VPN Tunnels between two PA over an MPLS infrastructure


I have a scenario where I'm creating a VPN tunnel between two PAs. The infrastructure between the two PAs is MPLS; each PA has two BGP links (Primary 50Mbps) and (Secondary 10Mbps). I'm terminating the VPN on the loopback of the PAs; however, I noticed that the VPN tunnel is initiated from the primary link (50Mbps) of the first PA and enters the second PA through the secondary link (10Mbps). Using the BGP Import, I set the primary neighbor to local preference and weight 110 and the secondary neighbor to local preference and weight 90. I thought this would force the VPN tunnel to use the primary links from both sides, but it does not seem to be working.

 

Any Advice?

1 accepted solution

Accepted Solutions

L2 Linker

With this config you are only controlling the outgoing interface of each PA. This will not affect the incoming interface on the other side (assuming both links connect to the same provider and MPLS cloud).

 

You will want to prepend your advertisements out the secondary links to make sure incoming traffic is not received on them.


Thanks for your reply,

I really didn't get what you mean exactly. Can you explain how to do this?

Hello,

In the past I have had sites with multiple lines. What I did was to use OSPF between the two VPN endpoints with static routes and policy based forwarding.

 

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/use-case-pbf-for-outbound-acc...

 

Let me know if you have further questions.

 

Cheers!

The solution was to use the weight to force the outgoing traffic to use the primary link by giving higher weight to the primary and to use MED to force the incoming traffic to use the primary interface by giving it lower MED.
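An added model of the point made in this thread (not posted by any participant, and not PAN-OS configuration): weight and local preference only steer the local router's outbound choice, while the return path is decided by the provider from what the site advertises (AS-path length, MED). The best-path order is simplified, and the AS numbers, peer IDs and link names are constructed for the illustration.

```python
from dataclasses import dataclass

PROVIDER_AS, SITE_B_AS = 64512, 65002  # constructed private ASNs

@dataclass(frozen=True)
class Path:
    """One BGP path for a prefix, as seen by the router making the decision."""
    via: str                  # link the path was learned on
    as_path: tuple            # AS numbers, nearest first
    med: int = 0              # chosen by the advertising side, lower wins
    local_pref: int = 100     # set locally on import, higher wins
    weight: int = 0           # set locally on import, higher wins
    peer_id: str = "0.0.0.0"  # last tie-break, lowest wins

def best_path(paths):
    """Simplified order: weight, local-pref, AS-path length, MED, peer ID."""
    def key(p):
        peer = tuple(int(o) for o in p.peer_id.split("."))
        return (-p.weight, -p.local_pref, len(p.as_path), p.med, peer)
    return min(paths, key=key)

def advertise(via, peer_id, prepend=0, med=0):
    """What the provider receives from site B; B's weight/local-pref never leave B."""
    return Path(via, (SITE_B_AS,) * (1 + prepend), med=med, peer_id=peer_id)

def provider_choice(prepend_secondary=0, med_primary=0, med_secondary=0):
    """Link the provider picks to deliver traffic to site B's loopback."""
    received = [
        advertise("primary-50M", "10.0.0.9", med=med_primary),
        advertise("secondary-10M", "10.0.0.5", prepend_secondary, med_secondary),
    ]
    return best_path(received).via

def site_a_choice(weight_primary=0, weight_secondary=0):
    """Link site A picks to send traffic toward site B's loopback."""
    routes = (PROVIDER_AS, SITE_B_AS)
    learned = [
        Path("primary-50M", routes, weight=weight_primary, peer_id="10.0.1.9"),
        Path("secondary-10M", routes, weight=weight_secondary, peer_id="10.0.1.5"),
    ]
    return best_path(learned).via

if __name__ == "__main__":
    print("outbound, weight 110/90:", site_a_choice(110, 90))
    print("inbound, nothing advertised differently:", provider_choice())
    print("inbound, secondary prepended x2:", provider_choice(prepend_secondary=2))
    print("inbound, MED 10 primary / 100 secondary:", provider_choice(0, 10, 100))
```

With identical advertisements the provider's choice falls through to an arbitrary tie-break, which is how traffic can arrive on the 10Mbps link even though both firewalls prefer the primary for sending.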
