Suggestion on how to made dual IPSec VPN UP with Dual ISP failover by configuring Dual VR

L3 Networker

Hi Team,


I am just wondering how to make dual IPSec VPN tunnels UP at the same time with redundant ISP links after mapping each ISP to a different VR.


[Attached image: IPSec.PNG]


We have configured dual VRs. In that setup, the primary ISP port is mapped to the primary VR and the secondary ISP port is mapped to the secondary VR.


Due to the above scenario, bringing Phase 1 UP for the secondary IPSec tunnel is not happening, because we have given default route forwarding to the primary ISP in the primary VR.


So all the traffic is getting established via the primary ISP. I have then tried creating a PBF policy for traffic sourced from the Trusted interface to the tunnel networks, forwarding it to the secondary IPSec tunnel interface. However, Phase 1 of the secondary tunnel is still not coming UP.


Is there any option to have this requirement accomplished? I am eagerly waiting for your inputs on the same. Thanks in advance!!


Best Regards,

Sahul Hameed

L7 Applicator

Re: Suggestion on how to made dual IPSec VPN UP with Dual ISP failover by configuring Dual VR

Hello,

While you don't need the dual VRs, to get a tunnel up that doesn't have traffic flowing over it, use the CLI test command.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC


Hope that helps.

L4 Transporter

Re: Suggestion on how to made dual IPSec VPN UP with Dual ISP failover by configuring Dual VR

Well, based on the picture you uploaded, you seem to be familiar with the proper document that discusses dual VPN with failover.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK

I have set this up 2x with customers and used the above document as my bible.


Steve

L4 Transporter

Re: Suggestion on how to made dual IPSec VPN UP with Dual ISP failover by configuring Dual VR

@Sethupathi 

While IP addresses on the tunnel interfaces aren't a requirement, in your case they would be recommended. Then you can enable tunnel monitoring as covered in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK shared by SteveCantwell. This, along with Dead Peer Detection, is a good way to keep the tunnel up and operational.


Another method is to use an IP address on the far-end VPN device in a /32 or /30, etc., that can be in a route specific to that tunnel. Either use a dynamic routing protocol for the constant neighbor traffic, or a static route and a monitoring device that sends ICMP to the far end of that VPN tunnel device, keeping "interesting" traffic going over the tunnel.
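As an added illustration (not from any reply above and not from the Palo Alto Networks knowledge base articles linked), here is a PAN-OS set-command fragment that puts the replies' suggestions together for the OP's dual-VR layout: addressed tunnel interfaces, a monitor profile, tunnel monitoring on each IPSec tunnel aimed at the far-end tunnel IP, a per-tunnel static route, and the CLI test command. All interface names, VR names, gateway/tunnel names and addresses are placeholders assumed for the example.

```text
# Placeholder topology: ethernet1/1 + tunnel.1 in Primary-VR (ISP 1),
# ethernet1/2 + tunnel.2 in Secondary-VR (ISP 2). All values are examples.
set network virtual-router Primary-VR interface [ ethernet1/1 tunnel.1 ]
set network virtual-router Secondary-VR interface [ ethernet1/2 tunnel.2 ]

# Give each tunnel interface an address so the tunnel monitor and the
# per-tunnel static route have a far-end IP to probe and route to.
set network interface tunnel units tunnel.1 ip 10.255.0.1/30
set network interface tunnel units tunnel.2 ip 10.255.0.5/30

# Each VR keeps its own default route out its own ISP, so the IKE gateway
# bound to the secondary ISP interface can reach its peer from Secondary-VR.
set network virtual-router Primary-VR routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1
set network virtual-router Secondary-VR routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1

# Monitor profile: probe every 3 seconds, act after 5 consecutive misses.
set network profiles monitor-profile Tunnel-Mon action fail-over interval 3 threshold 5

# Tunnel monitoring on both tunnels, targeting the peer's tunnel interface IP;
# the probes are the constant "interesting" traffic that keeps each SA alive.
set network tunnel ipsec VPN-Primary tunnel-monitor enable yes destination-ip 10.255.0.2 tunnel-monitor-profile Tunnel-Mon
set network tunnel ipsec VPN-Secondary tunnel-monitor enable yes destination-ip 10.255.0.6 tunnel-monitor-profile Tunnel-Mon

# A route to the remote LAN through each tunnel interface, one per VR.
set network virtual-router Primary-VR routing-table ip static-route Remote-LAN-via-T1 destination 192.168.100.0/24 interface tunnel.1 metric 10
set network virtual-router Secondary-VR routing-table ip static-route Remote-LAN-via-T2 destination 192.168.100.0/24 interface tunnel.2 metric 10

commit

# Operational: trigger Phase 1 / Phase 2 on the idle tunnel, then verify.
test vpn ike-sa gateway IKE-GW-Secondary
test vpn ipsec-sa tunnel VPN-Secondary
show vpn ike-sa gateway IKE-GW-Secondary
show vpn flow name VPN-Secondary
```

If `show vpn ike-sa` still shows no SA for the secondary gateway after the test command, check that the IKE gateway's local address is the secondary ISP interface and that Secondary-VR's routing table has a path to the peer's public IP.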
