How to configure dual IPSec VPN failover using Tunnel Monitoring on a Palo Alto Firewall

The client has two ISPs, AT&T and Comcast. They would like to configure failover site-to-site VPN connecting to AWS. This article shows how to configure dual IPSec VPN failover using Tunnel Monitoring on a Palo Alto firewall.

The configuration is based on this topology.

1. Make sure you have both tunnels configured. Please refer to another video for IPSec Tunnel Configuration.

* Log in to the Palo Alto firewall and go to Network > Interfaces > Tunnel

* Network > IPSec Tunnels

2. There are two ways to do VPN tunnel traffic automatic failover:

1) Failover using Tunnel Monitoring – is used to make sure the VPN tunnel is actually passing traffic. If the primary VPN tunnel (tunnel.1 in our example) goes down, or if there are traffic issues over the VPN, tunnel monitoring detects it and brings the primary tunnel interface down. The route through the primary tunnel interface tunnel.1 is then removed from the forwarding table and the route through the secondary tunnel interface tunnel.100 takes over.

* To configure a Monitor Profile:

Network > Network Profiles > Monitor > Add

Make sure “Fail Over” Option is selected.

* To enable Tunnel Monitor on the IPSec Tunnels:

Network > IPSec Tunnels > Primary-Tunnel (tunnel.1), make sure Enable is checked for Tunnel Monitor.

Configure the destination IP to be monitored and select the configured Monitor Profile “tunnelMonitor”. Note: if you don’t see Tunnel Monitor, click on “Show Advanced Options”.

Repeat the above steps on the Secondary Tunnel (tunnel.100): configure the destination IP to be monitored and select the configured Monitor Profile “tunnelMonitor”.

Note: For tunnel monitoring to work, the tunnel interface must be configured with an IP address.
Once tunnel monitoring on the primary tunnel fails, the tunnel interface status is forced to Down. You can check the status under Network > IPSec Tunnels.

Once traffic through the primary tunnel recovers, the tunnel monitor comes back up and the route through tunnel.1 is installed in the forwarding table again.

When the tunnel monitor goes DOWN or UP, the corresponding entries can be seen in the System logs under Monitor > Logs > System.
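For reference, here is the PAN-OS CLI equivalent of the GUI steps above, added as an example and not taken from the original article. The tunnel names Primary-Tunnel and Secondary-Tunnel, the 169.254.x.x tunnel-interface addresses, the 10.10.0.0/16 AWS prefix and the route names are assumptions; substitute your own values.

```text
# Added example: PAN-OS CLI equivalent of the Tunnel Monitoring failover setup.
# Assumed values: tunnel.1 / tunnel.100, Primary-Tunnel / Secondary-Tunnel,
# 169.254.x.x tunnel addresses, 10.10.0.0/16 as the AWS prefix.
configure

# Tunnel monitoring requires an IP address on each tunnel interface (see the Note above).
set network interface tunnel units tunnel.1 ip 169.254.10.1/30
set network interface tunnel units tunnel.100 ip 169.254.20.1/30

# Monitor profile with the "Fail Over" action: after `threshold` consecutive
# probes sent every `interval` seconds go unanswered, the tunnel interface is
# forced down (3 s / 5 probes are the PAN-OS defaults).
set network profiles monitor-profile tunnelMonitor action fail-over
set network profiles monitor-profile tunnelMonitor interval 3
set network profiles monitor-profile tunnelMonitor threshold 5

# Enable the monitor on both IPSec tunnels; destination-ip is the address on
# the far side of the tunnel that must answer the probes.
set network tunnel ipsec Primary-Tunnel tunnel-monitor enable yes
set network tunnel ipsec Primary-Tunnel tunnel-monitor destination-ip 169.254.10.2
set network tunnel ipsec Primary-Tunnel tunnel-monitor tunnel-monitor-profile tunnelMonitor
set network tunnel ipsec Secondary-Tunnel tunnel-monitor enable yes
set network tunnel ipsec Secondary-Tunnel tunnel-monitor destination-ip 169.254.20.2
set network tunnel ipsec Secondary-Tunnel tunnel-monitor tunnel-monitor-profile tunnelMonitor

# Two static routes to the same AWS prefix. The lower metric via tunnel.1 is
# used while the interface is up; when the monitor forces tunnel.1 down, its
# route leaves the forwarding table and the tunnel.100 route takes over.
set network virtual-router default routing-table ip static-route AWS-via-tunnel1 destination 10.10.0.0/16 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route AWS-via-tunnel100 destination 10.10.0.0/16 interface tunnel.100 metric 20

commit
exit

# Verification (operational mode): tunnel and monitor state, interface status,
# and which of the two routes is currently active.
show vpn flow
show interface tunnel.1
show routing route type static
```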

2) For configuring Failover using Static Route Path monitoring, please view another article.

Please view this step-by-step video:

Published by

Bob Lin

Bob Lin, Chicagotech-MVP, MCSE & CNE. Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on http://www.ChicagoTech.net. How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com.