Tunnel Monitoring

jhussain1 — Wed, 17 Dec 2025 17:04:51 GMT

Hello Team,

I have two ISP for site A and site B. we have configured tunnel.1,2,3,4. for all the tunnels i configured tunnel monitoring for failover.

My primary tunnel is up and working fine. However, all the backup tunnels are down the tunnel status are showing red.

anyone tell me is this expected?

Re: Tunnel Monitoring

S.Cantwell — Wed, 17 Dec 2025 19:31:12 GMT

Why the “backup” tunnels can show RED/DOWN while the primary is working

On Palo Alto Networks firewalls, the IPSec tunnel interface status can be driven by tunnel monitoring, not just by whether IKE/IPSec SAs exist.

Red/DOWN can mean: tunnel monitor is enabled and the monitoring IP is unreachable, so PAN-OS brings the tunnel interface down (especially when the monitor profile action is Fail Over).
In a “primary/backup” design, if the routing prefers Tunnel.1, then the firewall may have no valid working path over Tunnel.2/3/4 to reach the monitor destination(s) you configured for those tunnels—so their monitors fail and they go red.

This is a common misconfiguration pattern: the monitor destination is reachable via the primary tunnel, but not reachable via each backup tunnel specifically.

Palo Alto can absolutely have multiple tunnels UP at the same time, but tunnel monitoring can intentionally force a tunnel interface DOWN if its monitor destination is not reachable (by design, to remove routes and trigger failover).

What to validate (most common causes)

Monitor destination per tunnel

Each tunnel should monitor an IP that is reachable only via that tunnel (typical: the remote tunnel interface IP when using route-based VPN).
If the monitored IP is “behind” the far side, make sure it’s actually reachable through that specific tunnel during steady state.

Ensure the monitor traffic is forced over the intended tunnel

The monitor probe follows forwarding; if the “best” route to the monitor destination points at Tunnel.1, then Tunnel.2’s monitor will fail.
Fix by using a monitor destination that is topologically tied to that tunnel (again: remote tunnel interface IP is the usual approach for route-based).

Policy-based VPN / Proxy-IDs

If any of these are policy-based, ensure the monitor destination IPs are covered by Proxy-ID/traffic selectors, otherwise the monitor pings may never match the IPsec SA and will fail. (PAN-OS tunnel monitoring guidance calls out proxy-ID considerations in failover designs.)

Useful verification commands (to include in your response)

From the firewall CLI, check whether it’s the monitor driving the red status:

show vpn flow (PANW KB explicitly references using this to interpret monitor/tunnel status issues).
Also review System logs for tunnel monitor events (look for tunnel-status-down / monitor failures).

“Red/DOWN on the backup tunnels is expected if tunnel monitoring is configured and the monitoring IP for those tunnels is not reachable via each tunnel. In PAN-OS, tunnel monitoring can intentionally bring a tunnel interface down (especially with Fail Over action) to withdraw routes and enable failover. We should adjust the monitor destination (typically remote tunnel interface IP) and/or routing/traffic-selectors so each tunnel’s monitor probe is reachable over that specific tunnel.”

topic Tunnel Monitoring in Next-Generation Firewall Discussions

Tunnel Monitoring

Re: Tunnel Monitoring

Why the “backup” tunnels can show RED/DOWN while the primary is working

What to validate (most common causes)

Useful verification commands (to include in your response)