Redundancy VPN between two sites with two ISP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Redundancy VPN between two sites with two ISP

L4 Transporter

HELLO ALL

We have two PA devices.(850 and 500).They are located in different sites.Both firewalls have two connections to Internet via 2 different ISPs

We want to make Site to Site VPN between these sites.But make it redundant.Two VPN connections between sites through different ISPs

I can not find any manual how one can configure this schema

Please post some guide if you know

Thanks

5 REPLIES 5

L2 Linker

Hi @Radmin_85

 

Here's a guide we used on our site-to-site VPN with two ISP. I just followed the guide step by step. Hope this helps you!

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

Hi @theonewhoknocks 
I think @Radmin_85 needs an instruction for dual ISP at "both" site, just like below topology. 

aaa.JPG

I am looking for the same solution. We are using hub-spoke site-to-site VPN topology and both hub (HQ) and spoke (branch) have dual ISPs. The URL you shared seems could not be applied to dual ISP at both sites situation. Is there any other advice you could share?

Cyber Elite
Cyber Elite

Hello,

Here is something I have done in the past and works well. This will utilize one tunnel until there is a failure then fail over.

  • Using @YifengLiu diagram above:
    • setup the external ethernet interfaces for their respective ISP's
    • Make sure your policies allow the traffic
    • build first tunnel BLR-PAN eth 1/1 to AZ-PAN eth 1/1. Setup an IP address for each tunnel interface (makes troubleshooting easier)
      • Verify traffic can flow
    • Setup OSPF between the two PAN's
      • Verify adjacency
      • verify route propagation
    • Build the rest of the 3 VPN Tunnels:
      • BLR-PAN eth 1/2 to AZ-PAN eth 1/1
      • BLR-PAN eth 1/1 to AZ-PAN eth1/2
      • BLR-PAN eth 1/2 to AZ-PAN eth 1/2

Then use OSPF to regulate the priority of the tunnels if you are getting asymetric traffic issues.

  • i.e.
    • BLR-PAN eth1/1 to AZ-PAN eth 1/1 normal Metric
    • BLR-PAN eth 1/1 to AZ-PAN eth 1/2 metric 5000
    • BLR-PAN eth 1/2 to AZ-PAN eth 1/2 metric 10000
    • BLR-PAN eth 1/2 to AZ-PAN eth 1/1 metric 15000 

This is highly simplified but should work if one of the ISP's goes down, OSPF will reroute automatically. You can use Policy Based Forwarding for the static routes between the VPN IP's and they can disable as required.

 

Hope that makes sense.

 

Regards,

 

Thank you, @OtakarKlier . I will need some time to verify your suggestion because currently I am using 2VRs with PBF by following this article, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK. Due to it's production devices, I will not be able to test it in a short time, but your advice seems work. I just need find a time to figure out the detail configuration. 

Cyber Elite
Cyber Elite

Hello,

Yeah I was never a huge fan of the 2 VR solution. The method I described only requires 1 VR.

 

Cheers!

  • 4119 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!