Routing between Branches and DCs with 2 standard VPNs
5611
Created On 02/06/23 08:52 AM - Last Modified 06/14/23 11:17 AM
Symptom
Traffic is not balanced the way the customer expects when a DC site has two devices, each with a standard VPN (for example to a cloud environment). The most common complaint is that most of the traffic is handled by only one of the two DC devices instead of both, even though the customer configured the site as "active-active".
Environment
Cause
Full routing between DCs and branches is not supported. This means that even when route manipulation is applied on the DC side towards a cloud environment (Azure, for example), no "preference" or route manipulation is propagated to the branches. The branches therefore select which Prisma SD-WAN VPN to use to send traffic to the DC based on path quality. Since both devices at the DC have the same routes injected by Azure, the branches can send traffic to either device at the DC site, but that choice is made on quality, application reachability and similar criteria, not on the DC-side route preference.
Resolution
There are several possible solutions. One is to advertise half of the prefixes from the first device and the other half from the second device. The branches then have to send traffic for some prefixes to one device and traffic for the remaining prefixes to the other device at the same site. The drawback is that redundancy is lost: if one of the IONs goes down, the prefixes it alone was advertising are no longer reachable from the branches.
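The following is an added example, not code from the article or from Prisma SD-WAN: a small model of branch path selection that shows why advertising every prefix from both DC devices sends traffic to the best-quality device only, why splitting the prefixes forces traffic onto both devices, and what happens to the split when one ION fails. The prefixes, device names and quality scores are constructed; the selection rule (longest prefix match, then lowest quality score among reachable devices) is an assumption that stands in for the quality-based choice the article describes, not the product's actual algorithm.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the article): four prefixes standing in
# for routes a cloud environment injects into both DC devices.
CLOUD_PREFIXES = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
DC_DEVICES = ["ion-a", "ion-b"]

# Hypothetical per-VPN quality score as measured from the branch (lower is better).
BRANCH_VPN_QUALITY = {"ion-a": 10.0, "ion-b": 25.0}

# Constructed destination addresses, two per prefix.
FLOWS = ["10.10.0.5", "10.10.0.9", "10.10.1.5", "10.10.1.9",
         "10.10.2.5", "10.10.2.9", "10.10.3.5", "10.10.3.9"]


def advertise_all(prefixes, devices):
    """'Active-active' as the customer configures it: every DC device advertises every prefix."""
    return {dev: list(prefixes) for dev in devices}


def advertise_split(prefixes, devices):
    """The workaround from the article: prefix i is advertised only by device i % len(devices)."""
    adv = {dev: [] for dev in devices}
    for i, prefix in enumerate(prefixes):
        adv[devices[i % len(devices)]].append(prefix)
    return adv


def build_branch_table(advertisements):
    """Branch view of the DC site: prefix -> set of DC devices advertising it.
    No preference is carried over, matching the article's point that DC-side
    route manipulation is not propagated to the branches."""
    table = {}
    for dev, prefixes in advertisements.items():
        for prefix in prefixes:
            table.setdefault(ipaddress.ip_network(prefix), set()).add(dev)
    return table


def select_device(table, dst, quality, up_devices):
    """Assumed selection rule: longest matching prefix first, then the reachable
    device with the best quality score. Routes of a down device are treated as
    withdrawn, so a less specific prefix from an up device is used if one exists.
    Returns None when no up device advertises any matching prefix."""
    addr = ipaddress.ip_address(dst)
    matches = sorted((n for n in table if addr in n),
                     key=lambda n: n.prefixlen, reverse=True)
    for network in matches:
        candidates = [d for d in table[network] if d in up_devices]
        if candidates:
            return min(candidates, key=lambda d: quality[d])
    return None


def simulate(advertisements, flows, quality, up_devices):
    """Count flows per DC device; 'unreachable' counts flows with no usable path."""
    table = build_branch_table(advertisements)
    counts = Counter()
    for dst in flows:
        dev = select_device(table, dst, quality, up_devices)
        counts[dev if dev is not None else "unreachable"] += 1
    return dict(counts)


if __name__ == "__main__":
    both_up = {"ion-a", "ion-b"}
    only_a = {"ion-a"}
    print("all prefixes on both, both up:",
          simulate(advertise_all(CLOUD_PREFIXES, DC_DEVICES), FLOWS, BRANCH_VPN_QUALITY, both_up))
    print("split prefixes, both up:      ",
          simulate(advertise_split(CLOUD_PREFIXES, DC_DEVICES), FLOWS, BRANCH_VPN_QUALITY, both_up))
    print("split prefixes, ion-b down:   ",
          simulate(advertise_split(CLOUD_PREFIXES, DC_DEVICES), FLOWS, BRANCH_VPN_QUALITY, only_a))
    print("all prefixes on both, ion-b down:",
          simulate(advertise_all(CLOUD_PREFIXES, DC_DEVICES), FLOWS, BRANCH_VPN_QUALITY, only_a))
```

With every prefix on both devices, all eight flows land on ion-a because its VPN has the better quality score, which is the symptom the customer reports. Splitting the prefixes puts four flows on each device, but as soon as ion-b is down the four flows for its prefixes have no path at all, whereas with every prefix on both devices they simply move to ion-a. That is the redundancy trade-off the resolution warns about.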