There are several resources available for Dual ISP with Failover VPN on the Live Community, such as https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi... . But there is still a lack of some information in the documents, for example the partner IP address for the VPN tunnel, and the IP Monitor on the VPN tunnel (I don't know where this IP address is taken from). If someone could provide more details on this deployment scenario it would be easier to understand.
I've deleted your duplicate post
here's another good resource for VPN configurations:
- The tunnel IP should be negotiated with your remote contact person (or chosen by yourself if you are in control of both endpoints): it is preferably chosen from a subnet that is not in either side's local subnets so there is no overlap (e.g. site A uses 192.168.0.0, site B uses 172.16.0.0, so it is good to use 10.0.0.0 for the tunnels).
- IP Monitor
- Partner IP: I suppose you mean peer IP? This is assigned by the remote ISP and you will need to find that out.
Hi Community Team,
What I want to know is this: I have two Internet connections, and I have configured an IPsec site-to-site VPN to another location over one Internet connection. ISP1 is the primary link for the VPN connection to the branch office location; in case the ISP1 Internet disconnects, the VPN has to come up over the Internet connection on ISP1 to the same branch location.
Please see diagram for detail.
I do this quite a bit and the following works well for me. Set up both tunnels to the router at 188.8.131.52 from each of your PANs. Then I set up OSPF between the three firewalls/routers: PAN 184.108.40.206 would have default costs and 220.127.116.11 would have slightly higher costs, say 50. Static routes work as well! Then I create a policy-based routing (PBF) rule that sends the traffic down the preferred ISP, ISP1, with a monitor, and check the box that says 'Disable this rule if the nexthop/monitor ip is unreachable'. PBF takes effect prior to the Virtual Router rules.
There is usually a few seconds' delay in failover, but it works every time.
Please let me know if you need additional details.
Great response. I have some questions about the tunnel monitor: what is the IP address that needs to be monitored? Do I need to assign an IP address to the tunnel interface? If I need to assign an IP address to the tunnel interface, do I need to configure the IP address of the tunnel interface in the proxy ID?
As for the tunnel monitor I do the following:
Use an IP on the far side of the tunnel that will always be up but has little importance, maybe a loopback interface on the far side. The reason is that I have a static route that forces the PAN to route that IP over ISP1. That way, if it goes down, it's not a huge factor from the viewpoint of the subnet behind the PAN.
While you don't need to assign an IP to the tunnel interface, I usually do for troubleshooting. A traceroute will show the tunnel IP, so from that IP I know whether the traffic went over ISP1 or ISP2.
Proxy IDs are used if device 18.104.22.168 cannot perform route-based VPNs.
Hope this helps out.
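As an added example that is not part of the original thread (and not Palo Alto Networks' own code or CLI), the Python below models the failover order described in the earlier reply (a PBF rule with a monitor is evaluated first; once the monitor fails the rule is disabled and the virtual router's lowest-cost OSPF route takes over) and parses a traceroute to report which tunnel the traffic actually took, which is the troubleshooting check from the last reply. Tunnel interface names, the /30 tunnel subnets, monitor addresses, OSPF costs and the traceroute output are all constructed assumptions.

```python
"""Added example, not code from the original thread: a model of the
PBF-then-virtual-router failover decision, plus a traceroute parser that
reports which tunnel a path used. Names, subnets, monitor IPs and costs
are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    name: str        # tunnel interface name (assumed)
    isp: str         # ISP that carries the outer IPsec packets
    net: str         # /30 on the tunnel interfaces; the far end answers traceroute from it
    monitor_ip: str  # far-side loopback probed by the tunnel/PBF monitor (assumed)
    cost: int        # OSPF cost in the virtual router; lower wins


# Tunnel subnets come from 10.0.0.0, which overlaps neither site's LAN
# (192.168.0.0 at site A, 172.16.0.0 at site B), as the thread recommends.
TUNNELS = (
    Tunnel("tunnel.1", "ISP1", "10.0.0.0/30", "10.255.255.1", 10),
    Tunnel("tunnel.2", "ISP2", "10.0.0.4/30", "10.255.255.2", 50),
)
PBF_PREFERRED = "tunnel.1"  # the PBF rule steers branch traffic here while its monitor is up


def choose_path(monitor_up: Dict[str, bool]) -> Optional[str]:
    """Which tunnel the firewall uses, given the result of probing each
    tunnel's monitor_ip (tunnel name -> reachable?).

    PBF is evaluated before the virtual router: while the preferred tunnel's
    monitor is reachable the PBF rule wins outright. Once the monitor fails
    the rule is disabled and the virtual router picks the lowest-cost tunnel
    that is still up. None means no tunnel is usable.
    """
    preferred = next(t for t in TUNNELS if t.name == PBF_PREFERRED)
    if monitor_up.get(preferred.name, False):
        return preferred.name
    alive = [t for t in TUNNELS if monitor_up.get(t.name, False)]
    return min(alive, key=lambda t: t.cost).name if alive else None


_HOP_LINE = re.compile(r"^\s*\d+\s")
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def observed_tunnel(traceroute_output: str) -> Optional[str]:
    """Return the tunnel whose /30 appears as a hop, or None if no tunnel hop is seen."""
    nets = {t.name: ipaddress.ip_network(t.net) for t in TUNNELS}
    for line in traceroute_output.splitlines():
        if not _HOP_LINE.match(line):      # skip the header line
            continue
        for ip in _IPV4.findall(line):     # a '* * *' hop yields no addresses
            addr = ipaddress.ip_address(ip)
            for name, net in nets.items():
                if addr in net:
                    return name
    return None


def verify_failover(traceroute_output: str,
                    monitor_up: Dict[str, bool]) -> Tuple[Optional[str], Optional[str], bool]:
    """Compare the path the model predicts with the path a traceroute shows."""
    expected = choose_path(monitor_up)
    seen = observed_tunnel(traceroute_output)
    return expected, seen, expected == seen


# Constructed traceroute output from a host at site A to a host at site B.
TRACE_VIA_ISP1 = """\
traceroute to 172.16.10.20 (172.16.10.20), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.412 ms  0.380 ms  0.355 ms
 2  10.0.0.2 (10.0.0.2)  18.201 ms  18.110 ms  18.044 ms
 3  172.16.10.20 (172.16.10.20)  18.934 ms  18.870 ms  18.802 ms
"""
TRACE_VIA_ISP2 = """\
traceroute to 172.16.10.20 (172.16.10.20), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.401 ms  0.377 ms  0.362 ms
 2  * * *
 3  10.0.0.6 (10.0.0.6)  31.515 ms  31.402 ms  31.377 ms
 4  172.16.10.20 (172.16.10.20)  32.108 ms  32.055 ms  31.990 ms
"""

if __name__ == "__main__":
    # Steady state: PBF rule active, traffic seen on tunnel.1 (ISP1).
    print(verify_failover(TRACE_VIA_ISP1, {"tunnel.1": True, "tunnel.2": True}))
    # ISP1 down: monitor fails, PBF rule disabled, virtual router falls back to tunnel.2.
    print(verify_failover(TRACE_VIA_ISP2, {"tunnel.1": False, "tunnel.2": True}))
```

The model only reproduces the ordering the reply describes (PBF before the virtual router, monitor failure disabling the PBF rule); it does not emulate OSPF adjacency or the few seconds of convergence delay mentioned above. The traceroute check relies on the tunnel interfaces having addresses, which is exactly why the last reply assigns them.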