PanOS6 - Redundant VPN Tunnels

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PanOS6 - Redundant VPN Tunnels

L4 Transporter

Hi all,

I cannot find an easy solution to this problem of having an automatic failover once the primary VPN tunnel goes down. Goal is to have both Tunnels up and runnig at the same time, once the primary VPN tunnel dies it will automatically use the other remaining backup tunnel. Remote Peer IP (195.186.255.x) stays the same for both tunnels. Currently the VPN is up and running through the Primary VPN Path only.

Any ideas ? Thanks

Bildschirmfoto 2015-07-28 um 14.34.41.png

Currently there is one VR with a static route to 195.186.255.x via SC Router 1. The LAN behind VPN EP Cisco is routed into Tunnel.1 interface.

1 accepted solution

Accepted Solutions

L6 Presenter

Fail-over tunnel monitoring profile on both tunnels, 2 static routes with different metric for network behind VPN, each directing into one tunnel interface.

View solution in original post

5 REPLIES 5

L5 Sessionator

L6 Presenter

Fail-over tunnel monitoring profile on both tunnels, 2 static routes with different metric for network behind VPN, each directing into one tunnel interface.

Still does not solve the Tunnel remote Peer IP Problem. Cannot have multipath routes to same remote peer IP at the same time, except for PanOS7 and ECMP.

I guess we need to have a second remote Peer IP Address in order to have both tunnels up at the same time.

Ahh, thought you already have both tunnels up. I usually do such scenario with 3 VRs, one for each ISP or external interface (so you can have multiple default routes) and one VR for local interfaces including tunnel interfaces. Then you can have both tunnels up all the time.

Interesting approach thank you. I will give it a try.

  • 1 accepted solution
  • 5927 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!