02-22-2013 03:42 AM
Hi,
We have an MPLS link between two sites. Right now I want to set up a backup link with an IPSec tunnel. The schema of the network connection is as in the picture.
Please help me configure the Palo Alto device to monitor the MPLS link and switch to the IPSec tunnel when the MPLS link is down.
The switch on the right site has IPSLA ready that checks the connection to the MPLS router and changes routing automatically to the PA.
The Palo Alto has two routing records for the same subnet with different metric and administrative distance, but it doesn't swap to IPSec automatically. Please tell me how I should configure the PA to support this scenario without my interaction.
What should I use: PBF, redistribution profiles under VR - static, adding one more VR, Monitor tunnel?
Thank you for the advice!
11-27-2013 04:41 AM
Hello Jakub,
Yes, we will have to use PBF to have auto failover if the primary link fails.
In the PBF rule we set the primary link (in your case it is the MPLS path). PBF rules are given priority over default routes and security rules. If the PBF fails, then it would take the default static route to the tunnel for the backup path.
Below are some doc suggestions to understand and customize your implementation.
How to Setup a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover
Dual ISP Branch Office Configuration
Thanks
11-27-2013 02:56 AM
Hi,
I think you should use PBF for this since only by using PBF you can achieve automatic failover. Unless you have a dynamic routing protocol running in your MPLS networks, there is no way that the firewall knows that the route to your MPLS cloud was down.
11-27-2013 11:01 AM
Hi,
Fully agree with Phoenix. Just be sure that the Juniper on the remote site is able to send traffic in the VPN too (in case of VPN failure), else ... it will fail 🙂
Hope this helps.
v.
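
The failover behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model (not PAN-OS code) of why two static routes with different metrics keep using MPLS during a carrier outage, while a monitored PBF rule falls through to the tunnel route. The addresses, interface names, and class and function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class StaticRoute:
    dest: str
    egress: str
    metric: int

@dataclass
class PbfRule:
    dest: str
    egress: str
    monitor_ok: bool = True            # result of the path-monitor probe
    disable_if_unreachable: bool = True

def route_lookup(routes, dst, link_up):
    """Longest prefix, then lowest metric, among routes whose egress link is up."""
    cands = [r for r in routes
             if ip_address(dst) in ip_network(r.dest) and link_up.get(r.egress, False)]
    if not cands:
        return None
    return min(cands, key=lambda r: (-ip_network(r.dest).prefixlen, r.metric)).egress

def forward(dst, pbf_rules, routes, link_up):
    """PBF is evaluated before the routing table; a disabled rule is skipped."""
    for rule in pbf_rules:
        if ip_address(dst) not in ip_network(rule.dest):
            continue
        if rule.disable_if_unreachable and not rule.monitor_ok:
            continue                   # monitor failed: fall through to routing
        return rule.egress
    return route_lookup(routes, dst, link_up)

def demo():
    # Constructed scenario: the local MPLS port stays up during a carrier outage.
    link_up = {"mpls": True, "tunnel.1": True}
    remote = "10.20.0.5"
    two_static = [StaticRoute("10.20.0.0/24", "mpls", 10),
                  StaticRoute("10.20.0.0/24", "tunnel.1", 20)]
    backup_only = [StaticRoute("10.20.0.0/24", "tunnel.1", 10)]
    pbf = [PbfRule("10.20.0.0/24", "mpls")]
    results = {"static_outage": route_lookup(two_static, remote, link_up),
               "pbf_healthy": forward(remote, pbf, backup_only, link_up)}
    pbf[0].monitor_ok = False          # probe across the MPLS path starts failing
    results["pbf_outage"] = forward(remote, pbf, backup_only, link_up)
    return results

if __name__ == "__main__":
    print(demo())
```

In the static-only case the lower-metric MPLS route keeps winning because nothing local signals the outage; the monitored rule is what lets traffic reach the tunnel route.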