https://live.paloaltonetworks.com/t5/general-topics/pbr-on-5-0-with-redundant-internet-connections-questions/m-p/10434#M7692 <HTML><HEAD></HEAD><BODY><P>Hello All,</P><P></P><P>New to Palo Alto.&nbsp; I think PBR is working right.&nbsp; But functionality is not what I wanted to happen.</P><P></P><P>I have Cisco DMVPN from all my remote sites to my corporate site.&nbsp; This tunnel is created inside of the firewall.</P><P></P><P>my desired affect is to have 2 ISPs.&nbsp; When the primary fails it dynamically fails over to the secondary internet.&nbsp; Then when the primary comes recovers from the outage dynamically fail back to the primary ISP.&nbsp; So VPN and web browsing would not be impacted.</P><P></P><P>Currently I have PBR set up so the default route is to the secondary ISP.&nbsp; I have a PBR pointing at the primary watching an IP on the internet.&nbsp; The NAT is set up accordingly.</P><P></P><P>What I am seeing.</P><P></P><P>When the Primary ISP fails.&nbsp; It dynamically switches to the secondary internet.&nbsp; What the 5 minutes for the DPDs.&nbsp; Then all services are up and functional on the secondary link.</P><P></P><P>When the Primary ISP recovers they new sessions ride the primary ISP path.&nbsp; Because the VPN is up it does not build a new session on the primary path.&nbsp; I have to manually delete the session that the VPN tunnel has on the secondary interface.&nbsp; Then the tunnel is on the primary interface.</P><P></P><P>Not what I want to happen.</P><P></P><P>Any feedback.</P></BODY></HTML> Wed, 06 Feb 2013 17:21:02 GMT JColby 2013-02-06T17:21:02Z https://live.paloaltonetworks.com/t5/general-topics/pbr-on-5-0-with-redundant-internet-connections-questions/m-p/10434#M7692 <HTML><HEAD></HEAD><BODY><P>Hello All,</P><P></P><P>New to Palo Alto.&nbsp; I think PBR is working right.&nbsp; But functionality is not what I wanted to happen.</P><P></P><P>I have Cisco DMVPN from all my remote sites to my corporate site.&nbsp; This tunnel is created inside of the firewall.</P><P></P><P>my desired affect is to have 2 ISPs.&nbsp; When the primary fails it dynamically fails over to the secondary internet.&nbsp; Then when the primary comes recovers from the outage dynamically fail back to the primary ISP.&nbsp; So VPN and web browsing would not be impacted.</P><P></P><P>Currently I have PBR set up so the default route is to the secondary ISP.&nbsp; I have a PBR pointing at the primary watching an IP on the internet.&nbsp; The NAT is set up accordingly.</P><P></P><P>What I am seeing.</P><P></P><P>When the Primary ISP fails.&nbsp; It dynamically switches to the secondary internet.&nbsp; What the 5 minutes for the DPDs.&nbsp; Then all services are up and functional on the secondary link.</P><P></P><P>When the Primary ISP recovers they new sessions ride the primary ISP path.&nbsp; Because the VPN is up it does not build a new session on the primary path.&nbsp; I have to manually delete the session that the VPN tunnel has on the secondary interface.&nbsp; Then the tunnel is on the primary interface.</P><P></P><P>Not what I want to happen.</P><P></P><P>Any feedback.</P></BODY></HTML> Wed, 06 Feb 2013 17:21:02 GMT https://live.paloaltonetworks.com/t5/general-topics/pbr-on-5-0-with-redundant-internet-connections-questions/m-p/10434#M7692 JColby 2013-02-06T17:21:02Z https://live.paloaltonetworks.com/t5/general-topics/pbr-on-5-0-with-redundant-internet-connections-questions/m-p/10435#M7693 <HTML><HEAD></HEAD><BODY><P>JColby:</P><P></P><P>Take a look at this document:</P><P></P><P><A __default_attr="3376" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P><P></P><P>It will take a little time to wrap your head around, but it works quite well.&nbsp; I set something like this up in the lab not too long ago and it worked like a charm.&nbsp; Essentially, you'll have 2 VPN tunnels leaving your dual-ISP site, one through each ISP.&nbsp; This involves configuring a 2nd virtual router, and then policy-forwarding one of the VPN tunnels through the 2nd ISP.&nbsp; At that point, you should be able to configure a pair of overlapping/redundant routes that point at the VPN tunnels as their next-hop.&nbsp; Using routing metrics you can influence which tunnels are preferred. </P><P></P><P>Hope that helps.&nbsp; </P></BODY></HTML> Tue, 26 Feb 2013 21:31:19 GMT https://live.paloaltonetworks.com/t5/general-topics/pbr-on-5-0-with-redundant-internet-connections-questions/m-p/10435#M7693 jvalentine 2013-02-26T21:31:19Z