This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GP disconnects in a set up with two ISPs when the primary link is down and users try to connect using the secondary link

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GP disconnects in a set up with two ISPs when the primary link is down and users try to connect using the secondary link

FabioPiluso
L1 Bithead

‎05-09-2022 06:58 AM

Good morning,

in production we have a pair of PA-440 in HA (10.1.5). The firewalls have been configured with double VR as described in this article:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK

The firewalls are connected to two Internet links with two different Providers.

We have therefore configured two Portals and two Gateways in order to have two independent VPN connections that can be used simultaneously or when for example one of the ISPs is down.

We are experiencing the following problem:


if both internet links are up, then the two VPNs with GP are working fine.

If instead the primary link is down, then the VPN with the secondary link does not work, more precisely the authentication with the Portal is successful, but then the connection to the Gateway does not work.

We found the exact same behavior also on a PA-820 unit (10.1.4) configured in the same way with double VR and double ISP.

 

In the GP logs we have "gateway-switch-to-ssl" and on GP client we have the error "Failed to verify the certificate" regardless if the auth profile is username/password or client certificates.

 

Could you kindly help us figure out what is not configured correctly?

 

Thank you very much

 

GlobalProtect 

GlobalProtect
Thumbnail of GlobalProtect
Palo Alto Networks
GlobalProtect
Network Security
View on Product Page
0 Likes Likes
2 REPLIES 2

OtakarKlier
Cyber Elite
Cyber Elite

‎05-09-2022 10:27 AM

Hello,

That article is not for Global Protect but for site to site tunnels. I accomplish the same thing without using two VR's but I use OSPF and weighted metrics instead. I think for Global Protect, you would need to utilize something like multiple Gaterways:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU8CAK

 

Regards,

0 Likes Likes

FabioPiluso
L1 Bithead

‎05-09-2022 11:41 PM

Hi,

 

yes I read that article and my set up is as the second picture

0 Likes Likes
  • 1561 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks