topic Re: Redundancy VPN between two sites with two ISP in General Topics

Redundancy VPN between two sites with two ISP

Radmin_85 — Tue, 22 May 2018 09:44:35 GMT

HELLO ALL

We have two PA devices.(850 and 500).They are located in different sites.Both firewalls have two connections to Internet via 2 different ISPs

We want to make Site to Site VPN between these sites.But make it redundant.Two VPN connections between sites through different ISPs

I can not find any manual how one can configure this schema

Please post some guide if you know

Thanks

Re: Redundancy VPN between two sites with two ISP

theonewhoknocks — Wed, 23 May 2018 06:53:13 GMT

Hi @Radmin_85

Here's a guide we used on our site-to-site VPN with two ISP. I just followed the guide step by step. Hope this helps you!

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774

Re: Redundancy VPN between two sites with two ISP

YifengLiu — Tue, 06 Jul 2021 22:57:27 GMT

Hi @theonewhoknocks
I think @Radmin_85 needs an instruction for dual ISP at "both" site, just like below topology.

I am looking for the same solution. We are using hub-spoke site-to-site VPN topology and both hub (HQ) and spoke (branch) have dual ISPs. The URL you shared seems could not be applied to dual ISP at both sites situation. Is there any other advice you could share?

Re: Redundancy VPN between two sites with two ISP

OtakarKlier — Wed, 07 Jul 2021 16:33:36 GMT

Hello,

Here is something I have done in the past and works well. This will utilize one tunnel until there is a failure then fail over.

Using @YifengLiu diagram above:
- setup the external ethernet interfaces for their respective ISP's
- Make sure your policies allow the traffic
- build first tunnel BLR-PAN eth 1/1 to AZ-PAN eth 1/1. Setup an IP address for each tunnel interface (makes troubleshooting easier)
  - Verify traffic can flow
- Setup OSPF between the two PAN's
  - Verify adjacency
  - verify route propagation
- Build the rest of the 3 VPN Tunnels:
  - BLR-PAN eth 1/2 to AZ-PAN eth 1/1
  - BLR-PAN eth 1/1 to AZ-PAN eth1/2
  - BLR-PAN eth 1/2 to AZ-PAN eth 1/2

Then use OSPF to regulate the priority of the tunnels if you are getting asymetric traffic issues.

i.e.
- BLR-PAN eth1/1 to AZ-PAN eth 1/1 normal Metric
- BLR-PAN eth 1/1 to AZ-PAN eth 1/2 metric 5000
- BLR-PAN eth 1/2 to AZ-PAN eth 1/2 metric 10000
- BLR-PAN eth 1/2 to AZ-PAN eth 1/1 metric 15000

This is highly simplified but should work if one of the ISP's goes down, OSPF will reroute automatically. You can use Policy Based Forwarding for the static routes between the VPN IP's and they can disable as required.

Hope that makes sense.

Regards,

Re: Redundancy VPN between two sites with two ISP

YifengLiu — Wed, 07 Jul 2021 20:52:11 GMT

Thank you, @OtakarKlier . I will need some time to verify your suggestion because currently I am using 2VRs with PBF by following this article, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK. Due to it's production devices, I will not be able to test it in a short time, but your advice seems work. I just need find a time to figure out the detail configuration.

Re: Redundancy VPN between two sites with two ISP

OtakarKlier — Wed, 07 Jul 2021 21:23:45 GMT

Hello,

Yeah I was never a huge fan of the 2 VR solution. The method I described only requires 1 VR.

Cheers!