topic Re: VPN failover with Dual ISP with single VR & single Firewall in General Topics

VPN failover with Dual ISP with single VR & single Firewall

RamBalaji — Thu, 15 Feb 2018 12:35:31 GMT

Hi,

Below link explains about vpn failover with dual isp and dual vr, but cant I use same VR.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774

Why its mandtory to use two VR.

with regards,

Ram

Re: VPN failover with Dual ISP with single VR & single Firewall

reaper — Thu, 15 Feb 2018 12:52:14 GMT

Hi @RamBalaji

dual VR is optimal so you have 2 default routes so each IPSEC connection has a unique route out (else yuou can only have 1 default gateway and both tunnels would go out of the same interface)

Re: VPN failover with Dual ISP with single VR & single Firewall

RamBalaji — Thu, 15 Feb 2018 13:25:34 GMT

Can you please explain in detail i couldn't understand..

with regards,

Ram

Re: VPN failover with Dual ISP with single VR & single Firewall

reaper — Thu, 15 Feb 2018 13:48:09 GMT

for you to be able to make an outbound ipsec connection ,you need to initiate a connection from you rsystem out to the internet

for your packets to reach their final destination ,a route lookup needs to occur an d a routing decission to which interface your packets should egrtess out of

If you only have 1 VR, only 1 default route can be active so both your tunnels will egress out of the same interface

If you are able to add host routes you could try to point each tunnel's destination IP out of a different interface, this could allow for a single VR setup.

If you are not able to add a host route (if your ISP assigns you a dynamic IP for example) you will need to rely on the default route. In this case, you will need an additional VR so each ISP can have it's own default route and each tunnel will only be active on the VR with the preferred ISP's default route

Re: VPN failover with Dual ISP with single VR & single Firewall

theonewhoknocks — Thu, 15 Feb 2018 14:55:55 GMT

What if I did it this way?
1 VR, First peer public IP reached via default route via ISP1. Second peer public IP reached via /32 static route pointing to ISP2.

Re: VPN failover with Dual ISP with single VR & single Firewall

reaper — Thu, 15 Feb 2018 15:08:27 GMT

That should work

Re: VPN failover with Dual ISP with single VR & single Firewall

OtakarKlier — Thu, 15 Feb 2018 15:09:48 GMT

Hello,

Yes this can work. I have set it up multiple times over the years. Then I either use a Policy Based Forwarding rule or OSPF weights to determine which path I want to use as primary and secondary, etc.

Regards,

Re: VPN failover with Dual ISP with single VR & single Firewall

m7usman — Wed, 30 Sep 2020 21:33:52 GMT

How about if i did it this way,

1 VR, First peer public IP reached via default route via isp1, Same Peer Public IP reached via PBF Pointing to ISP2 ( Condition of Source Address for Tunnel and Destination of same Peer IP )

Re: VPN failover with Dual ISP with single VR & single Firewall

jmcrae — Fri, 12 Nov 2021 02:25:50 GMT

to confirm this is not possible with single VR going to same public IP?

I have VPN 1 - going through unique public IP to branch public IP

I have VPN 2 - going through unique public IP to same branch public IP

This is the same VR. To confirm this is not possible? I tried to move to dual VR but i caused a ton of routing issues and I had to revert. Will try dual VR set up again if its the only way possible.