https://live.paloaltonetworks.com/t5/general-topics/dual-isp-with-vpn/m-p/231723#M66530 <P>there's a picture of the routes on the secondary-vr further down in the article that shows it does have a default route:</P> <P>&nbsp;</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="13842_Routes for VPNs.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16715iB0FEAA35C0C5FCF8/image-size/large?v=v2&amp;px=999" role="button" title="13842_Routes for VPNs.PNG" alt="13842_Routes for VPNs.PNG" /></span></P> Fri, 21 Sep 2018 11:16:44 GMT reaper 2018-09-21T11:16:44Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-with-vpn/m-p/231557#M66484 <P>I'm working on configuring a branch office firewall with two ISPs and Site-to-Site VPN to our data center.&nbsp; The data center side has only 1 ISP connection</P><P>&nbsp;</P><P>I'm reviewing this article again, as I've used it in the past.</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774</A></P><P>&nbsp;</P><P>It's been a while since I've done this setup, but something doesn't seem right. I get the two VR idea, since the traffic sourcing from the firewall does not use PBR. My issue is with the default route.&nbsp;</P><P>&nbsp;</P><P>Let's examine</P><P>&nbsp;</P><P>Interface configuration:</P><P>Configure two interfaces:</P><P>Eth 1/3: 10.185.140.138/24 (connection to ISP1) in the untrust zone</P><P>Eth 1/4: 10.80.40.38/24&nbsp; (connection to ISP2) in the untrust zone</P><P>&nbsp;</P><P>Virtual routers:</P><P>There are two virtual routers:</P><P>VR1: Primary (ISP1) (Ethernet1/3)</P><P>VR2: Secondary (ISP2) (Ethernet1/4)</P><P>&nbsp;</P><P>&nbsp;</P><P>On Primary VR1, they have a default route pointing to the gateway of ISP1&nbsp; 0.0.0.0/0 10.185.140.1.&nbsp; Then, on Secondary VR2, they do not add a default route.&nbsp; I also saw a post in the comments that you need a static default route configured on both VR1 and VR2</P><P>&nbsp;</P><P>I believe both are incorrect, unless I'm missing something. &nbsp;If you add a static route pointing to Primary ISP1 on VR1, it will cause issues with failover, even if you also have a default route on VR2.</P><P>&nbsp;</P><P>I'm thinking they meant to create the default route to the next hope for ISP2.&nbsp; If correct, wouldn't that be on VR2?</P><P>&nbsp;</P> Thu, 20 Sep 2018 01:04:00 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-with-vpn/m-p/231557#M66484 MikeC 2018-09-20T01:04:00Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-with-vpn/m-p/231598#M66501 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/46057">@MikeC</a>,<BR /><BR />We're running this setup on one of our sites.<BR />Both VR has default routes pointing to each individual ISP GW.</P><P>VR1 has my internal LAN segments and ISP1 interface. VR2 has only ISP2 interface. VR1 has a backup default-route pointing to next VR (VR2)</P><P>&nbsp;</P> Thu, 20 Sep 2018 10:11:00 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-with-vpn/m-p/231598#M66501 theonewhoknocks 2018-09-20T10:11:00Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-with-vpn/m-p/231627#M66510 <P>Hello,</P><P>This can be accomplished with 1 VR and a PBF rule or dynamic routing (with weighted routes). Since both tunnels are up but you will only be using one at a time (assumption).&nbsp; A 1 VR solution works well.</P><P>&nbsp;</P><P>Regards,</P> Thu, 20 Sep 2018 14:41:46 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-with-vpn/m-p/231627#M66510 OtakarKlier 2018-09-20T14:41:46Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-with-vpn/m-p/231723#M66530 <P>there's a picture of the routes on the secondary-vr further down in the article that shows it does have a default route:</P> <P>&nbsp;</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="13842_Routes for VPNs.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16715iB0FEAA35C0C5FCF8/image-size/large?v=v2&amp;px=999" role="button" title="13842_Routes for VPNs.PNG" alt="13842_Routes for VPNs.PNG" /></span></P> Fri, 21 Sep 2018 11:16:44 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-with-vpn/m-p/231723#M66530 reaper 2018-09-21T11:16:44Z