VPN failover with Dual ISP with single VR & single Firewall


L2 Linker

Hi,

The link below explains VPN failover with dual ISP and dual VR, but can't I use the same VR?

       https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

 

Why is it mandatory to use two VRs?

 

with regards,

Ram


Accepted Solutions
L7 Applicator

Hi @RamBalaji

 

Dual VR is optimal so you have 2 default routes, so each IPsec connection has a unique route out (else you can only have 1 default gateway and both tunnels would go out of the same interface).

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374



All Replies

L2 Linker

Can you please explain in detail? I couldn't understand.

 

with regards,

Ram

L7 Applicator

For you to be able to make an outbound IPsec connection, you need to initiate a connection from your system out to the internet.

For your packets to reach their final destination, a route lookup needs to occur and a routing decision made as to which interface your packets should egress out of.

 

If you only have 1 VR, only 1 default route can be active, so both your tunnels will egress out of the same interface.

 

If you are able to add host routes, you could try to point each tunnel's destination IP out of a different interface; this could allow for a single VR setup.

 

If you are not able to add a host route (if your ISP assigns you a dynamic IP, for example), you will need to rely on the default route. In this case, you will need an additional VR so each ISP can have its own default route, and each tunnel will only be active on the VR with the preferred ISP's default route.

 

Tom Piens - PANgurus.com
L3 Networker

What if I did it this way?
1 VR: first peer public IP reached via the default route via ISP1; second peer public IP reached via a /32 static route pointing to ISP2.

L7 Applicator

That should work.

Tom Piens - PANgurus.com
Cyber Elite

Hello,

Yes this can work. I have set it up multiple times over the years. Then I either use a Policy Based Forwarding rule or OSPF weights to determine which path I want to use as primary and secondary, etc.

 

Regards,

L1 Bithead

How about if I did it this way:

1 VR: first peer public IP reached via the default route via ISP1; the same peer public IP reached via PBF pointing to ISP2 (condition: source address of the tunnel and destination of the same peer IP).
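As an added example (not part of this thread and not PAN-OS code), the script below simulates the two lookup mechanisms the replies above rely on: a single virtual router's longest-prefix-match routing table, where only one of two default routes can ever be active, and policy-based forwarding, which is evaluated on source/destination before the routing table. It walks through Tom's "two defaults in one VR" case, the /32 host-route design from the L3 Networker's post, an ISP1 outage where path monitoring withdraws the ISP1 default, and the PBF variant from the last post. All interface names, gateways and peer addresses are constructed RFC 5737 documentation values; the `disable-if-unreachable` behaviour of the PBF rule is an assumption about how the rule is configured, not something the thread states.

```python
"""Simulated single-VR route decision for dual-ISP IPsec egress.
Added example; models only longest-prefix FIB lookup with a metric tie-break
and PBF matched before the FIB. Addresses are constructed RFC 5737 values."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    nexthop: str
    metric: int = 10
    up: bool = True          # False = withdrawn, e.g. by static-route path monitoring


@dataclass
class PBFRule:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    interface: str
    nexthop: str
    up: bool = True          # False = the rule's monitor failed and the rule is disabled


class VirtualRouter:
    def __init__(self):
        self.routes, self.pbf = [], []

    def add_route(self, prefix, interface, nexthop, metric=10):
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, nexthop, metric))

    def add_pbf(self, src, dst, interface, nexthop):
        self.pbf.append(PBFRule(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                                interface, nexthop))

    def set_route_up(self, prefix, interface, up):
        for r in self.routes:
            if r.prefix == ipaddress.ip_network(prefix) and r.interface == interface:
                r.up = up

    def fib_lookup(self, dst):
        """Longest prefix wins; equal prefixes are tie-broken by lowest metric,
        so two 0.0.0.0/0 routes in one VR can never both be active at once."""
        ip = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if r.up and ip in r.prefix]
        if not cands:
            return None
        best = max(cands, key=lambda r: (r.prefix.prefixlen, -r.metric))
        return best.interface

    def egress(self, src, dst):
        """PBF is consulted before the routing table; a disabled rule is skipped."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.pbf:
            if rule.up and s in rule.source and d in rule.destination:
                return rule.interface
        return self.fib_lookup(dst)


# Constructed addressing (RFC 5737 documentation ranges), not real sites.
ISP1_IF, ISP1_ADDR, ISP1_GW = "ethernet1/1", "203.0.113.10", "203.0.113.1"
ISP2_IF, ISP2_ADDR, ISP2_GW = "ethernet1/2", "198.51.100.10", "198.51.100.1"
PEER1, PEER2 = "192.0.2.50", "192.0.2.60"


def build_vr(with_host_route):
    """One VR: default via ISP1 (metric 10), backup default via ISP2 (metric 20),
    and optionally a /32 host route pinning PEER2 to ISP2."""
    vr = VirtualRouter()
    vr.add_route("0.0.0.0/0", ISP1_IF, ISP1_GW, metric=10)
    vr.add_route("0.0.0.0/0", ISP2_IF, ISP2_GW, metric=20)
    if with_host_route:
        vr.add_route(PEER2 + "/32", ISP2_IF, ISP2_GW)
    return vr


def egress_for_peers(vr):
    return vr.egress(ISP1_ADDR, PEER1), vr.egress(ISP2_ADDR, PEER2)


def scenario_two_defaults_only():
    """Only default routes: both tunnels leave via the lowest-metric default."""
    return egress_for_peers(build_vr(with_host_route=False))


def scenario_host_route():
    """A /32 for PEER2 via ISP2 gives each tunnel its own egress interface."""
    return egress_for_peers(build_vr(with_host_route=True))


def scenario_isp1_down():
    """Path monitoring withdraws the ISP1 default: PEER1 falls back to the ISP2
    default; PEER2 is unaffected because its /32 already pointed at ISP2."""
    vr = build_vr(with_host_route=True)
    vr.set_route_up("0.0.0.0/0", ISP1_IF, up=False)
    return egress_for_peers(vr)


def scenario_pbf_same_peer():
    """Same peer IP for both tunnels: a PBF rule keyed on the ISP2-sourced tunnel
    sends it via ISP2 while the ISP1-sourced tunnel follows the default route.
    When the rule's monitor disables it, both fall back to the FIB."""
    vr = build_vr(with_host_route=False)
    vr.add_pbf(ISP2_ADDR + "/32", PEER1 + "/32", ISP2_IF, ISP2_GW)
    normal = (vr.egress(ISP1_ADDR, PEER1), vr.egress(ISP2_ADDR, PEER1))
    vr.pbf[0].up = False
    fallback = (vr.egress(ISP1_ADDR, PEER1), vr.egress(ISP2_ADDR, PEER1))
    return normal, fallback


if __name__ == "__main__":
    print("two defaults only  :", scenario_two_defaults_only())
    print("with /32 host route:", scenario_host_route())
    print("ISP1 default down  :", scenario_isp1_down())
    print("PBF, same peer IP  :", scenario_pbf_same_peer())
```

Two practical checks follow from the model. First, the /32 host route only keeps the second tunnel on ISP2 while that route is installed, so tie it to path monitoring (or equivalent) so it is withdrawn when ISP2 fails rather than black-holing the tunnel. Second, in the PBF fallback case the tunnel sourced from the ISP2 interface address ends up leaving via ISP1; most ISPs drop packets with a source address that is not theirs, so that tunnel should be expected to fail rather than fail over, which is exactly why the dual-VR design keeps a separate default route per ISP.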
