Dual ISP with VPN


L3 Networker

I'm working on configuring a branch office firewall with two ISPs and Site-to-Site VPN to our data center. The data center side has only 1 ISP connection.

I'm reviewing this article again, as I've used it in the past.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...


It's been a while since I've done this setup, but something doesn't seem right. I get the two VR idea, since the traffic sourcing from the firewall does not use PBR. My issue is with the default route. 


Let's examine


Interface configuration:

Configure two interfaces:

Eth 1/3: 10.185.140.138/24 (connection to ISP1) in the untrust zone

Eth 1/4: 10.80.40.38/24  (connection to ISP2) in the untrust zone


Virtual routers:

There are two virtual routers:

VR1: Primary (ISP1) (Ethernet1/3)

VR2: Secondary (ISP2) (Ethernet1/4)


On Primary VR1, they have a default route pointing to the gateway of ISP1: 0.0.0.0/0 via 10.185.140.1. Then, on Secondary VR2, they do not add a default route. I also saw a post in the comments that you need a static default route configured on both VR1 and VR2.

I believe both are incorrect, unless I'm missing something. If you add a static route pointing to Primary ISP1 on VR1, it will cause issues with failover, even if you also have a default route on VR2.

I'm thinking they meant to create the default route to the next hop for ISP2. If correct, wouldn't that be on VR2?

3 REPLIES

L2 Linker

Hi @MikeC,

We're running this setup on one of our sites.
Both VRs have default routes pointing to each individual ISP GW.

VR1 has my internal LAN segments and ISP1 interface. VR2 has only ISP2 interface. VR1 has a backup default-route pointing to next VR (VR2)
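The design described in this reply (LAN and ISP1 in VR1, ISP2 alone in VR2, a backup default route in VR1 that hands off to VR2) written out as PAN-OS set commands. This is an added example, not configuration from the thread or the linked article: the VR names, the LAN interface ethernet1/2, the LAN subnet 192.168.10.0/24, the ISP2 gateway placeholder and the metrics are assumptions, and the path-monitor stanza is written from memory of the PAN-OS CLI and should be checked against the running version. The `#` lines are annotations that the PAN-OS CLI does not accept, so strip them before pasting.

```text
# --- VR1: LAN + ISP1 (primary path); the VPN tunnel interface also lives here ---
set network virtual-router VR1 interface [ ethernet1/2 ethernet1/3 ]

# Primary default route straight to the ISP1 gateway from the thread (metric 10)
set network virtual-router VR1 routing-table ip static-route isp1-default destination 0.0.0.0/0 interface ethernet1/3 nexthop ip-address 10.185.140.1 metric 10

# Backup default route: higher metric, next hop is the other virtual router.
# It only takes over once the ISP1 route is withdrawn from the FIB.
set network virtual-router VR1 routing-table ip static-route via-vr2 destination 0.0.0.0/0 nexthop next-vr VR2 metric 20

# Withdraw the ISP1 route when its gateway stops answering pings; without this,
# a static default route only disappears if ethernet1/3 itself goes down,
# which is the failover problem raised in the original post.
# Assumed monitor target: the ISP1 gateway, sourced from the ethernet1/3 address.
set network virtual-router VR1 routing-table ip static-route isp1-default path-monitor enable yes
set network virtual-router VR1 routing-table ip static-route isp1-default path-monitor failure-condition any
set network virtual-router VR1 routing-table ip static-route isp1-default path-monitor hold-time 2
set network virtual-router VR1 routing-table ip static-route isp1-default path-monitor monitor-destinations isp1-gw enable yes
set network virtual-router VR1 routing-table ip static-route isp1-default path-monitor monitor-destinations isp1-gw source 10.185.140.138
set network virtual-router VR1 routing-table ip static-route isp1-default path-monitor monitor-destinations isp1-gw destination 10.185.140.1
set network virtual-router VR1 routing-table ip static-route isp1-default path-monitor monitor-destinations isp1-gw interval 3
set network virtual-router VR1 routing-table ip static-route isp1-default path-monitor monitor-destinations isp1-gw count 5

# --- VR2: ISP2 only ---
set network virtual-router VR2 interface ethernet1/4

# VR2 needs its own default route so traffic handed over from VR1 can leave via ISP2.
# <ISP2_GATEWAY> is a placeholder; the thread does not give the ISP2 gateway address.
set network virtual-router VR2 routing-table ip static-route isp2-default destination 0.0.0.0/0 interface ethernet1/4 nexthop ip-address <ISP2_GATEWAY> metric 10

# Return path: replies arriving on ISP2 must be routed back to the LAN that sits in VR1,
# otherwise VR2 has no route for 192.168.10.0/24 and drops them.
set network virtual-router VR2 routing-table ip static-route lan-via-vr1 destination 192.168.10.0/24 nexthop next-vr VR1 metric 10
```

After committing, `show routing route virtual-router VR1` should list both 0.0.0.0/0 entries, with only the metric-10 ISP1 route flagged active while the path monitor is up.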

Cyber Elite

Hello,

This can be accomplished with 1 VR and a PBF rule or dynamic routing (with weighted routes). Since both tunnels are up but you will only be using one at a time (assumption), a 1-VR solution works well.

Regards,

Cyber Elite

There's a picture of the routes on the secondary VR further down in the article that shows it does have a default route:

[Image: "Routes for VPNs" (13842_Routes for VPNs.PNG)]

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization