08-28-2011 08:09 AM
We have a branch in a different state to which we have a DS3 MPLS circuit. We and our branch office have their own ISP connections for Internet access. I would like to have redundancy built between both of our companies through an IPsec VPN tunnel in the event the DS3 goes down. So my question is: can I use PBFs to achieve the redundancy? Is PBF capable of monitoring the next-hop link and failing over to the next PBF? Can anyone suggest which path I should take to achieve auto failover from my DS3 to the IPsec VPN tunnel?
12-08-2011 09:33 AM
If the IPsec tunnel is the backup and the MPLS link is the preferred route, then do the following.
1) Set the routing table to choose the tunnel as the best route.
2) Configure a PBF rule that sends traffic out the MPLS link
-- The PBF needs to monitor the next hop or a device along the MPLS path
-- You cannot use PBF to redirect traffic that originates/terminates on the Palo Alto
For example:
If your IPsec tunnel uses eth1 as an endpoint and exits eth1 to build that tunnel, PBF cannot be used to redirect the eth1 IPsec out eth2 instead.
Steve Krall
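The forwarding decision described in the reply above, as an added example that is not part of the original posts and is not PAN-OS code. It is a simplified model that assumes a PBF rule is skipped while its monitor is down; the interface names, the branch prefix 10.20.0.0/16 and the peer address are constructed.

```python
"""Simplified model of PBF-over-routing-table failover (illustrative only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class PbfRule:
    destination: str          # prefix the rule matches
    egress: str               # interface the rule forces traffic out of
    monitor_up: bool = True   # health of the monitored next hop / MPLS path


@dataclass
class Route:
    destination: str
    egress: str


def select_egress(dst, pbf_rules, routes, originated_by_firewall=False):
    """Return the egress interface for a packet to dst, or None if unroutable."""
    addr = ip_address(dst)
    # PBF applies only to transit traffic, and only while its monitor is healthy.
    if not originated_by_firewall:
        for rule in pbf_rules:
            if rule.monitor_up and addr in ip_network(rule.destination):
                return rule.egress
    # No usable PBF rule: fall back to the routing table (longest-prefix match).
    matches = [r for r in routes if addr in ip_network(r.destination)]
    if not matches:
        return None
    return max(matches, key=lambda r: ip_network(r.destination).prefixlen).egress


# Constructed sample: routing table prefers the tunnel, PBF prefers MPLS.
BRANCH_NET = "10.20.0.0/16"
ROUTES = [Route(BRANCH_NET, "tunnel.1"), Route("0.0.0.0/0", "ethernet1/1")]


def demo():
    mpls = PbfRule(BRANCH_NET, "ethernet1/2")
    normal = select_egress("10.20.5.9", [mpls], ROUTES)    # MPLS healthy
    mpls.monitor_up = False
    failed = select_egress("10.20.5.9", [mpls], ROUTES)    # DS3 down
    # Tunnel packets built by the firewall itself ignore even a catch-all PBF rule.
    catch_all = PbfRule("0.0.0.0/0", "ethernet1/2")
    ike = select_egress("203.0.113.10", [catch_all], ROUTES,
                        originated_by_firewall=True)
    return normal, failed, ike


if __name__ == "__main__":
    print(demo())
```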
05-15-2013 01:09 AM
I am looking for this exact configuration. Were you able to get it working as expected using PBF?