https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273499#M75040 <P>I configured the second tunnel and add on VR new route with metric 20, it looks like:</P><P>main route 10.28.28.0/24 tunnel5 metric 5</P><P>backup route&nbsp;10.28.28.0/24 tunnel6 metric 20</P><P>&nbsp;</P><P>How to Configure Tunnel monitor?</P><P>Tunnel monitor to configure on main tunnel?</P><P>What insert to Destination IP?</P><P>Example:&nbsp;</P><P>Ip address interface Tunnel 5 172.16.30.1&nbsp;</P><P>Ip address interface Tunnel 6 172.16.30.2</P><P>and Tunnel monitor 172.16.30.1?</P><P>Or it is wrong?&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 Jun 2019 11:37:53 GMT Tarczynski-SA 2019-06-27T11:37:53Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273391#M75030 <P>Hello!</P><P>&nbsp;</P><P>How to configure a backup VPN?</P><P>The main VPN configured and worked, path monitoring worked&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_9.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20507i43889DDBE94A8483/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot_9.jpg" alt="Screenshot_9.jpg" /></span></P> Thu, 27 Jun 2019 07:21:52 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273391#M75030 Tarczynski-SA 2019-06-27T07:21:52Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273451#M75034 a 'clean' (but not the only) solution is to put the second ISP on a separate VirtualRouter and configure the second tunnel on that VR. Then use PBF to direct traffic inside the tunnel <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK</A> Thu, 27 Jun 2019 09:29:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273451#M75034 reaper 2019-06-27T09:29:56Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273454#M75036 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/72617">@Tarczynski-SA</a>&nbsp;, you can create a secondary tunnel and add route of remote LAN with higher metric through that tunnel. you need to have tunnel monitoring enabled in primary to remove the primary static route from the routing table, so once the primary tunnel is down, the route willl be trough secondary tunnel, and the tunnel will come up.</P> Thu, 27 Jun 2019 09:58:08 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273454#M75036 Abdul_Razaq 2019-06-27T09:58:08Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273499#M75040 <P>I configured the second tunnel and add on VR new route with metric 20, it looks like:</P><P>main route 10.28.28.0/24 tunnel5 metric 5</P><P>backup route&nbsp;10.28.28.0/24 tunnel6 metric 20</P><P>&nbsp;</P><P>How to Configure Tunnel monitor?</P><P>Tunnel monitor to configure on main tunnel?</P><P>What insert to Destination IP?</P><P>Example:&nbsp;</P><P>Ip address interface Tunnel 5 172.16.30.1&nbsp;</P><P>Ip address interface Tunnel 6 172.16.30.2</P><P>and Tunnel monitor 172.16.30.1?</P><P>Or it is wrong?&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 Jun 2019 11:37:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273499#M75040 Tarczynski-SA 2019-06-27T11:37:53Z https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273500#M75041 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/72617">@Tarczynski-SA</a>&nbsp;, You need to configure tunnel monitor on main tunnel. Destination IP can be any pingable IP reachable through tunnel(IP at cisco side). Please note that the source of this monitor ping will be tunnel IP, make sure this communication is added in proxy ID ( <SPAN>172.16.30.1 to destination)</SPAN>. Monitor profile should be 'fail-over'.</P><P>&nbsp;</P><P>Follow this document for tunnel monitor configuration,</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunnel-monitoring/define-a-tunnel-monitoring-profile.html#" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunnel-monitoring/define-a-tunnel-monitoring-profile.html#</A></P> Thu, 27 Jun 2019 11:57:10 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-sec-vpn-failover-paloalto-fw-cisco-ios/m-p/273500#M75041 Abdul_Razaq 2019-06-27T11:57:10Z