- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
07-26-2022 01:40 AM - edited 07-26-2022 02:17 AM
Hello everyone,
I have a case, where we have configured two site-to-site VPN connections to our partner's primary and backup datacenters. Both tunnels are policy-based IPsec VPNs with Proxy-IDs configured and both use the same local/remote inner IP addresses. This is a single ISP/single virtual router environment.
For example this is a sample config of two Proxy-IDs in one tunnel:
Now exact same proxy ID configuration is present in second tunnel as well. My question is, how do we make tunnel1 preferred egress point for outgoing packet flow and how do we implement failover to tunnel2, in case tunnel1:proxyid sub-tunnels go down?
I can't use any routing solutions or tunnel monitor as it's a policy-based VPN. There are no routes regarding those remote networks and also tunnels have no IP addresses configured for themselves.
ADD: Maybe there is a mechanism in PAN-OS similar to reverse-route in IOS, that can inject routes based on proxy IDs? That could solve the problem with variable AD or metric per route injection.
10-24-2023 01:35 PM
I use path monitoring on our ISP connectivity but for the record I do NOT have path monitoring for our IPSEC tunnel connections just the tunnel monitors. In testing, it fails over w/o any trouble.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!