06-21-2019 12:37 AM
Hi Team,
I am just wondering how to make a Dual IPSec VPN Tunnel UP at the same time with redundant ISP links after mapping each ISP in a different VR.
We have configured dual VRs. In that, the Primary ISP port is mapped in the Primary VR and the Secondary ISP port is mapped in the Secondary VR.
Because of the above scenario, bringing Phase 1 UP for the Secondary IPSec Tunnel is not happening, because we have given default route forwarding to the Primary ISP in the Primary VR.
So all the traffic is getting established via the Primary ISP. I then tried creating a PBF policy for traffic sourcing from the Trusted interface to the Tunnel N/Ws to forward on the Secondary IPSec Tunnel Interface. However, Phase 1 of the Secondary Tunnel is still not coming UP.
Is there any option to have this requirement accomplished? I am eagerly waiting for your inputs on the same. Thanks in advance!!
Best Regards,
Sahul Hameed
06-24-2019 08:21 AM
Hello,
While you don't need the dual VRs, to get the tunnel up that doesn't have traffic flowing over it, use the CLI test command.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
Hope that helps.
06-24-2019 02:00 PM
Well, based on the picture you uploaded, you seem to be familiar with the proper document that discusses Dual VPN with failover.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK
I have set this up 2x with customers and used the above document as my bible.
Steve
06-24-2019 02:38 PM
While IP addresses on the tunnel interfaces aren't a requirement, in your case they would be recommended. Then you can enable tunnel monitoring as they cover in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK shared by SteveCantwell. This, along with Dead Peer Detection, is a good way to keep the tunnel up and operational.
Another method is to use an IP address on the far-end VPN device in a /32 or /30 etc. that can be in a route specific to that tunnel. Either use a dynamic routing protocol for the constant neighbor traffic, or a static route and a monitoring device that sends ICMP to the far end of that VPN tunnel device, keeping "interesting" traffic going over the tunnel.
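As an added example (not from any reply in this thread or from the linked KB articles), here is the approach the replies describe for the secondary tunnel, written as PAN-OS set-format CLI: an address on the tunnel interface, a per-tunnel /32 route to the far-end peer via the secondary ISP link inside the secondary VR, tunnel monitoring to keep traffic flowing, and the test commands that force negotiation. The VR, interface, gateway and tunnel names and all addresses are constructed placeholders, lines starting with # are annotations rather than CLI input, and the syntax is recalled from PAN-OS and should be checked against your release.

```text
# --- configuration mode (constructed example, placeholder names/addresses) ---
configure
# Give the secondary tunnel interface an address so it can be monitored, and bind it to the secondary VR
set network interface tunnel units tunnel.2 ip 10.255.0.2/30
set network virtual-router Secondary-VR interface tunnel.2
# /32 route to the far-end peer's public address via the secondary ISP link (ethernet1/2),
# placed in the secondary VR so IKE/ESP for this peer always leaves through the secondary ISP
set network virtual-router Secondary-VR routing-table ip static-route to-peer-b destination 203.0.113.10/32 interface ethernet1/2 nexthop ip-address 198.51.100.1
# Route the remote tunnel network through tunnel.2 in the secondary VR
set network virtual-router Secondary-VR routing-table ip static-route to-remote-lan destination 192.168.20.0/24 interface tunnel.2
# Tunnel monitor toward the peer's tunnel-interface address keeps "interesting" traffic going,
# so Phase 1/Phase 2 are (re)negotiated without waiting for user traffic
set network tunnel ipsec vpn-to-peer-b tunnel-monitor enable yes
set network tunnel ipsec vpn-to-peer-b tunnel-monitor destination-ip 10.255.0.1
set network tunnel ipsec vpn-to-peer-b tunnel-monitor tunnel-monitor-profile default
commit
exit

# --- operational mode: force negotiation and verify ---
test vpn ike-sa gateway ike-gw-peer-b
test vpn ipsec-sa tunnel vpn-to-peer-b
show vpn ike-sa gateway ike-gw-peer-b
show vpn ipsec-sa tunnel vpn-to-peer-b
show vpn flow
```

If the IKE gateway is bound to the secondary ISP interface, the /32 route in the secondary VR is what decides which link the IKE packets leave on; check the VR's route table (show routing route virtual-router Secondary-VR) if Phase 1 still stays down.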