This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PanOS6 - Redundant VPN Tunnels

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PanOS6 - Redundant VPN Tunnels

Go to solution
gafrol
L4 Transporter

‎07-28-2015 09:11 AM

Hi all,

I cannot find an easy solution to this problem of having an automatic failover once the primary VPN tunnel goes down. Goal is to have both Tunnels up and runnig at the same time, once the primary VPN tunnel dies it will automatically use the other remaining backup tunnel. Remote Peer IP (195.186.255.x) stays the same for both tunnels. Currently the VPN is up and running through the Primary VPN Path only.

Any ideas ? Thanks

Bildschirmfoto 2015-07-28 um 14.34.41.png

Currently there is one VR with a static route to 195.186.255.x via SC Router 1. The LAN behind VPN EP Cisco is routed into Tunnel.1 interface.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
santonic
L6 Presenter

‎07-29-2015 03:29 AM

Fail-over tunnel monitoring profile on both tunnels, 2 static routes with different metric for network behind VPN, each directing into one tunnel interface.

View solution in original post

5 REPLIES 5

Go to solution
pankaku
L5 Sessionator

‎07-28-2015 09:38 AM

Please refer to following document

How to Configure a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover

0 Likes Likes

Go to solution
santonic
L6 Presenter

‎07-29-2015 03:29 AM

Fail-over tunnel monitoring profile on both tunnels, 2 static routes with different metric for network behind VPN, each directing into one tunnel interface.

Go to solution
gafrol
L4 Transporter
In response to santonic

‎07-29-2015 05:03 AM

Still does not solve the Tunnel remote Peer IP Problem. Cannot have multipath routes to same remote peer IP at the same time, except for PanOS7 and ECMP.

I guess we need to have a second remote Peer IP Address in order to have both tunnels up at the same time.

0 Likes Likes

Go to solution
santonic
L6 Presenter
In response to gafrol

‎07-29-2015 05:34 AM

Ahh, thought you already have both tunnels up. I usually do such scenario with 3 VRs, one for each ISP or external interface (so you can have multiple default routes) and one VR for local interfaces including tunnel interfaces. Then you can have both tunnels up all the time.

Go to solution
gafrol
L4 Transporter
In response to santonic

‎07-29-2015 05:43 AM

Interesting approach thank you. I will give it a try.

0 Likes Likes
  • 1 accepted solution
  • 6482 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks