>
    Mobile User and Remote Network Routing to Service Connections
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Access
    4. Prisma Access Advanced Deployments
    5. Prisma Access Service Connection Advanced Deployments
    6. Routing for Service Connection Traffic
    7. Mobile User and Remote Network Routing to Service Connections
    Download PDF

    Mobile User and Remote Network Routing to Service Connections

    Table of Contents

    Mobile User and Remote Network Routing to Service Connections

    Learn how mobile user and remote network routing works from Prisma Access service connections.
    It is useful to understand how Prisma Access routes traffic between mobile users, remote networks, and service connections, because the routing used by mobile user traffic and remote network traffic between service connections is different.
    Mobile User-service connection routing—The mobile user connection forms an IPSec tunnel with the nearest service connection. Prisma Access uses iBGP for internal routing and eBGP to peer with the customer premises equipment at the data center. The following diagram shows mobile users in Regions 1 and 2 being routed to the respective service connections in that region. Mobile users in Region 1 are accessing applications A and B located at Data Center 1. If your organization’s network uses BGP routing for their service connections and a service connection experiences an ISP failure at Data Center 1, Prisma Access detects the failure and routes the traffic for applications A and B to Data Center 2 after BGP convergence, providing redundancy to your network’s data centers.
    Prisma Access uses the following timing with BGP when it detects a failure: If you configure BGP routing and have enabled tunnel monitoring, the shortest default hold time to determine that a security parameter index (SPI) is failing is the tunnel monitor, which removes all routes to a peer when it detects a tunnel failure for 15 consecutive seconds. In this way, the tunnel monitor determines the behavior of the BGP routes. If you do not configure tunnel monitoring, the hold timer determines the amount of time that the tunnel is down before removing the route. Prisma Access uses the default BGP HoldTime value of 90 seconds as defined by RFC 4271, which is the maximum wait time before Prisma Access removes a route for an inactive SPI. If the peer BGP device has a shorter configured hold time, the BGP hold timer uses the lower value. When the secondary tunnel is successfully installed, the secondary route takes precedence until the primary tunnel comes back up. If the primary and secondary are both up, the primary route takes priority.
    Remote Network-service connection routing—Prisma Access creates a full mesh network with other remote networks and service connections. As with mobile users, Prisma Access uses iBGP for its internal routing and eBGP to peer with customer premises equipment to exchange routes. If a user in Branch 1 is accessing application A from Data Center 1 in your organization’s data center and the link between Branch 1 and Data Center 1 goes down, Prisma Access routes the traffic for application A to Data Center 2 after BGP convergence.

    © 2025 Palo Alto Networks, Inc. All rights reserved.