https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnels-active-passive-or-active-active/m-p/307632#M79898 <P>Hello Folks,</P><P>I'm planning on getting two new Palo Alto firewalls for setting up IPSec tunnels. I think the first tunnel will be a primary tunnel and the second tunnel will be back up. I'm tempted to set up my new firewalls as active/passive HA, to make life easy. But to be sure, please could someone suggest what are the advantages of using active/passive compared to active/active for dual IPSec tunnels?</P><P>&nbsp;</P><P>I'm going to be using BGP over the IPSec tunnels and BGP to the LAN, so if I go for the active/passive option, it just means i dont have to double up my BGP peers...&nbsp;</P><P>&nbsp;</P><P>Any links to the best practices for BGP and IPSec HA would be appreciated... thanks</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 23 Jan 2020 02:12:27 GMT Jedi_D 2020-01-23T02:12:27Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnels-active-passive-or-active-active/m-p/307632#M79898 <P>Hello Folks,</P><P>I'm planning on getting two new Palo Alto firewalls for setting up IPSec tunnels. I think the first tunnel will be a primary tunnel and the second tunnel will be back up. I'm tempted to set up my new firewalls as active/passive HA, to make life easy. But to be sure, please could someone suggest what are the advantages of using active/passive compared to active/active for dual IPSec tunnels?</P><P>&nbsp;</P><P>I'm going to be using BGP over the IPSec tunnels and BGP to the LAN, so if I go for the active/passive option, it just means i dont have to double up my BGP peers...&nbsp;</P><P>&nbsp;</P><P>Any links to the best practices for BGP and IPSec HA would be appreciated... thanks</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 23 Jan 2020 02:12:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnels-active-passive-or-active-active/m-p/307632#M79898 Jedi_D 2020-01-23T02:12:27Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnels-active-passive-or-active-active/m-p/307759#M79916 <P>Hello,</P><P>I would say it doesnt matter with regards to a VPN tunnel. I think you have to choose if you actually require an A/A HA scenario. If you can get away with a A/P HA, I would say do that.</P><P>&nbsp;</P><P>Regards,</P> Thu, 23 Jan 2020 22:04:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnels-active-passive-or-active-active/m-p/307759#M79916 OtakarKlier 2020-01-23T22:04:40Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnels-active-passive-or-active-active/m-p/307772#M79917 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/52883">@Jedi_D</a>,</P><P>Agreed with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>;&nbsp;in your situation it doesn't matter if you deploy A/P or A/A as far as the VPN tunnels go, makes no change to how you are going to do things really. There aren't a lot of use cases where I would really recommend an Active/Active Palo Alto deployment to be honest, there are far too many issues that are present in A/A deployments.</P> Fri, 24 Jan 2020 03:17:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnels-active-passive-or-active-active/m-p/307772#M79917 BPry 2020-01-24T03:17:44Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnels-active-passive-or-active-active/m-p/307789#M79918 <P>Thank you people,&nbsp;</P><P>I think I will stick to A/P</P><P>I'm going to do BGP as well, and even that can work fine with A/P instead of having 2 separate BGP peers with A/A and BGP metrics.&nbsp;</P><P>i'm just wondering why people would have chose A/A then have issues with apps later on...</P> Fri, 24 Jan 2020 09:18:21 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnels-active-passive-or-active-active/m-p/307789#M79918 Jedi_D 2020-01-24T09:18:21Z