Dual ISP with VPN

L3 Networker

I'm working on configuring a branch office firewall with two ISPs and a Site-to-Site VPN to our data center. The data center side has only 1 ISP connection.

I'm reviewing this article again, as I've used it in the past.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

It's been a while since I've done this setup, but something doesn't seem right. I get the two VR idea, since the traffic sourcing from the firewall does not use PBR. My issue is with the default route. 

Let's examine:

Interface configuration:

Configure two interfaces:

Eth 1/3: 10.185.140.138/24 (connection to ISP1) in the untrust zone

Eth 1/4: 10.80.40.38/24 (connection to ISP2) in the untrust zone

Virtual routers:

There are two virtual routers:

VR1: Primary (ISP1) (Ethernet1/3)

VR2: Secondary (ISP2) (Ethernet1/4)

On Primary VR1, they have a default route pointing to the gateway of ISP1 (0.0.0.0/0 via 10.185.140.1). Then, on Secondary VR2, they do not add a default route. I also saw a post in the comments that you need a static default route configured on both VR1 and VR2.

I believe both are incorrect, unless I'm missing something. If you add a static route pointing to Primary ISP1 on VR1, it will cause issues with failover, even if you also have a default route on VR2.

I'm thinking they meant to create the default route to the next hop for ISP2. If correct, wouldn't that be on VR2?

L2 Linker

Re: Dual ISP with VPN

Hi @MikeC,

We're running this setup on one of our sites.
Both VRs have default routes pointing to each individual ISP GW.

VR1 has my internal LAN segments and the ISP1 interface. VR2 has only the ISP2 interface. VR1 has a backup default route pointing to the next VR (VR2).
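The two-VR layout described in this reply, written out in PAN-OS set-command syntax as an added example (it is not from the thread or the linked article). Interface addresses and the ISP1 gateway come from the original post; the ISP2 gateway, the LAN interface and the LAN prefix are not stated in the thread and appear as placeholders, and the path-monitor syntax is from memory and should be checked against your PAN-OS release.

```text
# Added example: dual-ISP, two-VR design from the reply above.
# Values not in the thread are placeholders (<...>) or marked as assumed.

# VR1: internal LAN segments plus the ISP1 uplink (ethernet1/3).
# ethernet1/2 as the LAN interface is an assumption.
set network virtual-router VR1 interface [ ethernet1/2 ethernet1/3 ]

# Primary default route out ISP1 (gateway from the original post).
set network virtual-router VR1 routing-table ip static-route ISP1-default destination 0.0.0.0/0 interface ethernet1/3 nexthop ip-address 10.185.140.1 metric 10

# Backup default route: when ISP1-default is withdrawn, hand traffic to VR2.
# A higher metric keeps it inactive while the ISP1 route is healthy.
set network virtual-router VR1 routing-table ip static-route to-VR2 destination 0.0.0.0/0 nexthop next-vr VR2 metric 20

# Path monitoring is what actually withdraws ISP1-default on failure;
# without it, the static route to ISP1 stays installed and failover never happens.
set network virtual-router VR1 routing-table ip static-route ISP1-default path-monitor enable yes failure-condition any hold-time 2
set network virtual-router VR1 routing-table ip static-route ISP1-default path-monitor monitor-destinations ISP1-gw enable yes source 10.185.140.138/24 destination 10.185.140.1

# VR2: ISP2 uplink only, with its own default route to the ISP2 gateway.
set network virtual-router VR2 interface ethernet1/4
set network virtual-router VR2 routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/4 nexthop ip-address <ISP2-GW> metric 10

# Return path: replies entering on ISP2 need a route back to the LAN in VR1.
set network virtual-router VR2 routing-table ip static-route LAN-via-VR1 destination <LAN-PREFIX> nexthop next-vr VR1 metric 10
```

After committing, `show routing route virtual-router VR1` should list ISP1-default as the active 0.0.0.0/0 entry and to-VR2 as the backup; pulling the ISP1 link should flip the active flag to to-VR2 once the path monitor's hold time expires.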

L7 Applicator

Re: Dual ISP with VPN

Hello,

This can be accomplished with 1 VR and a PBF rule or dynamic routing (with weighted routes). Since both tunnels are up but you will only be using one at a time (assumption), a 1 VR solution works well.

Regards,

Community Manager

Re: Dual ISP with VPN

There's a picture of the routes on the secondary VR further down in the article that shows it does have a default route:

[Screenshot: 13842_Routes for VPNs.PNG]


Help the community: Like helpful comments and mark solutions
Reaper out