Allow Direct Internet Access Traffic Failover To MPLS Link

Created On 02/26/21 20:30 PM - Last Modified 02/05/25 22:12 PM


Symptom


After following the steps prescribed in the admin guide, it is observed that internet traffic does not take the SD-WAN tunnel over MPLS to the hub. Instead, after failover, internet traffic transits the MPLS circuit directly.



Environment


  • PAN-OS 9.1 and later releases.
  • Direct Access Internet and MPLS environments.
  • SDWAN deployment using Panorama.


Cause


  • Enabling VPN Data Tunnel Support behaves like split tunneling.
  • Both private traffic and internet traffic are split.
  • In this case, applications with private IP addresses take the tunnel, while all other applications going to the internet take the "clear text" portion of the SD-WAN path over MPLS.
  • In other words, internet traffic does not transit the tunnel.


Resolution


  1. Uncheck VPN Data Tunnel Support on the interface profile from Panorama:
     Network --> Interface Profile --> Name:

     (Screenshot: SDWAN interface profile)
  2. Repeat this step for all applicable templates/sites.
  3. Commit.


Additional Information


By disabling VPN Data Tunnel Support, the tunnel interface associated with the MPLS interface is bound to the SDWAN.901 DIA VIF:

Network --> Interfaces --> SD-WAN

(Screenshot: Interface binding)

This allows applications destined for the internet to transit the VPN tunnel over MPLS.

Monitor --> Traffic:

(Screenshot: disable data tunnel support)

Note: Applications with private traffic will not take the tunnel but will use the MPLS circuit. The VPN Data Tunnel Support feature controls what type of traffic can take the tunnel.
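As an added verification check (not part of this article), the following Python script classifies rows from a Monitor --> Traffic CSV export by destination scope (private vs. internet) and egress path, and flags internet-bound sessions that left over the MPLS interface in clear text, which is the symptom described above. The log rows are constructed, and the interface names tunnel.901 and ethernet1/2 and the column names are assumptions about the deployment's export.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample of a Monitor --> Traffic export (not a real capture).
# Column names follow PAN-OS traffic-log field names; the interface names
# (tunnel.901 for the SD-WAN VPN tunnel, ethernet1/2 for MPLS) are assumptions.
SAMPLE_LOG = """app,src,dst,inbound_if,outbound_if,action
web-browsing,10.1.1.20,93.184.216.34,ethernet1/1,ethernet1/2,allow
ssl,10.1.1.21,142.250.72.14,ethernet1/1,ethernet1/2,allow
smb,10.1.1.22,10.50.0.10,ethernet1/1,tunnel.901,allow
dns,10.1.1.23,8.8.8.8,ethernet1/1,tunnel.901,allow
"""

TUNNEL_PREFIX = "tunnel."  # assumption: SD-WAN VPN tunnel interfaces
MPLS_IF = "ethernet1/2"    # assumption: the MPLS-facing physical interface


def is_private(ip):
    """RFC 1918 and other non-global destinations count as private applications."""
    return ipaddress.ip_address(ip).is_private


def classify(row):
    """Return (scope, path): scope is the destination type, path is how it egressed."""
    scope = "private" if is_private(row["dst"]) else "internet"
    if row["outbound_if"].startswith(TUNNEL_PREFIX):
        path = "tunnel"
    elif row["outbound_if"] == MPLS_IF:
        path = "cleartext-mpls"
    else:
        path = "other"
    return scope, path


def summarize(log_text):
    """Count sessions per (scope, path) so the split-tunnel behaviour is visible."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        counts[classify(row)] += 1
    return dict(counts)


def internet_leaks(log_text):
    """Internet-bound sessions that left in clear text over MPLS (the symptom)."""
    return [row["app"] for row in csv.DictReader(io.StringIO(log_text))
            if classify(row) == ("internet", "cleartext-mpls")]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("Clear-text internet sessions over MPLS:", internet_leaks(SAMPLE_LOG))
```

After the resolution is applied, the clear-text MPLS bucket for internet destinations should be empty and internet applications should appear on the tunnel interface.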


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Ue2CAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail