https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/478898#M103817 <P>To make short a long story, I want to know if I can define a Secondary VPN that switches when the Remote Peer IP go down because the Customer want to avoid to monitor a resource inside the VPN.<BR />(Like on the ASA where we can simply set the secondary peer and it works without any other conf)</P> Thu, 07 Apr 2022 08:44:24 GMT ChristianBolelli 2022-04-07T08:44:24Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/475769#M103496 <P>Hello,</P><P>I have a vpn ipsec in production, now I have to add a secondary remote peer.</P><P>It's my first time I have to configure a 2nd peer.</P><P>If I understood well I can't simply add a seocndary peer to the VPN but I have to configure a new psec but the difference is the static route related the remote network.</P><P>Example I should have:</P><P>Remote net: 10.1.0.0/24</P><P>Route 1 10.1.0.0/24 metric 10 Tunnel.1</P><P>Route 2 10.1.0.0/24 metric 20 Tunnel.2</P><P>&nbsp;</P><P>If the primary peer stop responding how I can turn off the Route 1?</P><P>The tunnel.1 and .2 don't have an ip and the inside int of the PA it's not included in the local network<BR /><BR />Can I add an ip to Tunnel.1 like 192.168.1.1 and nat it with the external IP of the PA and set the Path monitor of the "Route 1" like<BR />Source:192.168.1.1<BR />Destination: Primary Peer<BR />So the Route 1 ping the Primary peer If the peer stop responding the PA remove from the routing table the Route 1 and the Secondary VPN start working because the Route 2 it's the only active.<BR /><BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 25 Mar 2022 14:00:53 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/475769#M103496 ChristianBolelli 2022-03-25T14:00:53Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/475781#M103498 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/110051">@ChristianBolelli</a>&nbsp;,</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Yes, you need to have separate VPN tunnel with secondary peer IP and&nbsp; you need to assign the IP to the tunnel interface.&nbsp;You just need to make sure that the IP that you are assigning to the tunnel interface should be from your local network which is part of tunnel encryption domain. Basically that source IP should be reachable towards the destination servers over tunnel. If you are doing NAT for the existing tunnel traffic, then you need to do &nbsp;NAT for tunnel interface IP also. This traffic will travel till destination via tunnel.</P><P>&nbsp;</P><P>&nbsp;</P><P>Once you have this set, you can enable the path monitoring on the <STRONG>tunnel.1</STRONG> route i.e.&nbsp;<STRONG>Route 1 10.1.0.0/24 metric 10 Tunnel.1</STRONG> and take one of the ICMP responding server from peer side to add it under path monitoring. Once Primary tunnel fails, configured destination server will stop responding to ICMP and once path monitoring fails, Palo Alto will remove route towards&nbsp;<STRONG>tunnel.1</STRONG>&nbsp;from <STRONG>FIB</STRONG>. And traffic will then start sending to the secondary tunnel i.e.&nbsp;<STRONG>tunnel.2</STRONG></P><P>&nbsp;</P><P><EM>Here, I have considered that you are trying to configure two tunnels (Primary &amp; Secondary) for same encryption domain from your Palo Alto.</EM></P><P>&nbsp;</P><P>Hope it helps!</P> Fri, 25 Mar 2022 14:36:05 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/475781#M103498 SutareMayur 2022-03-25T14:36:05Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/475784#M103499 <P>Hello,</P><P>so the Path monitor MUST pass through the tunnel? In my example the Tunnel.1 ip shoud be natted with the PA outside interface and reach the&nbsp; public ip of the remote peer. The idea is to monitor the public ip and not and internal resources.</P> Fri, 25 Mar 2022 14:42:48 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/475784#M103499 ChristianBolelli 2022-03-25T14:42:48Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/475797#M103500 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/110051">@ChristianBolelli</a>&nbsp;Will your peer allow ICMP traffic on their public IP ?</P><P>&nbsp;</P><P>Also in addition to this - If they allows and you configure but it won't help you in some scenarios like given below -</P><P>Your tunnel having issues like Phase-1 and/or Phase-2 is down. In this case, peer end public IP may respond to ICMP but tunnel resources may become unreachable.&nbsp;</P> Fri, 25 Mar 2022 15:26:04 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/475797#M103500 SutareMayur 2022-03-25T15:26:04Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/478598#M103782 <P>Hello,</P><P>Yes they allow icmp traffic</P><P>&nbsp;</P><P>I have now a lab. I've set an ip on the Tunnel.1 and a Path monitor as below:</P><P>Tunnel.1 192.168.1.1/32</P><P>&nbsp;</P><P>Static route</P><P>Route1<BR />10.10.10.0/24 interface Tunnel.1<BR />Path monitor<BR />Src: 192.168.1.1/32<BR />Dst: Remote Peer ip</P><P><BR /><BR />On Security rule<BR />Src:192.168.1.1/32<BR />dst: Remote-PeerIP</P><P>Application: Ping/icmp<BR /><BR />Nat<BR />original source: 192.168.1.1/32<BR />Original dst:Remote-PeerIP<BR />Translated src: Dynamic ip and port. with the Palo alto Public IP</P><P>Translated dst: original</P><P>&nbsp;</P><P>From CLI</P><P>ping source 192.168.1.1 host Remote-PeerIP<BR />Answers as expected and we capture the traffic on test remote ASA and we see the icmp packets coming from Palo Alto public ip.</P><P>But on Path monitor tab still in "down" state.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 06 Apr 2022 08:41:56 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/478598#M103782 ChristianBolelli 2022-04-06T08:41:56Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/478896#M103816 <P>Hello,</P><P>I'm trying to understand if it's possible to monitor the Remote Peer IP(Customer request) instead of a resource inside the tunnel IPSEC.<BR />So the ip assign to Tunnel.1 it not included in the ProxyID because I want to ping the Peer- ip<BR />Via CLI the ping works:</P><P>PA&gt;ping source "Tunnel.1-IP" host "Remote-Peer-IP"<BR />But with the same data on path monitor it fails.</P> Thu, 07 Apr 2022 08:29:04 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/478896#M103816 ChristianBolelli 2022-04-07T08:29:04Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/478898#M103817 <P>To make short a long story, I want to know if I can define a Secondary VPN that switches when the Remote Peer IP go down because the Customer want to avoid to monitor a resource inside the VPN.<BR />(Like on the ASA where we can simply set the secondary peer and it works without any other conf)</P> Thu, 07 Apr 2022 08:44:24 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/478898#M103817 ChristianBolelli 2022-04-07T08:44:24Z https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/479035#M103841 <P>Hello,</P><P>If you have say OSPF setup on both VPN endpoints, it should see the down link and route around it.</P><P>Regards,</P> Thu, 07 Apr 2022 16:41:55 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-ipsec-secondary-peer/m-p/479035#M103841 OtakarKlier 2022-04-07T16:41:55Z