topic Re: DUAL ISP Failover Single VR in General Topics

DUAL ISP Failover Single VR

mali77 — Mon, 13 Mar 2017 17:50:59 GMT

I have a situation below and I need to be able to configure failover, seeking some guidance.

Basically I have

SG3 (two ISP's in the same VR)

ISP1 (eth1/7)

--------------> WAN-VR2

ISP2 (eth1/8)

Then I have a whole bunch of other sub interfaces on the LAN side:

TRUST-VR - VSYS3

trust1 eth1/24.1

trust2 eth1/24.2

trust3 eth1/24.3

I found this link:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-ISP-Redundancy-and-Load-Balancing/ta-p/58361

So in my situation I have a default route going out the Primary ISP right now. I'm guessing here is what I will need to do:

1- Create a PBF to send all traffic out the Primary ISP

2- Delete the default route going out the Primary ISP and replace it with the Second ISP's default route

3- Pretty much do the same for all the tunnels?

thank you

Re: DUAL ISP Failover Single VR

ansharma — Thu, 16 Mar 2017 00:13:05 GMT

Hi mali77,

Thanks for posting in the community forums!

You are almost right.

Yes, you will replace the default route with Secondary ISP's next hop.

Yes, you will create a PBF to forward the traffic to the primary ISP.

Couple of things you can add to the PBF:

1) Monitor profile with the action of 'Fail-Over' - so it fails to the VR in case the monitor IP is unreachable. Choose something simple as 8.8.8.8 as the IP address in Monitor.

2) Check the box for 'Disable this rule if next hop/IP address is unreachable'. This will prevent the firewall from keep checking the PBF for every packet (save those precious CPU cycles!).

And, all of this might not work if you don't have outbound NAT configured correctly!

Make sure to add 2 Outbout NAT rules, one for ISP1 and another for ISP2. You MUST use the destination interface as a condition too, else it will just stop at the first match.

Hope this helps 🙂

Regards,

Anurag

Re: DUAL ISP Failover Single VR

RMANJHelpdesk — Thu, 13 Jul 2017 11:46:56 GMT

Did you ever get this to work with a single VR? I could get the ISP failover to work, but never the VPN tunnels.

Thanks!

Re: DUAL ISP Failover Single VR

reaper — Thu, 13 Jul 2017 12:41:15 GMT

VPN tunnels cannot be controled by PBF policy as system-sourced services bypass pbf and use only the routing table

you could try adding single host static routes with a lower metric than the default gateway or ECMP in PAN-OS 8.0

Re: DUAL ISP Failover Single VR

OtakarKlier — Thu, 13 Jul 2017 20:40:48 GMT

Hello.

I have implemented the following muiltiple times and works well.

Like you mentioned create a PBF that sends all traffic out the primary ISP and make sure you have a Monitor Enabled with the "Disable this rule...''. I usually use the Next Hop as something like the ISP's gateway router.

Have a static route that points all traffic out the secondary ISP.

Since PBF takes place prior to static routing, everything will go down the primary ISP via the PBF rule. If the IP in the Montior is unreachable, then the PBF is disabled and traffic will follow the static route you have defined to send down the secondary ISP.

Once the primary ISP is available again, the monitor will notice and reenable the PBF so then all traffic will flow down the primary ISP path.

Hope that makes sense.

Cheers!

Re: DUAL ISP Failover Single VR

pmc — Thu, 13 Jul 2017 20:46:00 GMT

All good but I wouldn't recommend using 8.8.8.8 as the monitor IP.

Use your ISP's gateway or at least something on their network rather than relying on Google's Anycast DNS.

Re: DUAL ISP Failover Single VR

OtakarKlier — Fri, 14 Jul 2017 17:14:40 GMT

For more details, I jsut happened to stumble across a more detailed how to.

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/80/pan-os/pan-os/section_16.pdf

Starts on Page 1030 under Policy-Based Forwarding.