VPN failover with Dual ISP with single VR & single Firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN failover with Dual ISP with single VR & single Firewall

L2 Linker

Hi,

       Below link explains about vpn failover with dual isp and dual vr, but cant I use same VR.

       https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

 

Why its mandtory to use two VR.

 

with regards,

Ram

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @RamBalaji

 

dual VR is optimal so you have 2 default routes so each IPSEC connection has a unique route out (else yuou can only have 1 default gateway and both tunnels would go out of the same interface)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

8 REPLIES 8

Cyber Elite
Cyber Elite

Hi @RamBalaji

 

dual VR is optimal so you have 2 default routes so each IPSEC connection has a unique route out (else yuou can only have 1 default gateway and both tunnels would go out of the same interface)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Can you please explain in detail i couldn't understand..

 

with regards,

Ram

for you to be able to make an outbound ipsec connection ,you need to initiate a connection from you rsystem out to the internet

for your packets to reach their final destination ,a route lookup needs to occur an d a routing decission to which interface your packets should egrtess out of

 

If you only have 1 VR, only 1 default route can be active so both your tunnels will egress out of the same interface

 

If you are able to add host routes you could try to point each tunnel's destination IP out of a different interface, this could allow for a single VR setup.

 

If you are not able to add a host route (if your ISP assigns you a dynamic IP for example) you will need to rely on the default route. In this case, you will need an additional VR so each ISP can have it's own default route and each tunnel will only be active on the VR with the preferred ISP's default route

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

What if I did it this way?
1 VR, First peer public IP reached via default route via ISP1. Second peer public IP reached via /32 static route pointing to ISP2.

That should work

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello,

Yes this can work. I have set it up multiple times over the years. Then I either use a Policy Based Forwarding rule or OSPF weights to determine which path I want to use as primary and secondary, etc.

 

Regards,

How about if i did it this way,  

1 VR, First peer public IP reached via default route via isp1, Same Peer Public IP reached via PBF Pointing to ISP2 ( Condition of Source Address for Tunnel  and Destination of same Peer IP )

L0 Member

to confirm this is not possible with single VR going to same public IP?

 

I have VPN 1 - going through unique public IP to branch public IP

I have VPN 2 - going through unique public IP to same branch public IP

 

This is the same VR. To confirm this is not possible? I tried to move to dual VR but i caused a ton of routing issues and I had to revert. Will try dual VR set up again if its the only way possible. 

  • 1 accepted solution
  • 7814 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!