topic Question about redundent paths with IPSEC Tunnels. in General Topics https://live.paloaltonetworks.com/t5/general-topics/question-about-redundent-paths-with-ipsec-tunnels/m-p/189131#M57297 <P>I have a HA-pair of 3050s in my corp office with an single existing IPSEC tunnel to a remote office on a 200.</P><P>&nbsp;</P><P>The remote office has very poor reliability on it's existing connection and the local ISP has provided them with a backup satcom link they can use when the prime connection goes down.</P><P>&nbsp;</P><P>the HA-pair sits behind a Single IP that's managed via BGP on a HA-pair of routers with redundent internet links. The main IP will float between the routers using HSRP.</P><P>&nbsp;</P><P>If it was only a matter of flipping a route on the remote 200, it wouldn't be an issue, but how do I get the tunnel to migrate from one local IP to another?</P><P>&nbsp;</P><P>Thanks.</P> Wed, 29 Nov 2017 16:02:47 GMT cengasser 2017-11-29T16:02:47Z Question about redundent paths with IPSEC Tunnels. https://live.paloaltonetworks.com/t5/general-topics/question-about-redundent-paths-with-ipsec-tunnels/m-p/189131#M57297 <P>I have a HA-pair of 3050s in my corp office with an single existing IPSEC tunnel to a remote office on a 200.</P><P>&nbsp;</P><P>The remote office has very poor reliability on it's existing connection and the local ISP has provided them with a backup satcom link they can use when the prime connection goes down.</P><P>&nbsp;</P><P>the HA-pair sits behind a Single IP that's managed via BGP on a HA-pair of routers with redundent internet links. The main IP will float between the routers using HSRP.</P><P>&nbsp;</P><P>If it was only a matter of flipping a route on the remote 200, it wouldn't be an issue, but how do I get the tunnel to migrate from one local IP to another?</P><P>&nbsp;</P><P>Thanks.</P> Wed, 29 Nov 2017 16:02:47 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-redundent-paths-with-ipsec-tunnels/m-p/189131#M57297 cengasser 2017-11-29T16:02:47Z Re: Question about redundent paths with IPSEC Tunnels. https://live.paloaltonetworks.com/t5/general-topics/question-about-redundent-paths-with-ipsec-tunnels/m-p/189611#M57384 <P>For this type of setup, I would remove the static route on the VPN tunnel.&nbsp; And setup OSPF on the tunnel interfaces between the remote site and the cluster.</P><P>&nbsp;</P><P>You can then have two VPN active at all times and use OSPF cost on the back link to make sure it is less preferred.</P><P>&nbsp;</P><P>If you are not running OSPF currently on the HA PA, you can import these remote side routes into your BGP setup.</P><P>&nbsp;</P><P>On the remote side set the LAN interfaces there to passive OSPF so that their subnets get advertised up both tunnel neighbors.&nbsp;</P><P>&nbsp;</P> Sun, 03 Dec 2017 13:11:09 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-redundent-paths-with-ipsec-tunnels/m-p/189611#M57384 pulukas 2017-12-03T13:11:09Z