</rss>

