Palo Alto Dual ISP, ECMP enables the external interfaces and enables IPSEC VPN tunnels.
Good afternoon, as always, thanks for the collaboration and support.
A few doubts: we currently have a PA configured with ECMP, for outbound to the Internet, with two different ISPs. We plan to configure a Site to Site VPN with each of the ISPs.
Here are the doubts, so that you can give me your opinions and suggestions:
Doubt 1: Will I have any problem when I configure the two IPSEC tunnels with the dual ISPs (with ECMP previously enabled), with the IKE/ESP type traffic? Will it generate any conflict or problem with the stability of each IPSEC tunnel? The PA will not have problems with this type of traffic, from its interfaces, with their respective public IPs, with their respective ISPs and peers?
Doubt 2: If I configure, already thinking and focused on the routes, with the tunnel interfaces that are used to declare the routes of each ISP, to reach the same destination, is it feasible to use ECMP for the tunnel interfaces (tunnel.20 and tunnel.21), to send the traffic in a balanced way?
Doubt 3: Thinking about a dual failover scenario, not balancing, but failover, which is better? To use routes with Path Monitoring (at route level, in the Virtual Router VR, not at HA level), so that in case of failure the other route becomes valid in the FIB? Or to use PBF? If I use PBF, I am forced to have the tunnels have an IP at each end to be able to monitor the other peer, right? Because, for example, in the case of Path Monitoring, using an IP of the range that is allowed in the encryption domain is enough for me to sense the IP at the level of Path Monitoring Route, but with PBF, I am forced to have the other end also have an IP on its tunnel interface. What is the recommendation or the best way?
I am not talking about the dual failover type, where one responds and, in case of failure, the other responds, but about ECMP type balancing for VPN IPSEC site to site traffic. This is for Doubt 2.
Thank you very much for your time, I remain attentive to your comments.