Basic S2S VPN configurations:
PA-2
1. Two tunnel interfaces, add them to VPN zone
2. With default IKE Crypto profile and IPSec Crypto profile, add two gateways to PA-3 with different local ISP interfaces/IPs to the same peer IP.
3. Add two IPSec Tunnels with different gateways
4. Add two static routes with different Metric
PA-3
1. Two tunnel interfaces, add them to VPN zone
2. With default IKE Crypto profile and IPSec Crypto profile, add two gateways those represent PA-2's two Internet links.
4. Add two static routes with different metric.
===============
VPN failover
1. DPD check peer liveness, when peer is down, however, FW doesn't remove the static route. Hence, DPD itself can't be used for VPN failover.
It takes about 5 minutes to tear down P1 and P2 SAs.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgcCAC
2. Tunnel Monitoring
FW sends ping to monitored destination IP. When monitor fails, tunnel will be down, remote LAN static route will be removed. But static route to remote peer is still active unless it is direct link failure.
Default route Path Monitor is required for indirect ISP failure.
Network > Network Profile > Monitor
If intrazone-default has allow action, no FW rule is required
When ISP1 is down
PA-2:
Related system logs:
3. Use Path Monitoring instead of Tunnel Monitoring
6 ping packets lost during VPN failover.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO
Comments
Post a Comment