A number of site-to-site IPSec VPNs between a Palo Alto Networks firewall (HQ) and remote sites are experiencing slowness, low throughput and FTP transfer issues. The symptoms started to appear after a Palo Alto Networks firewall replaced several VPN devices at the HQ site.
The issues may be due to asymmetric routing of the VPN tunnels across the multiple ISPs. Only one default route can be active in a virtual router, so if the default route points to a single ISP, outbound traffic for every tunnel leaves through that one link regardless of which ISP the tunnel's inbound traffic arrives on: the other links are underutilized while the main line becomes overutilized, and the two directions of each tunnel travel over different ISP paths. The problem would not have been present before the Palo Alto Networks firewall was deployed if each VPN tunnel terminated on a different VPN device at HQ, since each device then sent its tunnel traffic back out its own ISP.
Configure the VPN tunnels on the Palo Alto Networks firewall so that each tunnel's traffic is routed out the interface (ISP) on which that tunnel's traffic is received. This avoids asymmetric routing and balances bandwidth utilization across the ISP links.
To further illustrate the solution, see the example below. Interfaces E1/1, E1/2 and E1/3 are all ISP-facing interfaces in the same virtual router, so only one of the ISPs can be the active default route.
Two VPN tunnels are sourced from E1/1 and E1/2.
In the static routing configuration, E1/3 is the primary default route, E1/1 the secondary and E1/2 the tertiary (ordered by metric, lowest preferred).
To make sure that VPN tunnel traffic does not exit via the main default route on E1/3, a static host route (/32) to each remote VPN peer's address is configured, pointing out the interface that tunnel is sourced from (E1/1 or E1/2). Because a /32 route is more specific than the default route, longest-prefix match selects it for all IKE and ESP traffic to that peer.
To verify, go to Network > Virtual Router > Default (or VR of choice) > More Runtime Stats and confirm that the routing table lists the host routes to the VPN peers with the expected egress interfaces.
This ensures symmetric routing for the VPN tunnels and proper load sharing of ISP bandwidth.
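As an added example (not part of the original article), the PAN-OS CLI equivalent of the configuration described above, for two remote peers. The interface addresses, ISP next-hop gateways, peer addresses and object names (default-isp3, gw-siteA, peer-siteA, and so on) are assumed for illustration; substitute your own values.

```panos
# Added example, not from the original article. All addresses and object names
# are assumed for illustration.

# --- configuration mode ---
# Three ISP-facing interfaces in the same virtual router ("default"). Only one
# default route can be active, so they are ranked by metric: ethernet1/3 is
# primary, ethernet1/1 secondary, ethernet1/2 tertiary.
set network virtual-router default routing-table ip static-route default-isp3 destination 0.0.0.0/0 interface ethernet1/3 nexthop ip-address 192.0.2.1 metric 10
set network virtual-router default routing-table ip static-route default-isp1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 198.51.100.1 metric 20
set network virtual-router default routing-table ip static-route default-isp2 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 203.0.113.1 metric 30

# IKE gateways: each tunnel is bound to the ISP interface whose public IP the
# remote peer connects to (assumed peers: siteA via ISP1, siteB via ISP2).
set network ike gateway gw-siteA local-address interface ethernet1/1
set network ike gateway gw-siteA peer-address ip 198.51.100.200
set network ike gateway gw-siteB local-address interface ethernet1/2
set network ike gateway gw-siteB peer-address ip 203.0.113.200

# Host routes (/32) to each remote peer, pointing out the same interface and
# ISP gateway the IKE gateway is bound to. Longest-prefix match makes these win
# over 0.0.0.0/0, so IKE/ESP to each peer leaves on the ISP it arrived on
# instead of following the primary default route out ethernet1/3.
set network virtual-router default routing-table ip static-route peer-siteA destination 198.51.100.200/32 interface ethernet1/1 nexthop ip-address 198.51.100.1 metric 10
set network virtual-router default routing-table ip static-route peer-siteB destination 203.0.113.200/32 interface ethernet1/2 nexthop ip-address 203.0.113.1 metric 10
commit

# --- operational mode: verify the check described above ---
# The runtime routing table should list both /32 routes with their ISP interfaces.
show routing route
# A FIB lookup for each peer should return ethernet1/1 and ethernet1/2
# respectively, not ethernet1/3.
test routing fib-lookup virtual-router default ip 198.51.100.200
test routing fib-lookup virtual-router default ip 203.0.113.200
```

The IPSec tunnel and tunnel-interface configuration itself is unchanged by this fix; only the IKE gateway binding and the host routes matter. One trade-off to keep in mind: a tunnel pinned to an ISP this way will not move to another ISP if that link fails, unless the host route is withdrawn (for example by path monitoring on the static route) and the peer is reachable on the firewall's other public address.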