IPSec tunnel as backup link of MPLS connection

Hi,

We have an MPLS link between two sites. Right now I want to set up a backup link with an IPSec tunnel. The schema of the network connection is as in the picture.

Please help me configure the Palo Alto device to monitor the MPLS link and switch to the IPSec tunnel when the MPLS link goes down.

The switch on the right site has IP SLA configured, which checks the connection to the MPLS router and changes routing automatically to the PA.

The Palo Alto has two routing records for the same subnet with different metric and administrative distance, but it doesn't swap to IPSec automatically. Please tell me how I should configure the PA to support this scenario without my interaction.

What should I use: PBF, redistribution profiles under VR - static, adding one more VR, or tunnel monitoring?

[image: Visio-pa_mpls_Ipsec.jpg]

Thank you for advice!

All Replies
L3 Networker

Hi,

I think you should use PBF for this, since only by using PBF can you achieve automatic failover. Unless you have a dynamic routing protocol running in your MPLS network, there is no way for the firewall to know that the route to your MPLS cloud is down.

L4 Transporter (Accepted Solution)

Hello Jakub,

Yes, we will have to use PBF to have auto failover if the primary link fails.

In the PBF rule we set the primary link (in your case it is the MPLS path). PBF rules are given priority over default routes and security rules. If the PBF fails, then it would take the default static route to the tunnel as the backup path.

Below are some doc suggestions to understand and customize your implementation.

How to Setup a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover

Dual ISP Branch Office Configuration

Thanks

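A worked PAN-OS CLI configuration for what the accepted answer and the earlier reply describe (PBF with path monitoring to the MPLS router, static route to the tunnel as the fallback), added here as an example; it is not part of the original thread or of the linked Palo Alto documents. The interface names, zone, addresses and object names are assumptions: ethernet1/2 is the MPLS-facing interface, tunnel.1 the IPSec tunnel interface, 10.1.0.0/24 the local LAN, 10.2.0.0/24 the remote LAN, 192.0.2.1 the MPLS router, and the IKE gateway, IPSec tunnel and tunnel.1 are assumed to exist already. Commands are for configuration mode on a single-vsys firewall.

```panos
# Added example with assumed names/addresses: PBF steers site-to-site traffic
# to the MPLS router and monitors it; the static route via tunnel.1 is the
# path used once the PBF rule disables itself.

# 1. Monitor profile: probe every 3 s, declare the path down after 5 lost
#    probes, and fail over. The built-in "default" profile uses
#    wait-recover, which keeps the PBF rule active and only waits for the
#    path to return, so it would not give the failover asked for here.
set network profiles monitor-profile MPLS-MON interval 3
set network profiles monitor-profile MPLS-MON threshold 5
set network profiles monitor-profile MPLS-MON action fail-over

# 2. PBF rule: traffic from the local LAN to the remote LAN leaves on the
#    MPLS interface towards the MPLS router. The monitored address is
#    pinged out of the rule's egress interface; when it stops answering,
#    disable-if-unreachable turns the rule off and the virtual router's
#    routing table decides the path instead.
set rulebase pbf rules To-MPLS from zone trust
set rulebase pbf rules To-MPLS source 10.1.0.0/24
set rulebase pbf rules To-MPLS destination 10.2.0.0/24
set rulebase pbf rules To-MPLS source-user any
set rulebase pbf rules To-MPLS application any
set rulebase pbf rules To-MPLS service any
set rulebase pbf rules To-MPLS action forward egress-interface ethernet1/2
set rulebase pbf rules To-MPLS action forward nexthop ip-address 192.0.2.1
set rulebase pbf rules To-MPLS action forward monitor profile MPLS-MON
set rulebase pbf rules To-MPLS action forward monitor ip-address 192.0.2.1
set rulebase pbf rules To-MPLS action forward monitor disable-if-unreachable yes

# 3. Backup path: the only route for the remote subnet in the virtual
#    router points at the IPSec tunnel. Do NOT keep a second, lower-metric
#    static route for 10.2.0.0/24 via ethernet1/2 (the "two routing
#    records" from the question): the moment the PBF rule is disabled the
#    firewall would pick that route and send traffic back into the dead
#    MPLS path. The MPLS path lives only in the PBF rule.
set network virtual-router default routing-table ip static-route To-Remote-via-VPN destination 10.2.0.0/24
set network virtual-router default routing-table ip static-route To-Remote-via-VPN interface tunnel.1
set network virtual-router default routing-table ip static-route To-Remote-via-VPN metric 10

commit
```

Two design points. First, choose the monitored address deliberately: pinging the directly connected MPLS router only detects a failure of the local CE or link, while a monitored address on the far side of the cloud (for example the remote site's LAN gateway) also catches a failure inside the provider network, at the cost of the far end having to answer ICMP. Second, PBF is unidirectional: it only steers traffic leaving this firewall, so the remote side (the Juniper and the IP SLA-driven switch mentioned in the thread) must independently detect the outage and route the return traffic into the VPN, and tunnel.1 must be in a zone that the security policy allows for this traffic just as the MPLS interface is. After committing, `show pbf rule all` shows whether the rule is currently active or has been disabled by the monitor, and `show routing route` shows the tunnel route that takes over.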

L5 Sessionator

Hi,

Fully agree with Phoenix. Just be sure that the Juniper on the remote site is able to send traffic into the VPN too (in case of VPN failure), else ... it will fail :-)

Hope this helps.

v.
