Redundant internet link config for 2 PAs at remote sites connected via L3

Reply
L1 Bithead

Redundant internet link config for 2 PAs at remote sites connected via L3

Hi, I have read a few articles regarding internet redundancy using a primary and backup ISP link on a single Palo but can someone please explain (if it's possible) how one might achieve redundancy using a primary ISP link on 1 Palo with failover to a backup ISP link on another Palo at a remote WAN site connected to the primary site via L3? 

 

Cheers,

 

Michelle

L7 Applicator

Re: Redundant internet link config for 2 PAs at remote sites connected via L3

Hello,

If I understand your question correctly, you want ISP A into the active (Primary PAN) and ISP B into the standby unit. Are you running Active/Passive or Active/Active?

 

If A/P on your HA, then this is possible with just the link and path monitoring. i.e. if the link or path for ISP A goesn down then the PAN triggers a failover to the standby unit.

 

I have A/P setup and do the same thing on my PAN's and use OSPF for them to learn routes.

 

Hope this helps.

L1 Bithead

Re: Redundant internet link config for 2 PAs at remote sites connected via L3

Thanks for such a quick response! We do have an active/passive HA on the Primary PAN but I was told that for HA to work they need to be connected via a L2 connection so for us I don't think it's possible to have HA between primary and backup PAN's as we have a L3 WAN only. Please correct me if this is wrong and I will follow up with the engineer that implemented the HA. So we currently have 2 physical PANs in A/P HA at Primary site and 1 virtual PAN at backup site. 

2018-12-04_090028.jpg

 

L7 Applicator

Re: Redundant internet link config for 2 PAs at remote sites connected via L3

Hello,

This is doable since the HA port configs allow for gateways, etc. I would caution this approach however since if the wan link goes down, both PAN's become active, etc. I would advise a secondary link between the two for redundancy. Even somthing simple as a VPN tunnel, that way if the wan link goes down, the VPN takes over for the second site, etc.

 

Regards,

L1 Bithead

Re: Redundant internet link config for 2 PAs at remote sites connected via L3

Hmmm ok perhaps this is why the engineer implemented the HA in the current layout then. Given we already have the backup PAN at the remote site then it is probably not necessary to screw with the HA config - unless of course this is required in order for me to set up the redundant ISP?

L7 Applicator

Re: Redundant internet link config for 2 PAs at remote sites connected via L3

Hello,

So it all depends. I have seen this before however the priary site had a HA pair but traffic to the internet was routed out its independant site. Using OSPF we assigned costs to the routes so that siteA traffic went our PAN A, etc.

 

It really depends on the companies level of comfort with downtime and other requirements.

 

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!