https://live.paloaltonetworks.com/t5/general-topics/dual-dynamic-ipsec-tunnels-single-vr/m-p/513263#M106633 <P>Hello,</P> <P>What IP are you using as your monitor? Also what happens if you disable ECMP and user weighted routes instead?</P> <P>Please advise,</P> Mon, 29 Aug 2022 15:29:45 GMT OtakarKlier 2022-08-29T15:29:45Z https://live.paloaltonetworks.com/t5/general-topics/dual-dynamic-ipsec-tunnels-single-vr/m-p/513199#M106621 <P>Hi , have 2 dynamic isp at site 1 with single vr and &nbsp;ECMP and 1 public ip at site 2 paloalto at OCI cloud , i have setup dual tunnels from site 1 to site 2 but its not stable at all , both tunnels will be up but if we simulate failover using either path monitoring or tunnel monitoring or making isp 1 or 2 down we can see that vpn is stuck in initiating phase. We used below guide&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO" target="_blank" rel="nofollow noopener noreferrer">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO</A>&nbsp;</P> Sun, 28 Aug 2022 09:38:30 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-dynamic-ipsec-tunnels-single-vr/m-p/513199#M106621 mhm_ameen 2022-08-28T09:38:30Z https://live.paloaltonetworks.com/t5/general-topics/dual-dynamic-ipsec-tunnels-single-vr/m-p/513263#M106633 <P>Hello,</P> <P>What IP are you using as your monitor? Also what happens if you disable ECMP and user weighted routes instead?</P> <P>Please advise,</P> Mon, 29 Aug 2022 15:29:45 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-dynamic-ipsec-tunnels-single-vr/m-p/513263#M106633 OtakarKlier 2022-08-29T15:29:45Z https://live.paloaltonetworks.com/t5/general-topics/dual-dynamic-ipsec-tunnels-single-vr/m-p/513340#M106644 <P>using tunnels ip for monitor for IPSEC, i don't want to disable ECMP since requirements is to have load balancing internet connection. please find attached diagram.&nbsp;&nbsp;</P> <P>we&nbsp; are&nbsp; using FQDN for dynamic peer&nbsp; in ike gateway.&nbsp;</P> <P>FQDN being used is ip address is it ok or it must be in form of name.domain.com ??&nbsp;</P> Tue, 30 Aug 2022 07:07:35 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-dynamic-ipsec-tunnels-single-vr/m-p/513340#M106644 mhm_ameen 2022-08-30T07:07:35Z https://live.paloaltonetworks.com/t5/general-topics/dual-dynamic-ipsec-tunnels-single-vr/m-p/513751#M106683 <P>Hello,</P> <P>I would make sure your monitor IP's for the tunnels are only sent down the tunnel that has the monitored IP address. I think ECMP might be messing up the tunnel monitor, ie sending traffic down one tunnel and reaching the IP address so the tunnel never goes down and routing gets goofed.&nbsp;</P> <P>So make sure the tunnel monitor is setup so tunnel 1 uses an IP address that is only accessible via tunnel 1. What I have done, since I use OSPF, is to have the tunnels have a /30 address and static routes that are only sent down that tunnel and not down OSPF.</P> <P>example: Tunnel1 has a /30 IP address and the other side of the tunnel has the other /30 address. The the static route for the /30 is sent to the tunnel interface and is not redistributed via OSPF so it cant reroute.</P> <P>&nbsp;</P> <P>Hope that makes sense.</P> <P>Regards,</P> Thu, 01 Sep 2022 15:53:52 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-dynamic-ipsec-tunnels-single-vr/m-p/513751#M106683 OtakarKlier 2022-09-01T15:53:52Z