Multiple ISPs with Path Monitoring



Hi All

 

Need a sanity check. When deploying multiple ISPs using path monitoring instead of policy-based forwarding, should the 2nd ISP become unreachable? It makes sense that it does, but it wasn't mentioned in the Palo article about it.

 

Setup would be

ISP1 (e1/1)  0.0.0.0/0  1.1.1.254  priority 10 (with path monitoring)

ISP2 (e1/4) 0.0.0.0/0 2.2.2.254  priority 200

 

VPN tunnels for both ISP1 and ISP2 using tunnel monitor

 

With this config:

 

ISP1 tunnel is up,  e1/1 is pingable from outside

ISP2 tunnel is down,  e1/4 is NOT pingable from outside

Accepted Solution

Hi @securehops ,

If you don't use PBF this behaviour is expected.

 

Without PBF, the firewall will try to establish the VPN with the source IP assigned on eth1/4, but it will forward the traffic over eth1/1 and ISP1, where most probably the traffic will be dropped, since it is sourced from an IP that doesn't belong to this ISP.

 

In this case, the ISP2 tunnel should come up in case of failover: the path monitor fails and removes the default route over ISP1, and the ISP1 tunnel will go down, respectively.

 

If you prefer to have both tunnels up and ready, you could create a PBF so that traffic sourced from eth1/4 always goes over ISP2.


Hi @aleksandar.astardzhiev 

 

This is what I figured but wanted to be sure I was not missing something.  

Interesting idea about the PBF rule for ISP 2.  

 

Does it make more sense to do PBF instead of path monitoring? I wasn't sure if Palo still recommends PBF.

 

Also, I was wondering, is there a best practice on what IP address to use for the PBF monitor or static route path monitoring? I see some people using the ISP's default gateway. I can see a scenario where the DG is reachable but an upstream issue with the ISP could prevent internet access. I see others using something like 8.8.8.8, but I'm not sure that's the best idea either.

 

any thoughts ?

 

 

 

Hey @securehops ,

I personally always try to avoid PBF, primarily because engineers often forget to check it during troubleshooting.

However, the truth is PBF could be very helpful in some situations.

 

I would say:

- If you need simple failover between two ISPs, absolutely go for path monitor on the static route.

- But if, in addition to the failover, you need faster recovery for the IPsec tunnel, you will need PBF to keep the second tunnel ready to take over.

 

Don't forget that in either case you will need tunnel-monitor or PBF with path-monitor for the routing over the tunnel. Once the primary tunnel goes down, you need to switch the route to the second tunnel. You could again create a PBF that will monitor the path over the tunnel and, when it is down, switch to the second. This was the preferred way for IPsec failover way, way back. My preferred way is to use tunnel-monitor, so the firewall will "disable" the static route pointing to tunnel1 and fall back to the route pointing to the second tunnel.

 

Regarding the monitored host... I am not the best person to define best practices. I have had a few cases where path-monitor was required, and in all cases we used 8.8.8.8 and it was fine.
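The following is an added illustration, not PAN-OS code and not something posted in this thread: a small Python model of the forwarding decisions the accepted solution and the reply above describe (a path-monitored default route being withdrawn, PBF overriding the routing table, and tunnel-monitor failover between two tunnel routes). The interfaces, next hops and metrics are the ones from the original post; the firewall's own addresses (1.1.1.1 and 2.2.2.1), the VPN peer 203.0.113.9, the monitor targets, the remote subnet 192.168.50.0/24 and the "any"/"all" failure condition are assumptions made for the example. The model takes the accepted solution at its word that an ISP drops packets sourced from the other ISP's address.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class StaticRoute:
    destination: str
    interface: str
    metric: int
    # Path monitoring: latest probe result per monitored destination (True = reachable).
    monitored: dict = field(default_factory=dict)
    failure_condition: str = "any"   # "any": one failed target withdraws the route; "all": every target must fail
    tunnel_monitor_up: bool = True   # tunnel-monitor result for routes that point at a tunnel interface

    def installed(self) -> bool:
        """A route whose tunnel monitor or path monitor has failed is withdrawn from forwarding."""
        if not self.tunnel_monitor_up:
            return False
        if not self.monitored:
            return True
        failed = [not ok for ok in self.monitored.values()]
        return not (any(failed) if self.failure_condition == "any" else all(failed))


@dataclass
class PBFRule:
    source: str              # source address the rule matches
    interface: str           # forced egress interface
    monitor_up: bool = True  # PBF path monitor; a failed rule is skipped and routing decides


@dataclass
class Firewall:
    routes: list
    pbf: list = field(default_factory=list)

    def route_lookup(self, dst: str) -> Optional[StaticRoute]:
        # Longest prefix match, then lowest metric, among installed routes only.
        candidates = [r for r in self.routes
                      if r.installed() and ip_address(dst) in ip_network(r.destination)]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (ip_network(r.destination).prefixlen, -r.metric))

    def egress(self, src: str, dst: str) -> Optional[str]:
        # PBF is evaluated before the routing table.
        for rule in self.pbf:
            if rule.monitor_up and src == rule.source:
                return rule.interface
        route = self.route_lookup(dst)
        return route.interface if route else None


def tunnel_state(fw: Firewall, local_ip: str, local_if: str, peer_ip: str) -> str:
    # IKE/ESP sourced from an ISP-assigned address only gets through if it leaves via that ISP;
    # sent out the other ISP's link it is dropped as spoofed (the accepted solution's point).
    return "up" if fw.egress(local_ip, peer_ip) == local_if else "down"


def two_isp_scenario(isp1_probe=(True, True), failure_condition="any", pbf=False) -> dict:
    """ISP1 on e1/1 (metric 10, path-monitored) and ISP2 on e1/4 (metric 200), as in the post.
    Assumed: firewall addresses 1.1.1.1 / 2.2.2.1, peer 203.0.113.9, targets 1.1.1.254 and 8.8.8.8."""
    fw = Firewall([
        StaticRoute("0.0.0.0/0", "ethernet1/1", 10,
                    monitored={"1.1.1.254": isp1_probe[0], "8.8.8.8": isp1_probe[1]},
                    failure_condition=failure_condition),
        StaticRoute("0.0.0.0/0", "ethernet1/4", 200),
    ])
    if pbf:
        # Pin everything sourced from the e1/4 address to ISP2 so its tunnel can stay up.
        fw.pbf.append(PBFRule(source="2.2.2.1", interface="ethernet1/4"))
    return {
        "isp1_tunnel": tunnel_state(fw, "1.1.1.1", "ethernet1/1", "203.0.113.9"),
        "isp2_tunnel": tunnel_state(fw, "2.2.2.1", "ethernet1/4", "203.0.113.9"),
        "internet_egress": fw.egress("10.0.0.5", "198.51.100.7"),
    }


def remote_subnet_egress(tunnel1_up: bool, tunnel2_up: bool) -> Optional[str]:
    """Tunnel-monitor failover: assumed remote subnet 192.168.50.0/24 via tunnel.1 (metric 10),
    falling back to tunnel.2 (metric 20) once tunnel.1's monitor fails."""
    fw = Firewall([
        StaticRoute("192.168.50.0/24", "tunnel.1", 10, tunnel_monitor_up=tunnel1_up),
        StaticRoute("192.168.50.0/24", "tunnel.2", 20, tunnel_monitor_up=tunnel2_up),
        StaticRoute("0.0.0.0/0", "ethernet1/1", 10),
    ])
    return fw.egress("10.0.0.5", "192.168.50.10")


if __name__ == "__main__":
    print("no PBF, ISP1 healthy:", two_isp_scenario())
    print("no PBF, ISP1 gateway unreachable:", two_isp_scenario(isp1_probe=(False, True)))
    print("with PBF for e1/4 traffic:", two_isp_scenario(pbf=True))
    print("both tunnel monitors down:", remote_subnet_egress(False, False))
```

Running it reproduces the thread: with no PBF the ISP2 tunnel is down while ISP1 is healthy, the two swap once ISP1's monitored path fails, and a PBF rule for the e1/4 source keeps both up. Two details worth noticing in the output: with failure condition "all", a single dead target (for example the ISP gateway still answering while 8.8.8.8 does not) leaves the route installed, which is the upstream-outage case raised in the question above; and when both tunnel monitors are down, the lookup falls through to the default route, so traffic for the remote subnet would leave the ISP interface unencrypted unless a more specific route with a Discard next hop (or a security policy) stops it.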

Hello

 

Is there a way to enable preemption? Meaning, if my primary ISP is back, can I switch back to the primary tunnel automatically?

 

Thank You
