Dual ISPs in Active-Active Mode

Learn how to support dual ISPs in an active-active configuration at a GlobalProtect cloud service remote network location.
By default, the GlobalProtect cloud service for remote networks provides support for two ISP links, which operate in active-passive mode. That is, if the primary ISP link goes down, the GlobalProtect cloud service detects the outage and establishes a tunnel to the remote network location over the secondary WAN link. However, in some environments, it is necessary to have both ISP links actively passing traffic from the remote network location through the GlobalProtect cloud service simultaneously. For example, if you have one fast ISP link and a slower ISP link, you may want to designate which traffic goes over which link based on subnet or application.
To enable this use case, you must onboard two remote network instances with the GlobalProtect cloud service, both for the same remote network location but each in a different region. Configure the first ISP as the primary WAN link on the first instance and the second ISP as the primary WAN link on the second instance, with no secondary WAN link configured on either instance. Then add all of the subnets at the site to both instances. For example, if the remote network has subnet1 and subnet2, you would onboard both remote network instances to include both subnets. Because both IPSec tunnels will carry traffic for both subnet1 and subnet2, the following limitations apply to this configuration.
  • There is no inbound remote network-to-remote network traffic: because both tunnels carry traffic for the same subnets, the other remote network locations cannot determine which tunnel to use to reach the site. However, users and services at this site can access resources at other remote network locations, provided there are no overlapping subnets at the site.
  • Traffic from your HQ sites cannot reach resources at the remote network location with the dual ISP configuration, because HQ has no way to route traffic to it. The remote network site can, however, access resources at your HQ sites over either tunnel.
  • Mobile users cannot access resources at this remote network location, again because of the inbound routing limitations.
To set up this configuration, follow the instructions to Configure the GlobalProtect Cloud Service for Remote Networks to onboard two separate remote network connections for the site. The details below show where you deviate from the basic configuration so that you can route traffic to the GlobalProtect cloud service over dual ISPs in active-active mode:
  1. Onboard the first remote network location instance using the first ISP as the primary WAN link.
    • Select a Region that is geographically close to the remote network location.
    • Configure the primary IPSec Tunnel to terminate at the IP address associated with your first ISP.
    • Do not Enable Secondary WAN.
    • Set the Bandwidth as appropriate for the link speed available on ISP1, for example, 25 Mbps.
  2. Onboard the second remote network location instance using the second ISP as the primary WAN link.
    • Select a different Region than you selected for the other ISP connection, but one that is still geographically close to the remote network location. For example, if you selected Northern California for the first connection, you might select Oregon for the second.
      You must select a different region because the subnets you onboard for the second ISP remote network instance overlap with the subnets you onboarded for the first ISP remote network instance. Although the configuration accepts two remote network instances with overlapping subnets in the same region, the push to the GlobalProtect cloud service will fail.
    • Configure the IPSec Tunnel to terminate at the IP address associated with your second ISP.
    • Do not Enable Secondary WAN.
    • Set the Bandwidth as appropriate for the link speed available on ISP2, for example, 10 Mbps.
  3. Configure routing at your remote network location to route traffic over the appropriate ISP link.
    Depending on the type of firewall, switch, or SD-WAN device available at the remote network location, you can route traffic based on application or subnet. For example, you might want to route all guest Wi-Fi traffic over one ISP and all other traffic over the other ISP. Or, you might want to send all web traffic over one ISP and all other traffic over the other ISP link.
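The following pre-flight check, added here as an example and not part of the GlobalProtect cloud service or its API, encodes the rules from the three steps above (different regions, distinct ISP tunnel endpoints, no secondary WAN, identical subnet lists) so you can catch a misconfigured pair of remote network instances before pushing it. The data model, the region names, the RFC 5737 documentation addresses and the sample subnets are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class RemoteNetworkInstance:
    """One onboarded remote network instance (hypothetical model, not the product's own)."""
    name: str
    region: str
    primary_tunnel_peer: IPv4Address   # public IP of the ISP link the IPSec tunnel terminates on
    subnets: frozenset                  # IPv4Network objects advertised over this tunnel
    bandwidth_mbps: int
    secondary_wan_enabled: bool = False


def validate_active_active(first, second):
    """Return a list of rule violations for a dual-ISP pair; an empty list means it is consistent."""
    problems = []
    # Step 2: overlapping subnets are only accepted across different regions.
    if first.region == second.region:
        problems.append("both instances use region %r; the second instance must use a different region" % first.region)
    # Steps 1 and 2: each tunnel must terminate on its own ISP address.
    if first.primary_tunnel_peer == second.primary_tunnel_peer:
        problems.append("both tunnels terminate on %s; each instance must use a different ISP" % first.primary_tunnel_peer)
    # Steps 1 and 2: no secondary WAN on either instance.
    for inst in (first, second):
        if inst.secondary_wan_enabled:
            problems.append("%s has Secondary WAN enabled; it must be disabled" % inst.name)
    # Both tunnels must carry every subnet at the site.
    if first.subnets != second.subnets:
        missing = sorted(str(n) for n in first.subnets ^ second.subnets)
        problems.append("subnet lists differ; all site subnets must be on both instances: %s" % missing)
    return problems


# Constructed sample site: guest Wi-Fi and corporate subnets, one instance per ISP.
SITE_SUBNETS = frozenset({IPv4Network("10.10.0.0/24"), IPv4Network("10.20.0.0/24")})
ISP1_INSTANCE = RemoteNetworkInstance("site-isp1", "Northern California",
                                      IPv4Address("203.0.113.10"), SITE_SUBNETS, 25)
ISP2_INSTANCE = RemoteNetworkInstance("site-isp2", "Oregon",
                                      IPv4Address("198.51.100.20"), SITE_SUBNETS, 10)

if __name__ == "__main__":
    for problem in validate_active_active(ISP1_INSTANCE, ISP2_INSTANCE) or ["configuration is consistent"]:
        print(problem)
```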