This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Dual/HA IPsec tunnels with 2 ISPs ?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Dual/HA IPsec tunnels with 2 ISPs ?

essnet
L4 Transporter

‎05-29-2012 06:36 AM

Hello,

I have 2 PaloAltos, one is running on robust and redundant Corp internet ISP, another one on a remote location with 2 public  ADSL (and miserable quality ofc !). My goal is to have a redundant IPsec link between the two PaloAltos :

tmp.png

How would you achieve this ? I have several scenarios in mind:

  • PA2 builds 2 tunnels (one from each ISP) all time and routing is done with BGP (or any other routing protocol), so if a link fails, that routing protocol will timeout and route will vanish from each PA, so traffic will fail to the remaining one.
  • PA2 builds 1 tunnel at a time : a PBF will detect if ISP1 is dead and failover traffic to ISP2. This solution may not work as my lowcost ISPs don't have same public adress, so it would mean that PA2 needs to reset old tunnel before creating new one (does it even support this automatically?). What would be the timeframe of such failover also ?

thank you in advance for your suggestions, feedback and questions !

Regards,

1 REPLY 1

rmonvon
L6 Presenter

‎05-30-2012 12:12 PM

Hi...I believe both scenarios will work.  The 1st scenario is using dynamic routing and one path will be selected over the other.  This requires only dynamic routing to be enabled.

The 2nd method require some static routing and PBF.  You can configure PBF to disable the forwarding rule should the next hop is down, and traffic will take the 2nd path.  The failover time is configurable when you set the monitoring of the next-hop, so you can adjust this to fit your enviroment.

Thanks.

  • 1903 Views
  • 1 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks