topic Re: site-to-site VPN redundancy with one ISP at the branch office and two ISPs at the home office? in General Topics

site-to-site VPN redundancy with one ISP at the branch office and two ISPs at the home office?

uvdes — Fri, 30 Dec 2016 16:10:30 GMT

Hi there!

We have had a site-to-site VPN setup between our home office and branch office for about six months. We have a pair of PA-500 at the branch, and a pair of PA-3020 at the home office. The home office has two ISPs setup in a dual-vr failover configuration, and the branch has just a single ISP. I tried to setup a second IPSec site-to-site VPN from the backup ISP at the home office so if the primary ISP at the home office fails we could keep the link up, but Phase I doesn't even try to come up on either side(no system error messages or anything). I pretty much followed these instructions, modifying for only having one ISP at the branch office.

My only current working theory of what is causing the second site-to-site not come up is I'm trying to terminate two tunnels on the same IP at the branch office, but that doesn't hold much water. Any quick hints, or should I go to TAC with this one?

Thanks!

Re: site-to-site VPN redundancy with one ISP at the branch office and two ISPs at the home office?

TranceforLife — Fri, 30 Dec 2016 16:39:20 GMT

Hi,

Did you try commands:

> test vpn ike-sa gateway <name>

> test vpn ipsec-sa tunnel <tunnel.name>

To see if that will trigger VPN to come up.

Re: site-to-site VPN redundancy with one ISP at the branch office and two ISPs at the home office?

uvdes — Fri, 30 Dec 2016 19:58:21 GMT

I hadn't, I just did, and up they popped!

I'm curious why those commands were needed to force it up?

Re: site-to-site VPN redundancy with one ISP at the branch office and two ISPs at the home office?

BPry — Fri, 30 Dec 2016 20:08:03 GMT

Are you sure it was actively trying to come up? If this is a redundancy thing and none of your traffic was actively trying to go that route then the PA wouldn't bring the tunnel up because no traffic was destined for that route. The tunnel needs traffic to activate, if you want it to come up without traffic the 'test' command is the best way to force it.

Re: site-to-site VPN redundancy with one ISP at the branch office and two ISPs at the home office?

TranceforLife — Fri, 30 Dec 2016 20:39:36 GMT

+1 to @BPry. Test vpn command actually forcing/simulating traffic through the tunnel. Not sure about P1 but l guess it is the same as for P2 (interesting traffic). What l meant is that P1 would not come up by itself, need some traffic to trigger it.

Re: site-to-site VPN redundancy with one ISP at the branch office and two ISPs at the home office?

uvdes — Fri, 30 Dec 2016 20:35:25 GMT

Thanks. That makes sense to me that it wouldn't try to come up if there wasn't traffic to cause it to come up (which there wasn't).