01-28-2018 11:54 AM - edited 01-28-2018 02:55 PM
Hello everyone,
I know there is a fair amount of information on this topic, but I have a few issues/questions.
I have a PA-220 with PAN-OS 8.0.7. My questions relate to dual ISP connectivity. I would like to set up my PA with a backup ISP connection. I do have IPsec tunnels, but I am allowing the second tunnel to negotiate when the backup ISP comes up, so both tunnels don't have to be "up and ready".
I have read the following article, which is based on 2 VRs with PBF to push traffic to the primary ISP with monitoring. When monitoring fails, it will "fail over" to use the second ISP.
I have also read the following article, which I believe is now available in PAN-OS 8. This configuration uses 2 default routes. The first one will have a lower metric, let's say 10, with monitoring enabled, and the second default route has a higher metric, let's say 50.
Basically, can I achieve dual ISP with tunnels available on both untrusted ISP connections with the second article (default routes and path monitoring)? Again, I don't mind the short amount of time for the tunnel to negotiate. It's a branch office PA and I don't really want to configure 2 VRs.
Thank you, I really appreciate any help on this.
01-29-2018 07:57 AM
Hmm, I currently have a site that has one ISP but connects to two different data centers. I use PBF to send all traffic down one tunnel and it works just fine. I also have a site that has 1 p2p connection and a VPN tunnel to the same data center, and the PBF also seems to work just fine. I think the newer code fixed the behavior in the article you mentioned?
Perhaps @reaper can verify.
01-29-2018 08:40 AM
Hi guys,
Please keep in mind the IPsec connection is a system-sourced connection, so it cannot be directed via PBF, but it can via static routes, with or without a separate VR depending on your needs (if the remote end has 2 IPs you won't necessarily need 2 VRs, because you can create 2 separate-identity IPsec connections).
The traffic you put on the tunnels is not system-sourced, so it can be controlled by PBF.
The 2-VR method is so you can create 2 'live' tunnels to the same endpoint, but as long as you can switch up parameters and add creative static routes, it is not mandatory.
01-29-2018 08:42 AM
OK, that makes more sense, since my two tunnels are already up and connected. I do have static routes for the public IP endpoints of those tunnels, and my PBFs are only for traffic behind the firewalls.
01-29-2018 09:37 AM
Hello. Yeah, that would be good if you could give it a test in your lab... I'd like to know the outcome.
01-29-2018 12:10 PM
Wouldn't I need 2 tunnels... as one is for ISP 1 and the other is for ISP 2?
Thank you.
01-29-2018 12:36 PM
Are both sides PANs?
01-30-2018 03:49 PM - edited 01-30-2018 03:50 PM
@reaper, hope you're all good.
Did you manage to set up the route path monitoring lab?
Do you think it's okay to monitor both default routes?
Also, I have set up tunnel monitoring... I read you can configure this even if the tunnel is to a non-PA device. Is this recommended? Any way to truly test that the configured tunnel monitoring is doing what it's meant to do?
Side note: would you path-monitor the tunnel routes if the tunnel monitoring is working?
Another side note: are there any issues with path-monitoring any of my routes? Surely if the route fails path monitoring, it just gets removed from the RIB and FIB.
Cheers
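Editor's note: the single-VR layout the thread settles on (two default routes with metrics 10 and 50, path monitoring on the primary, and host routes that pin each IKE peer to its own ISP because IKE/ESP is system-sourced and bypasses PBF) is shown below as an added example. It is not configuration from the thread or from Palo Alto Networks; the set-command syntax is written from memory of the PAN-OS 8.0 CLI and should be verified with `?` completion before committing, and every address (RFC 5737 documentation ranges), interface name and route name is constructed for illustration.

```text
configure

# Two default routes in one VR: ISP1 on ethernet1/1 is preferred (metric 10),
# ISP2 on ethernet1/2 is the backup (metric 50). Only the lowest metric is installed in the FIB.
set network virtual-router default routing-table ip static-route ISP1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 50

# Path monitoring on the primary default route only. Two far-side targets with
# failure-condition "all": the route is withdrawn from the RIB/FIB only when both
# stop answering, so one flaky target does not cause a failover. When it is withdrawn,
# ISP2-default becomes the active default route; it returns after hold-time minutes of clean probes.
set network virtual-router default routing-table ip static-route ISP1-default path-monitor enable yes failure-condition all hold-time 2
set network virtual-router default routing-table ip static-route ISP1-default path-monitor monitor-destinations PEER-A enable yes source 203.0.113.2/24 destination 192.0.2.10 interval 3 count 5
set network virtual-router default routing-table ip static-route ISP1-default path-monitor monitor-destinations PROBE-2 enable yes source 203.0.113.2/24 destination 192.0.2.100 interval 3 count 5

# Host routes that pin each IKE peer to its own ISP. The head end has two public IPs,
# one per tunnel, so no second VR is needed. The IKE gateway for peer A should use
# ethernet1/1 as its local address and the one for peer B ethernet1/2.
set network virtual-router default routing-table ip static-route PEER-A-via-ISP1 destination 192.0.2.10/32 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route PEER-B-via-ISP2 destination 192.0.2.20/32 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 10

# Remote LAN reachable through either tunnel interface, same metric split as the default routes.
set network virtual-router default routing-table ip static-route REMOTE-via-T1 destination 10.20.0.0/16 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route REMOTE-via-T2 destination 10.20.0.0/16 interface tunnel.2 metric 50

commit
```

A few practitioner caveats on this layout. Leaving ISP2-default unmonitored is deliberate: it is only ever used once ISP1-default has been withdrawn, and monitoring it too would mean that a simultaneous probe failure on both leaves the VR with no default route at all rather than a best-effort one. The tunnel routes do not need path monitoring when tunnel monitoring is configured with the fail-over action, since that action marks the tunnel interface down and removes REMOTE-via-T1 from the FIB on its own, letting REMOTE-via-T2 take over; path monitoring on top of that only adds a second, possibly disagreeing, opinion. To check the behaviour rather than trust it, pull the ISP1 cable (or null-route the probe targets upstream) and watch `show routing route` and `show routing fib` for ISP1-default to disappear and ISP2-default to appear, then confirm the second tunnel negotiates with `show vpn ike-sa` and `show vpn flow`.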