This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Dual PA220 Active-Active with Active-Active Service Provider Links and GP Autofailover

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Dual PA220 Active-Active with Active-Active Service Provider Links and GP Autofailover

Go to solution
Tobi_Babatunde
L1 Bithead

‎08-02-2022 05:27 AM

Hello Family,

 

I have a pair of PA220 in Active/Standby mode, I know datasheet of PA220 is as below:

 

Firewall throughput (HTTP/appmix)* 545/535 Mbps

Threat Prevention throughput (HTTP/appmix)† 265/320 Mbps

IPsec VPN throughput‡ 550 Mbps

Max sessions 64,000

New sessions per second§ 4,200

 

I already have a 250Mbps service provider internet link, and would like to add another due to office getting bigger, but would prefer I utilize the complete 500Mbps I'd have fully without getting the SDWAN license, and the PANs and links should also act as failover for each other incase one goes down.

 

I want to terminate one ISP on say PAN1 and the other on PAN2 and have them in a HA situation that they are both active. Also, I'd be doing IPSec to my workload in AWS, I'm guessing I'd create a tunnel from both PANs to AWS and probably utilize ECMP.

 

From my GP perspective, how do I also make sure public IPs from both ISPs are referenced to give me better availability.

 

Has anyone done this use case and have any pointers or blogged about it?

 

Thanks.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
BPry
Cyber Elite
Cyber Elite

‎08-02-2022 07:07 PM

@Tobi_Babatunde,

Why aren't you just using ECMP? That would be the more traditional approach to this and you aren't really losing anything. If you did this as you described you'd still only load balance on a session basis, which is already what ECMP does. Sounds like you're trying to over engineer a solution here when you don't need to outside of having some other considerations that you don't have listed here. 

View solution in original post

0 Likes Likes
1 REPLY 1

Go to solution
BPry
Cyber Elite
Cyber Elite

‎08-02-2022 07:07 PM

@Tobi_Babatunde,

Why aren't you just using ECMP? That would be the more traditional approach to this and you aren't really losing anything. If you did this as you described you'd still only load balance on a session basis, which is already what ECMP does. Sounds like you're trying to over engineer a solution here when you don't need to outside of having some other considerations that you don't have listed here. 

0 Likes Likes
  • 1 accepted solution
  • 1289 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks