How can I get dual ISP with DUAL IPSEC Tunnel to work with static routes and no tunnel monitor?


L3 Networker

Hi,

How can I get dual ISP with DUAL IPSEC Tunnel to work with static routes and no tunnel monitor? I want the IPSEC tunnel to only fail over when the primary circuit goes down. The problem I am having is that the static route metric is not taking over when the primary ISP and primary IPSEC tunnel go down. Metric is 10 for primary tunnel and 20 for backup tunnel.

Thanks

3 REPLIES

L7 Applicator

My recollection is that you really have to use VPN monitor in this scenario because without it the tunnel interface does not go down and therefore your primary route is never removed from the routing table.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Cyber Elite

Hello,

I have always looked at the type of site it is, i.e. if it's a stub then I used Policy Based Forwarding (but you need a monitor) and a static route for the secondary. That is, if primary goes down, the PBF doesn't take effect and so the route takes the static route. You can also possibly accomplish this with dynamic routing such as OSPF on both sides and then weigh the routes accordingly, e.g. higher on the secondary, etc.

Hope that points you in the right direction.

Regards,

L7 Applicator
As @pulukas already mentioned, some kind of monitoring is needed. Without it the primary route will stay in your routing table.
With PAN-OS 8 there is also a possibility to configure a monitor directly for the static route: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/networking/configure-path-monitoring...