in production we have a pair of PA-440 in HA (10.1.5). The firewalls have been configured with double VR as described in this article:
The firewalls are connected to two Internet links with two different Providers.
We have therefore configured two Portals and two Gateways in order to have two independent VPN connections that can be used simultaneously or when for example one of the ISPs is down.
We are experiencing the following problem:
if both internet links are up, then the two VPNs with GP are working fine.
If instead the primary link is down, then the VPN with the secondary link does not work, more precisely the authentication with the Portal is successful, but then the connection to the Gateway does not work.
We found the exact same behavior also on a PA-820 unit (10.1.4) configured in the same way with double VR and double ISP.
In the GP logs we have "gateway-switch-to-ssl" and on GP client we have the error "Failed to verify the certificate" regardless if the auth profile is username/password or client certificates.
Could you kindly help us figure out what is not configured correctly?
Thank you very much
That article is not for Global Protect but for site to site tunnels. I accomplish the same thing without using two VR's but I use OSPF and weighted metrics instead. I think for Global Protect, you would need to utilize something like multiple Gaterways:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!