IP Sec VPN Failover Paloalto FW – Cisco IOS

L1 Bithead

IP Sec VPN Failover Paloalto FW – Cisco IOS

Hello!


How to configure a backup VPN?

The main VPN is configured and working, and path monitoring is working.

Community Manager

Re: IP Sec VPN Failover Paloalto FW – Cisco IOS

A 'clean' (but not the only) solution is to put the second ISP on a separate virtual router and configure the second tunnel on that VR. Then use PBF to direct traffic into the tunnel: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK

L3 Networker

Re: IP Sec VPN Failover Paloalto FW – Cisco IOS

@Tarczynski-SA, you can create a secondary tunnel and add a route to the remote LAN with a higher metric through that tunnel. You need to have tunnel monitoring enabled on the primary to remove the primary static route from the routing table, so once the primary tunnel is down, the route will be through the secondary tunnel, and that tunnel will come up.

L1 Bithead

Re: IP Sec VPN Failover Paloalto FW – Cisco IOS

I configured the second tunnel and added a new route on the VR with metric 20; it looks like:

main route 10.28.28.0/24 tunnel5 metric 5

backup route 10.28.28.0/24 tunnel6 metric 20


How do I configure the tunnel monitor?

Should the tunnel monitor be configured on the main tunnel?

What do I enter as the destination IP?

Example:

IP address of interface Tunnel 5: 172.16.30.1

IP address of interface Tunnel 6: 172.16.30.2

and tunnel monitor 172.16.30.1?

Or is that wrong?

L3 Networker

Re: IP Sec VPN Failover Paloalto FW – Cisco IOS

@Tarczynski-SA, you need to configure the tunnel monitor on the main tunnel. The destination IP can be any pingable IP reachable through the tunnel (an IP at the Cisco side). Please note that the source of this monitor ping will be the tunnel IP, so make sure this communication is included in the proxy ID (172.16.30.1 to the destination). The monitor profile should be 'fail-over'.

Follow this document for tunnel monitor configuration:

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunnel...
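The failover logic described in the two replies above (metric 5 primary route, metric 20 backup route, a 'fail-over' tunnel monitor that withdraws the primary route, and the proxy-ID requirement for the monitor ping), modelled as an added Python example that is not from the thread or from PAN-OS itself. The addresses 172.16.30.1/172.16.30.2 and 10.28.28.0/24 come from the posts; 172.16.30.254 as the Cisco-side monitor destination and 192.168.10.0/24 as the local LAN are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Values from the thread: remote LAN, two tunnel interface IPs, metrics 5 and 20.
REMOTE_LAN = "10.28.28.0/24"
PRIMARY = {"iface": "tunnel5", "metric": 5, "local_ip": "172.16.30.1"}
BACKUP = {"iface": "tunnel6", "metric": 20, "local_ip": "172.16.30.2"}
ROUTES = [dict(dest=REMOTE_LAN, **PRIMARY), dict(dest=REMOTE_LAN, **BACKUP)]
# Constructed placeholder for a pingable address on the Cisco side of the primary tunnel.
MONITOR_DST = "172.16.30.254"

def monitor_covered_by_proxy_id(src, dst, proxy_ids):
    """The monitor ping is sourced from the tunnel interface IP, so the
    (src, dst) pair must fall inside one of the tunnel's proxy IDs
    (local, remote); otherwise the ping never matches the IPsec SA."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(local) and d in ip_network(remote)
               for local, remote in proxy_ids)

def installed_routes(routes, monitor_ok):
    """'fail-over' monitor profile: the primary static route is withdrawn
    from the routing table while the monitor is failing."""
    return [r for r in routes if monitor_ok or r["iface"] != PRIMARY["iface"]]

def best_route(routes, dst):
    """Plain static-route selection: lowest metric among matching routes."""
    d = ip_address(dst)
    matching = [r for r in routes if d in ip_network(r["dest"])]
    return min(matching, key=lambda r: r["metric"])["iface"] if matching else None

def egress_for(dst, peer_answers, proxy_ids):
    """Egress interface for dst. The monitor only succeeds if the peer
    answers AND the proxy IDs allow the ping; a proxy-ID gap therefore
    withdraws the primary route even though the tunnel itself is healthy."""
    monitor_ok = peer_answers and monitor_covered_by_proxy_id(
        PRIMARY["local_ip"], MONITOR_DST, proxy_ids)
    return best_route(installed_routes(ROUTES, monitor_ok), dst)

if __name__ == "__main__":
    lan_only = [("192.168.10.0/24", REMOTE_LAN)]           # constructed local LAN only
    with_monitor = lan_only + [("172.16.30.1/32", MONITOR_DST + "/32")]
    print(egress_for("10.28.28.10", True, with_monitor))   # tunnel5: primary healthy
    print(egress_for("10.28.28.10", False, with_monitor))  # tunnel6: primary route withdrawn
    print(egress_for("10.28.28.10", True, lan_only))       # tunnel6: monitor ping not in proxy ID
```

The third case is the one to watch for in practice: the tunnel is up, but the monitor ping is dropped for lack of a matching proxy ID, so traffic quietly moves to the backup tunnel.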
