Static route path monitor for dual IPSec tunnels not recovering

Layne-Corbett — Thu, 24 Aug 2023 02:24:57 GMT

We have two ISP's and created redundant IPSec tunnels to our datacenter (one per ISP). We followed this doc on how to setup tunnel failover even though it did not mention that the tunnel IP's needed to be added to allowed tunnel traffic via tunnel Proxy ID setting:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

I thought I found the issue after reading this doc about monitor source address allowed thru tunnel, but even after adding the tunnel IP range to tunnel Proxy ID, monitor still shows route as down even though tunnel is up:

https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring-for-automated-vpn-failover/td-p/349743

So at this point I don't know what I missed in the config's 😣

Re: Static route path monitor for dual IPSec tunnels not recovering

BPry — Thu, 24 Aug 2023 04:49:04 GMT

@Layne-Corbett,

Can you post more detailed information in what you're actually doing so far? Prevents having to read through everything and assume that every step was followed, which can lead to improper assumptions about something you could be overlooking.

topic Re: Static route path monitor for dual IPSec tunnels not recovering in General Topics

Static route path monitor for dual IPSec tunnels not recovering

Re: Static route path monitor for dual IPSec tunnels not recovering