Paloalto firewall Configure dual ISP dual site-to-site IPSec VPN tunnel failover

From Notes_Wiki
Revision as of 03:11, 8 May 2023 by Saurabh

Home > Enterprise security devices or applications > Paloalto firewall > Configure dual ISP dual site-to-site IPSec VPN tunnel failover

It is possible to have two site-to-site tunnels between two locations with matching proxy-IDs (subnets). In this case the goal is to fail over to the second tunnel if the first IPSec tunnel is down because of an ISP issue at either end. To configure this failover on a Palo Alto firewall:

  1. Configure L3 interface IPs for both tunnel end-points at both ends using Network -> Interfaces -> Tunnel.
    These can be any IPs from a /30 or larger subnet that is unused at both sites.
  2. For failover we can configure "Failover using Tunnel Monitoring". However, with "Failover using Tunnel Monitoring" the PA firewall by default forwards the ping packets for the monitored destination IP over all Phase 2 tunnels when multiple proxy-IDs are configured. This causes tunnel monitoring to fail if the peer side cannot send the replies back over all the Phase 2 tunnels. To make sure the tunnel monitoring traffic is only sent over the proxy-ID that covers its IPs, refer [for VPN Between Palo Alto Networks Firewalls and other device using specific proxy-id]
  3. The other option is to avoid "Failover using Tunnel Monitoring" and use "Failover using Static Route Path Monitoring" instead. In this case, on every static route configured for the destination networks, add path monitoring that pings the L3 tunnel interface IP of the device at the other end. For example, if one end is configured with IP 10.10.10.1 and the other with 10.10.10.2, enable path monitoring to 10.10.10.2 on all static routes for the other side. The routes are then withdrawn whenever 10.10.10.2 is unreachable (i.e. when the IPSec tunnel is down), so traffic falls back to the routes of the second tunnel.
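The PAN-OS CLI equivalent of steps 1 and 3 for two tunnels to one site, added here as an example and not taken from the wiki page. The virtual router name "default", the remote LAN 192.168.100.0/24, the second tunnel's /30 (10.10.20.0/30), the route and monitor names, and the interval/count values are assumed; verify the exact keywords against the CLI reference for your PAN-OS version.

```text
# Added example (not from the wiki page): static-route path monitoring for
# tunnel.1 (ISP A, 10.10.10.1/30 <-> 10.10.10.2) and tunnel.2 (ISP B,
# 10.10.20.1/30 <-> 10.10.20.2, constructed). Remote LAN 192.168.100.0/24 is
# constructed. Mirror the same /30s on the far-end device.

configure

# Step 1: L3 IPs on the tunnel interfaces, both attached to the virtual router
set network interface tunnel units tunnel.1 ip 10.10.10.1/30
set network interface tunnel units tunnel.2 ip 10.10.20.1/30
set network virtual-router default interface [ tunnel.1 tunnel.2 ]

# Step 3, primary path: lower metric, monitored by pinging the far-end tunnel IP.
# failure-condition any = withdraw the route as soon as this monitor fails.
set network virtual-router default routing-table ip static-route remote-lan-isp-a destination 192.168.100.0/24 interface tunnel.1 nexthop ip-address 10.10.10.2 metric 10
set network virtual-router default routing-table ip static-route remote-lan-isp-a path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route remote-lan-isp-a path-monitor monitor-destinations far-end-a enable yes source 10.10.10.1/30 destination 10.10.10.2 interval 3 count 5

# Step 3, backup path: higher metric, same monitoring against its own far end,
# so the backup route is also withdrawn if tunnel.2 is down.
set network virtual-router default routing-table ip static-route remote-lan-isp-b destination 192.168.100.0/24 interface tunnel.2 nexthop ip-address 10.10.20.2 metric 20
set network virtual-router default routing-table ip static-route remote-lan-isp-b path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route remote-lan-isp-b path-monitor monitor-destinations far-end-b enable yes source 10.10.20.1/30 destination 10.10.20.2 interval 3 count 5

commit
exit

# Verification: the FIB should show only the remote-lan route whose monitor is up;
# after ISP A fails, the tunnel.2 route (metric 20) should replace it.
show routing path-monitor
show routing route type static
```

The monitor pings travel inside the tunnel, so a Phase 2 proxy-ID on each side must cover the /30 tunnel IPs as well as the site subnets, otherwise the monitor never comes up and the route stays withdrawn.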

