New to Palo Alto. I think PBR is working right. But functionality is not what I wanted to happen.
I have Cisco DMVPN from all my remote sites to my corporate site. This tunnel is created inside of the firewall.
My desired effect is to have 2 ISPs. When the primary fails, it dynamically fails over to the secondary internet. Then when the primary recovers from the outage, it dynamically fails back to the primary ISP, so VPN and web browsing would not be impacted.
Currently I have PBR set up so the default route is to the secondary ISP. I have a PBR pointing at the primary watching an IP on the internet. The NAT is set up accordingly.
What I am seeing:
When the primary ISP fails, it dynamically switches to the secondary internet. Wait the 5 minutes for the DPDs, then all services are up and functional on the secondary link.
When the primary ISP recovers, the new sessions ride the primary ISP path. Because the VPN is up, it does not build a new session on the primary path. I have to manually delete the session that the VPN tunnel has on the secondary interface. Then the tunnel is on the primary interface.
Not what I want to happen.
Take a look at this document:
It will take a little time to wrap your head around, but it works quite well. I set something like this up in the lab not too long ago and it worked like a charm. Essentially, you'll have 2 VPN tunnels leaving your dual-ISP site, one through each ISP. This involves configuring a 2nd virtual router, and then policy-forwarding one of the VPN tunnels through the 2nd ISP. At that point, you should be able to configure a pair of overlapping/redundant routes that point at the VPN tunnels as their next-hop. Using routing metrics you can influence which tunnels are preferred.
Hope that helps.
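To make the routing side of that reply concrete, here is an added model (not PAN-OS code, and not from the reply's author) of why two always-up tunnels with metric-preferred overlapping routes fail back on their own. Each branch route is gated by a constructed path monitor for its ISP; the forwarding lookup picks the longest prefix, then the lowest metric, among routes whose monitor is up. The route names, tunnel names, monitor names and the 10.20.0.0/16 branch prefix are all constructed for the example.

```python
"""Model of the dual-tunnel design: one VPN tunnel per ISP, two overlapping
static routes to the branch, preference by metric, usability by path monitor.
Constructed example; it does not talk to a firewall."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    name: str
    prefix: ipaddress.IPv4Network
    egress: str        # tunnel interface carrying the route (constructed names)
    metric: int        # lower is preferred
    monitor: str       # path monitor that must be up for the route to be used


@dataclass
class VirtualRouter:
    routes: list = field(default_factory=list)
    monitor_state: dict = field(default_factory=dict)  # monitor name -> up?

    def set_monitor(self, name: str, up: bool) -> None:
        self.monitor_state[name] = up

    def lookup(self, dst: str):
        """Return the egress for dst, or None if no usable route matches."""
        addr = ipaddress.IPv4Address(dst)
        usable = [r for r in self.routes
                  if addr in r.prefix and self.monitor_state.get(r.monitor, True)]
        if not usable:
            return None
        # Longest prefix wins; among equal prefixes the lowest metric wins.
        best = min(usable, key=lambda r: (-r.prefix.prefixlen, r.metric))
        return best.egress


def build_vr() -> VirtualRouter:
    """Two routes to the same branch LAN, one per tunnel, metric-ordered."""
    vr = VirtualRouter()
    branch = ipaddress.IPv4Network("10.20.0.0/16")  # constructed branch LAN
    vr.routes.append(Route("branch-via-isp1", branch, "tunnel.1", 10, "isp1"))
    vr.routes.append(Route("branch-via-isp2", branch, "tunnel.2", 20, "isp2"))
    vr.set_monitor("isp1", True)
    vr.set_monitor("isp2", True)
    return vr


def simulate(events):
    """Apply (label, monitor, up) events in order and record the egress chosen
    for a branch host after each one. A monitor of None changes nothing."""
    vr = build_vr()
    trail = []
    for label, monitor, up in events:
        if monitor is not None:
            vr.set_monitor(monitor, up)
        trail.append((label, vr.lookup("10.20.5.7")))
    return trail


OUTAGE_AND_RECOVERY = [
    ("steady state", None, None),
    ("primary ISP down", "isp1", False),
    ("primary ISP back", "isp1", True),
    ("both ISPs down", "isp1", False),
    ("both ISPs down", "isp2", False),
]

if __name__ == "__main__":
    for label, egress in simulate(OUTAGE_AND_RECOVERY):
        print(f"{label:18s} -> {egress}")
```

The point the model makes: because both tunnels stay established, nothing about the VPN session has to be torn down or rebuilt. Fail-back is just the lower-metric route becoming usable again once its monitor recovers, so new flows take tunnel.1 without anyone clearing a session on the secondary interface. The single-tunnel PBR setup in the question cannot do this, because the one tunnel's IKE/ESP session is pinned to whichever ISP it was built over.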