VPN FAILOVER

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN FAILOVER

L4 Transporter

there are two offices.branch and head.in head office there is palo alto networks NGFW and in branch office it is Kerio Control.in each office there are 2 connections two different ISPs.

Is it possible to make VPN tunnel failover between these offices by kerio control in one side and palo alto networks in orher?image002 (1).png

10 REPLIES 10

L2 Linker

Yes.

Cyber Elite
Cyber Elite

@Radmin_85,

Were you looking for the details on how you would accomplish this or did you simply want to verify the PA could do this function? 

i want to know whether PA can do this function in conjuction with Kerio control?

@Radmin_85,

I can't speak on the Kerio Control side as I don't know anything about them, but the PA can handle this perfectly fine and won't give you any issues once properly configured. 

can you give me some detailed technical info or source from PA side?

On PA the general feature for VPN failover is Tunnel Monitoring.  This is described here.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/Dead-Peer-Detection-and-Tunnel-Monitorin...

 

A fuller example of implementing VPN failover between two ISP is in this configuration example.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

it didnt work.we tried this issue.

we have to create two vpn tunnels between kerio and PA. One tunnel we can do but other one doesnt go up.there is no info in logs.tunnel just doesnt go up

You will need the logs from the responder for the reasons.

 

They are using different gateways right?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

yes both offices use different gateways.i mean they both have two separate connection to two  different ISPs.you mean logs from Kerio side?

If you don't have logs for the vpn I am assuming the PA is the initiator.  The best failure logs are on the responder side of the VPN negociation.  

 

If you don't have access to that side logs, you can enable the cli option for more logs.

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-IPSec-VPN-connectivity-...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 4428 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!