This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PBR on 5.0 with redundant internet connections questions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PBR on 5.0 with redundant internet connections questions

JColby
Not applicable

‎02-06-2013 09:21 AM

Hello All,

New to Palo Alto.  I think PBR is working right.  But functionality is not what I wanted to happen.

I have Cisco DMVPN from all my remote sites to my corporate site.  This tunnel is created inside of the firewall.

my desired affect is to have 2 ISPs.  When the primary fails it dynamically fails over to the secondary internet.  Then when the primary comes recovers from the outage dynamically fail back to the primary ISP.  So VPN and web browsing would not be impacted.

Currently I have PBR set up so the default route is to the secondary ISP.  I have a PBR pointing at the primary watching an IP on the internet.  The NAT is set up accordingly.

What I am seeing.

When the Primary ISP fails.  It dynamically switches to the secondary internet.  What the 5 minutes for the DPDs.  Then all services are up and functional on the secondary link.

When the Primary ISP recovers they new sessions ride the primary ISP path.  Because the VPN is up it does not build a new session on the primary path.  I have to manually delete the session that the VPN tunnel has on the secondary interface.  Then the tunnel is on the primary interface.

Not what I want to happen.

Any feedback.

0 Likes Likes
1 REPLY 1

jvalentine
L7 Applicator

‎02-26-2013 01:31 PM

JColby:

Take a look at this document:

It will take a little time to wrap your head around, but it works quite well.  I set something like this up in the lab not too long ago and it worked like a charm.  Essentially, you'll have 2 VPN tunnels leaving your dual-ISP site, one through each ISP.  This involves configuring a 2nd virtual router, and then policy-forwarding one of the VPN tunnels through the 2nd ISP.  At that point, you should be able to configure a pair of overlapping/redundant routes that point at the VPN tunnels as their next-hop.  Using routing metrics you can influence which tunnels are preferred.

Hope that helps. 

  • 1827 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks