05-22-2018 02:44 AM
We have two PA devices.(850 and 500).They are located in different sites.Both firewalls have two connections to Internet via 2 different ISPs
We want to make Site to Site VPN between these sites.But make it redundant.Two VPN connections between sites through different ISPs
I can not find any manual how one can configure this schema
Please post some guide if you know
05-22-2018 11:53 PM
Here's a guide we used on our site-to-site VPN with two ISP. I just followed the guide step by step. Hope this helps you!
07-06-2021 03:57 PM
I think @Radmin_85 needs an instruction for dual ISP at "both" site, just like below topology.
I am looking for the same solution. We are using hub-spoke site-to-site VPN topology and both hub (HQ) and spoke (branch) have dual ISPs. The URL you shared seems could not be applied to dual ISP at both sites situation. Is there any other advice you could share?
07-07-2021 09:33 AM
Here is something I have done in the past and works well. This will utilize one tunnel until there is a failure then fail over.
Then use OSPF to regulate the priority of the tunnels if you are getting asymetric traffic issues.
This is highly simplified but should work if one of the ISP's goes down, OSPF will reroute automatically. You can use Policy Based Forwarding for the static routes between the VPN IP's and they can disable as required.
Hope that makes sense.
07-07-2021 01:52 PM
Thank you, @OtakarKlier . I will need some time to verify your suggestion because currently I am using 2VRs with PBF by following this article, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK. Due to it's production devices, I will not be able to test it in a short time, but your advice seems work. I just need find a time to figure out the detail configuration.
07-07-2021 02:23 PM
Yeah I was never a huge fan of the 2 VR solution. The method I described only requires 1 VR.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!