Suggestion on how to made dual IPSec VPN UP with Dual ISP failover by configuring Dual VR


Suggestion on how to made dual IPSec VPN UP with Dual ISP failover by configuring Dual VR

L3 Networker

Hi Team,

 

I am just wondering how to get both IPSec VPN tunnels UP at the same time with redundant ISP links after mapping each ISP to a different VR.

 

[Attachment: IPSec.PNG]

 

We have configured dual VRs. The Primary ISP port is mapped to the Primary VR and the Secondary ISP port is mapped to the Secondary VR.

 

Due to the above scenario, Phase 1 for the Secondary IPSec Tunnel is not coming UP because we have given default route forwarding to the Primary ISP in the Primary VR.

 

So all the traffic is getting established via the Primary ISP. I then tried creating a PBF policy for traffic sourced from the Trusted interface to the tunnel networks to forward it on the Secondary IPSec Tunnel Interface. However, Phase 1 of the Secondary Tunnel is still not coming UP.

 

Is there any option to get this requirement accomplished? I am eagerly waiting for your inputs on the same. Thanks in advance!!

 

Best Regards,

Sahul Hameed

3 REPLIES

Cyber Elite

Hello,

While you don't need the dual VRs, to get the tunnel up that doesn't have traffic flowing over it, use the CLI test command.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

 

Hope that helps.

Well, based on the picture you uploaded, you seem to be familiar with the proper document that discusses Dual VPN with failover.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK

I have set this up twice with customers and used the above document as my bible.

 

Steve


L4 Transporter

@Sethupathi 

While IP addresses on the tunnel interfaces aren't a requirement, in your case they would be recommended. Then you can enable tunnel monitoring as covered in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK shared by SteveCantwell. This, along with Dead Peer Detection, is a good way to keep the tunnel up and operational.

 

Another method is to use an IP address on the far-end VPN device in a /32 or /30 etc. that can be in a route specific to that tunnel. Either use a dynamic routing protocol for the constant neighbor traffic, or a static route and a monitoring device that sends ICMP to the far end of that VPN tunnel, keeping "interesting" traffic going over the tunnel.
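Putting the two replies together for a dual-VR layout, here is an added PAN-OS configuration sketch (constructed for this thread, not taken from the posts or the linked KB articles): each VR gets its own default route so the IKE gateway bound to the Secondary ISP interface can reach its peer, the tunnel interfaces get addresses so tunnel monitoring can probe the far end, and the backup route to the remote LAN hands off to the Secondary VR with `next-vr`. VR names, interface names, gateway/tunnel names, profile name and every address are assumed; lines starting with `#` are annotations, not CLI input.

```panos
# Primary VR owns the Primary ISP port, the trust port and tunnel.1
set network virtual-router VR-Primary interface [ ethernet1/1 ethernet1/3 tunnel.1 ]
set network virtual-router VR-Primary routing-table ip static-route default-isp1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1

# Secondary VR owns the Secondary ISP port and tunnel.2, with its OWN default route
# (without this, Phase 1 for the second gateway has no path to its peer)
set network virtual-router VR-Secondary interface [ ethernet1/2 tunnel.2 ]
set network virtual-router VR-Secondary routing-table ip static-route default-isp2 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1

# Each IKE gateway is bound to the ISP interface that lives in its VR
set network ike gateway gw-isp1 local-address interface ethernet1/1
set network ike gateway gw-isp2 local-address interface ethernet1/2

# Addressed tunnel interfaces (/30 per tunnel) so tunnel monitoring has a target
set network interface tunnel units tunnel.1 ip 10.255.0.1/30
set network interface tunnel units tunnel.2 ip 10.255.0.5/30

# Monitor profile: probe every 3 s, pull the tunnel's routes after 5 misses
set network profiles monitor-profile vpn-mon action fail-over interval 3 threshold 5
set network tunnel ipsec vpn-isp1 tunnel-monitor enable yes destination-ip 10.255.0.2 tunnel-monitor-profile vpn-mon
set network tunnel ipsec vpn-isp2 tunnel-monitor enable yes destination-ip 10.255.0.6 tunnel-monitor-profile vpn-mon

# Remote LAN: preferred via tunnel.1; backup hands the packet to VR-Secondary,
# which forwards it over tunnel.2 (an interface may only be used by its own VR)
set network virtual-router VR-Primary routing-table ip static-route remote-lan-t1 destination 192.168.50.0/24 interface tunnel.1 metric 10
set network virtual-router VR-Primary routing-table ip static-route remote-lan-backup destination 192.168.50.0/24 nexthop next-vr VR-Secondary metric 20
set network virtual-router VR-Secondary routing-table ip static-route remote-lan-t2 destination 192.168.50.0/24 interface tunnel.2 metric 10
# Return path for the trust network (assumed 192.168.10.0/24) from VR-Secondary
set network virtual-router VR-Secondary routing-table ip static-route trust-return destination 192.168.10.0/24 nexthop next-vr VR-Primary

# Bring up and verify the idle tunnel without waiting for interesting traffic
test vpn ike-sa gateway gw-isp2
test vpn ipsec-sa tunnel vpn-isp2
show vpn ike-sa gateway gw-isp2
show vpn flow name vpn-isp2
```

With the monitor profile set to fail-over, a failed probe on tunnel.1 removes its route from VR-Primary and the metric-20 `next-vr` route takes over; a security policy still has to permit the trust-to-VPN traffic on both tunnel zones.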
