https://live.paloaltonetworks.com/t5/general-topics/tunnel-monitor-query/m-p/327459#M83335 <P>I want to configure an IPSec VPN tunnel with redundant VPN peers primary peer "A" using tunnel1 and secondary peer "B" (if "A" goes down) using tunnel2.</P><P>&nbsp;</P><P>I can configure failover using Tunnel Monitoring, but my question is "Why are routes to my VPN peer network installed in the routing table using tunnel1 (more preferred) over tunnel2?". I cannot see where we say tunnel1 is the primary, routes via tunnel2 should only be installed if tunnel1 goes down?</P><P>&nbsp;</P><P>Note: I am not considering failover using static route monitoring at this time.</P><P>&nbsp;</P> Tue, 12 May 2020 00:57:05 GMT djohnson229 2020-05-12T00:57:05Z https://live.paloaltonetworks.com/t5/general-topics/tunnel-monitor-query/m-p/327459#M83335 <P>I want to configure an IPSec VPN tunnel with redundant VPN peers primary peer "A" using tunnel1 and secondary peer "B" (if "A" goes down) using tunnel2.</P><P>&nbsp;</P><P>I can configure failover using Tunnel Monitoring, but my question is "Why are routes to my VPN peer network installed in the routing table using tunnel1 (more preferred) over tunnel2?". I cannot see where we say tunnel1 is the primary, routes via tunnel2 should only be installed if tunnel1 goes down?</P><P>&nbsp;</P><P>Note: I am not considering failover using static route monitoring at this time.</P><P>&nbsp;</P> Tue, 12 May 2020 00:57:05 GMT https://live.paloaltonetworks.com/t5/general-topics/tunnel-monitor-query/m-p/327459#M83335 djohnson229 2020-05-12T00:57:05Z https://live.paloaltonetworks.com/t5/general-topics/tunnel-monitor-query/m-p/327502#M83348 <P>if a vpn tunnel goes down the interface is not necessarily 'down', a monitoring profile set to 'failover' will bring it down</P><P>&nbsp;</P><P>routes on an interface will stay in the routing table as long as the interface is up, when monitoring brings down the interfaces, the route will disappear and the next lowest metric will pick up the traffic (tunnel 2 with a higher metric)</P> Tue, 12 May 2020 10:32:12 GMT https://live.paloaltonetworks.com/t5/general-topics/tunnel-monitor-query/m-p/327502#M83348 reaper 2020-05-12T10:32:12Z https://live.paloaltonetworks.com/t5/general-topics/tunnel-monitor-query/m-p/327562#M83361 <P>Hello,</P><P>I also use Policy Based Forwarding to prefer the primary endpoint so that if it goes down then the PBF no longer takes effect and the Virtual router takes over. I also put OSPF on both ends with metrics so there is no weird routing loops.</P><P>&nbsp;</P><P>Hope that helps.</P> Tue, 12 May 2020 15:53:48 GMT https://live.paloaltonetworks.com/t5/general-topics/tunnel-monitor-query/m-p/327562#M83361 OtakarKlier 2020-05-12T15:53:48Z