This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Dual ISP with VPN

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dual ISP with VPN

MikeC
L3 Networker

‎09-19-2018 06:04 PM

I'm working on configuring a branch office firewall with two ISPs and Site-to-Site VPN to our data center.  The data center side has only 1 ISP connection

 

I'm reviewing this article again, as I've used it in the past.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

 

It's been a while since I've done this setup, but something doesn't seem right. I get the two VR idea, since the traffic sourcing from the firewall does not use PBR. My issue is with the default route. 

 

Let's examine

 

Interface configuration:

Configure two interfaces:

Eth 1/3: 10.185.140.138/24 (connection to ISP1) in the untrust zone

Eth 1/4: 10.80.40.38/24  (connection to ISP2) in the untrust zone

 

Virtual routers:

There are two virtual routers:

VR1: Primary (ISP1) (Ethernet1/3)

VR2: Secondary (ISP2) (Ethernet1/4)

 

 

On Primary VR1, they have a default route pointing to the gateway of ISP1  0.0.0.0/0 10.185.140.1.  Then, on Secondary VR2, they do not add a default route.  I also saw a post in the comments that you need a static default route configured on both VR1 and VR2

 

I believe both are incorrect, unless I'm missing something.  If you add a static route pointing to Primary ISP1 on VR1, it will cause issues with failover, even if you also have a default route on VR2.

 

I'm thinking they meant to create the default route to the next hope for ISP2.  If correct, wouldn't that be on VR2?

 

1 person had this problem.
0 Likes Likes
3 REPLIES 3

theonewhoknocks
L2 Linker

‎09-20-2018 03:11 AM

Hi @MikeC,

We're running this setup on one of our sites.
Both VR has default routes pointing to each individual ISP GW.

VR1 has my internal LAN segments and ISP1 interface. VR2 has only ISP2 interface. VR1 has a backup default-route pointing to next VR (VR2)

 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎09-20-2018 07:41 AM

Hello,

This can be accomplished with 1 VR and a PBF rule or dynamic routing (with weighted routes). Since both tunnels are up but you will only be using one at a time (assumption).  A 1 VR solution works well.

 

Regards,

0 Likes Likes

reaper
Cyber Elite
Cyber Elite

‎09-21-2018 04:16 AM

there's a picture of the routes on the secondary-vr further down in the article that shows it does have a default route:

 

 13842_Routes for VPNs.PNG

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 2658 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks