topic Re: VPN Fail Over in General Topics

VPN Fail Over

karthikeyanB — Tue, 02 Jul 2019 08:15:00 GMT

Dear Team,

We Have PA Firewall With Single ISP and Peer End Sophos FW With Dual ISP.

Here I need to configure VPN Fail over. What are the step i need done PA side?

Regards

Karthikeyan

Re: VPN Fail Over

Abdul_Razaq — Tue, 02 Jul 2019 13:00:14 GMT

Hi @karthikeyanB ,

You can configure 2 VPN tunnels with each of remote side ISP connecting IP as remote peer. Configure tunnel monitor on primary one then configure two routes to remote LAN through each of the VPN tunnel with lower metric on primary.

Configure proper security policy for both the connections.

So if primary VPN is down, as the tunnel monitor is configured, the route to remote LANwill be removed and new route with higher metric will be in action which will make the secondary tunnel UP.

Re: VPN Fail Over

i.pacek — Thu, 08 Feb 2024 12:42:31 GMT

Hi everyone,

Tried the configuration @Abdul_Razaq suggested, no luck.

Created two IPSec Tunnels:

IPSec Tunnel A: local IP x.x.x.x, peer IP y.y.y.y, tunnel interface tunnel.8

IPSec Tunnel B: local IP x.x.x.x, peer IP z.z.z.z, tunnel interface tunnel.6

Created tunnel monitor

and tried assigning it on the primary IPSec Tunnel A but commit failed stating that:

IPSec tunnel A enabled tunnel monitoring while binding to tunnel interface tunnel.8 which has no IPV4 address assigned to it yet.

which is essentially true since there is no IP address assigned to tunnel.8 interface.

Any ideas how to solve this?

Re: VPN Fail Over

OtakarKlier — Thu, 08 Feb 2024 21:04:11 GMT

Hello,

I do this a different way using either Policy Based Routing or OSPF, even static routing will work. Build your two tunnels. Then do one of the following:

1. Create a Policy Based Forward policy to send the traffic down one tunnel and check the box "Enforce Symetric Return' and Monitor.

2. Setup OSPF and add a metric to the secondary tunnel of like 10000. then OSPF will direct the traffic the correct path that is up, etc.

3. User static routes with path monitoring

Regards,

Re: VPN Fail Over

BPry — Thu, 08 Feb 2024 21:28:27 GMT

@karthikeyanB,

You give the tunnel interface an IP address. You can just assign a /31 for this and ensure that you have the route and policy in place to allow that address to hit the destination IP that you've setup.

Re: VPN Fail Over

msdphi — Thu, 10 Jul 2025 23:07:45 GMT

Hi Sir,

I have two pbf rules for each tunnel. And I have applied tunnel monitor on both rules. But I am unable to make it work. Though tunnel shows up, traffic stops flowing erratically.

I'm unsure of the correct configuration to use. Please help me.

Re: VPN Fail Over

OtakarKlier — Fri, 11 Jul 2025 15:03:27 GMT

Hello,

Definitely sounds like a routing issue. Do you have "Enforce Symetric Return" enabled?

Regards,

Re: VPN Fail Over

james698henry — Sat, 12 Jul 2025 04:45:59 GMT

@karthikeyanB wrote:

Dear Team,

We Have PA Firewall With Single ISP and Peer End Sophos FW With Dual ISP.

Here I need to configure VPN Fail over. What are the step i need done PA side?

Regards

Karthikeyan

Hello @karthikeyanB,
To configure VPN failover on the PA firewall with a single ISP:

Use Tunnel Monitoring or Static Route Path Monitoring
- Create two IPSec tunnels (Primary and Secondary) to the Sophos FW.
- Assign each tunnel a unique tunnel interface (e.g., `tunnel.1`, `tunnel.2`).
- Enable Tunnel Monitoring on the primary tunnel with action set to Fail Over.
- Alternatively, configure Static Route Path Monitoring to detect tunnel failure and switch routes.

Set Static Routes with Metrics
- Route traffic via `tunnel.1` with lower metric (e.g., 10).
- Add backup route via `tunnel.2` with higher metric (e.g., 20).

Ensure both tunnel interfaces are in the same security zone and monitor IPs are reachable through the VPN.
More details: Palo Alto VPN Failover Guide.

Best Regards,
James Henry