01-28-2018 11:54 AM - edited 01-28-2018 02:55 PM
Hello Everyone,
I know there is a fair amount of information on this topic, but I have a few issues/questions.
I have a PA-220 with PAN-OS 8.0.7. My questions relate to dual ISP connectivity. I would like to set up my PA with a backup ISP connection. I do have IPsec tunnels, but I am allowing the second tunnel to negotiate when the backup ISP comes up, so both tunnels don't have to be "up and ready".
I have read the following article, which is based on 2 VRs with PBFs to push traffic to the primary ISP with monitoring. When monitoring fails, it will "fail over" to use the second ISP.
I have also read the following article, which I believe is now applicable in PAN-OS 8. This configuration uses 2 default routes. The first one has a lower metric, let's say 10, with monitoring enabled, and the second default route has a higher metric, let's say 50.
Basically, can I achieve dual ISP with tunnels available on both untrusted ISP connections with the second article (default routes and path monitoring)? Again, I don't mind the short amount of time for tunnel negotiation. It's a branch office PA and I don't really want to configure 2 VRs.
Thank you, I really appreciate any help on this.
01-29-2018 01:27 AM
Hi @Nick.Spender!
Yes, this should work.
The first article highlights a scenario that guarantees minimum downtime because both your tunnels are up. If a short downtime is not a big concern, you can simply use the static route removal in PAN-OS 8.0.
01-29-2018 02:28 AM
Thank you Reaper.
I am testing the path monitoring route now... let's see how it goes.
Thank you for all your comments and replies.
01-29-2018 06:10 AM - edited 01-29-2018 06:11 AM
I am setting up each of the above articles, currently testing the path monitoring method for static routes. When I fail over the ISP I get a really strange issue: it's not tearing down the tunnel connected to 1/1.
01-29-2018 06:19 AM
Did you enable tunnel monitor in the IPsec configuration?
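As an added illustration (not part of the thread), the following PAN-OS 8.0-style CLI fragment shows the two pieces being discussed together: two default routes with different metrics, path monitoring on the primary route, and a tunnel monitor profile with the fail-over action so the tunnel over ethernet1/1 is torn down when its path dies instead of lingering. The set-command syntax is recalled from PAN-OS 8.0 and should be verified with `?` tab-completion on the device; the addresses are constructed RFC 5737 examples, the object names are assumptions, and lines starting with `#` are annotations the CLI does not accept.

```text
# --- Primary ISP on ethernet1/1: default route with metric 10 and path monitoring ---
set network virtual-router default routing-table ip static-route ISP1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route ISP1-default path-monitor enable yes failure-condition any hold-time 2
# Monitor destination: ping from the ethernet1/1 address (assumed 203.0.113.2/24) to the ISP gateway every 3s, fail after 5 misses.
# Monitoring the next hop only detects a dead first hop; an upstream address catches ISP-side outages too.
set network virtual-router default routing-table ip static-route ISP1-default path-monitor monitor-destinations ISP1-gw enable yes source 203.0.113.2/24 destination 203.0.113.1 interval 3 count 5

# --- Backup ISP on ethernet1/2: default route with metric 50, no monitoring ---
# Installed in the FIB only while the metric-10 route is withdrawn by path monitoring.
set network virtual-router default routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 50

# --- Tunnel monitor with fail-over action (addresses the "tunnel on 1/1 never tears down" symptom) ---
# Tunnel monitoring needs an IP on the local tunnel interface; destination-ip is the remote tunnel interface address.
set network profiles monitor-profile tunnel-failover action fail-over interval 3 threshold 5
set network tunnel ipsec ISP1-to-HQ tunnel-monitor enable yes destination-ip 10.10.10.1 tunnel-monitor-profile tunnel-failover
```

After committing, `show routing route` shows which default route is active and `show vpn flow` shows the tunnel state, so a failover test can be confirmed from the CLI rather than by waiting for user reports.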
01-29-2018 06:31 AM
Ah, that's a problem...
OK, so how about you only create one tunnel locally, since the remote end will remain the same destination IP, and create a dynamic tunnel on the remote end (identification of the PANW peer by means of email address or hostname for phase 1 instead of its IP)?
Then you could simply fail over the 1 tunnel to the second ISP and your remote peer will simply see a new tunnel coming from a different source IP.
01-29-2018 06:58 AM
When you say "then you could simply fail over the 1 tunnel to the second ISP and your remote peer will simply see a new tunnel coming from a different source IP", is that a manual process?
Thanks again 😉
01-29-2018 07:23 AM
That should happen automatically: your primary default gateway fails, so your tunnel will resort to using the second default gateway to try and get to the remote end.
Thinking about this a bit more, maybe I should try reproducing this in the lab... (I haven't set this scenario up live yet; there may be complications.)
There are a few complicating factors that could ruin the party.
01-29-2018 07:27 AM
On a side note... do you think the other article (the 2 VR method) would cause the same issues?
01-29-2018 07:33 AM
Hello @Nick.Spender,
I would just like to point out that you do not need two separate VRs for this type of scenario. I have done it multiple times with just 1 VR and PBF with static route failover. The other way is to use a dynamic routing protocol and add route costs to the link you call secondary.
Regards,
01-29-2018 07:40 AM
But what about the 2 default routes?
With 1 VR you can't use 2 default routes unless you use path monitoring for the 0.0.0.0/0 routes?
01-29-2018 07:45 AM
Hello,
There would only be one default route in the VR, i.e. the backup path. The PBF would be the primary route with a monitor and a disable option. Since PBF takes effect before the routing table, the default route will not be used unless the PBF is down.
Hope that makes sense.
01-29-2018 07:47 AM
Ah OK, but then you run into this issue.