IP Sec VPN Failover Paloalto FW – Cisco IOS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IP Sec VPN Failover Paloalto FW – Cisco IOS

L1 Bithead

Hello!

 

How to configure a backup VPN?

The main VPN configured and worked, path monitoring worked Screenshot_9.jpg

4 REPLIES 4

Cyber Elite
Cyber Elite
a 'clean' (but not the only) solution is to put the second ISP on a separate VirtualRouter and configure the second tunnel on that VR. Then use PBF to direct traffic inside the tunnel https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L4 Transporter

@Tarczynski-SA , you can create a secondary tunnel and add route of remote LAN with higher metric through that tunnel. you need to have tunnel monitoring enabled in primary to remove the primary static route from the routing table, so once the primary tunnel is down, the route willl be trough secondary tunnel, and the tunnel will come up.

I configured the second tunnel and add on VR new route with metric 20, it looks like:

main route 10.28.28.0/24 tunnel5 metric 5

backup route 10.28.28.0/24 tunnel6 metric 20

 

How to Configure Tunnel monitor?

Tunnel monitor to configure on main tunnel?

What insert to Destination IP?

Example: 

Ip address interface Tunnel 5 172.16.30.1 

Ip address interface Tunnel 6 172.16.30.2

and Tunnel monitor 172.16.30.1?

Or it is wrong? 

 

 

@Tarczynski-SA , You need to configure tunnel monitor on main tunnel. Destination IP can be any pingable IP reachable through tunnel(IP at cisco side). Please note that the source of this monitor ping will be tunnel IP, make sure this communication is added in proxy ID ( 172.16.30.1 to destination). Monitor profile should be 'fail-over'.

 

Follow this document for tunnel monitor configuration,

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunnel...

  • 3634 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!