https://live.paloaltonetworks.com/t5/general-topics/aws-vpn-tunnel-and-path-monitoring/m-p/336123#M84690 <P>Hello,</P> <P>This could be a config issue on the AWS side? I would double check both sides to make sure the proper settings are configured.</P> <P>&nbsp;</P> <P>Regards,</P> Tue, 30 Jun 2020 18:27:20 GMT OtakarKlier 2020-06-30T18:27:20Z https://live.paloaltonetworks.com/t5/general-topics/aws-vpn-tunnel-and-path-monitoring/m-p/336047#M84669 <P>I have 2 AWS instances(Prod and Stage) each with redundant VPN tunnels to the same remote end Palo.&nbsp; I setup path monitoring for each so that when one tunnel is down, the route is removed and the backup route is put in the FIB.&nbsp; This only works with our stage instance and not our prod instance.&nbsp; In each case, the tunnel state on the AWS side does not reflect the fact that I brought the tunnel down on the Palo side.&nbsp; We also have seen times when the AWS tunnel was down, but the Palo side showed the tunnel as up.&nbsp; Has anyone seen this or is anyone using AWS with VPN to Palos and have failover working properly?&nbsp;&nbsp;</P> Tue, 30 Jun 2020 15:07:18 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-vpn-tunnel-and-path-monitoring/m-p/336047#M84669 eridavis 2020-06-30T15:07:18Z https://live.paloaltonetworks.com/t5/general-topics/aws-vpn-tunnel-and-path-monitoring/m-p/336107#M84683 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/135860">@eridavis</a>,</P> <P>What is your ping interval and count set to, along with your preemptive hold value? What version of PAN-OS are you running?</P> <P>&nbsp;</P> <P>This should just work, regardless if you VM-Series is running in AWS, Azure, or ESXi there really isn't anything special to the configuration due to hypervisor being utilized. The tunnels will likely show as up unless you've setup tunnel-monitoring so the actual tunnels are checking status; you're kind of already doing that with the path-monitoring on the static routes, but that doesn't really do anything as far as the actual tunnel itself is concerned.&nbsp;</P> Tue, 30 Jun 2020 17:06:34 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-vpn-tunnel-and-path-monitoring/m-p/336107#M84683 BPry 2020-06-30T17:06:34Z https://live.paloaltonetworks.com/t5/general-topics/aws-vpn-tunnel-and-path-monitoring/m-p/336117#M84685 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;Interval is default of 3 seconds and hold is default of 2 mins.&nbsp; Pan-OS 8.1.11.&nbsp; To clarify, we only have Palo at one end.&nbsp; WE are using AWS VPV/VPN natively on the AWS side.&nbsp; The issue is that in our Prod instance the VPN failover is not working.&nbsp; I manually shutdown the primary IPsec tunnel and the path monitor removes the active route properly and adds the backup route to the FIB as it should.&nbsp; The path monitor shows the tunnel is down and the traffic leaves the 2nd tunnel interface but no traffic comes back.&nbsp; Also, the AWS side does not show the tunnel being down in either the prod or stage instances, so I'm not sure how AWS is routing traffic over the tunnels.</P> Tue, 30 Jun 2020 17:17:57 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-vpn-tunnel-and-path-monitoring/m-p/336117#M84685 eridavis 2020-06-30T17:17:57Z https://live.paloaltonetworks.com/t5/general-topics/aws-vpn-tunnel-and-path-monitoring/m-p/336123#M84690 <P>Hello,</P> <P>This could be a config issue on the AWS side? I would double check both sides to make sure the proper settings are configured.</P> <P>&nbsp;</P> <P>Regards,</P> Tue, 30 Jun 2020 18:27:20 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-vpn-tunnel-and-path-monitoring/m-p/336123#M84690 OtakarKlier 2020-06-30T18:27:20Z