https://live.paloaltonetworks.com/t5/general-topics/redundant-static-route-through-two-ipsec-tunnels/m-p/414719#M93166 <P>Hello All,</P><P>I am attempting to setup primary and backup route to the same IP through two different IPSec tunnels. I have attempted both PBF and Static Route Path Monitoring and cant seem to get either to work, in both cases is because there is no IP assigned directly to the tunnel interface.</P><P>&nbsp;</P><P>Here's the layout:</P><P>Site A</P><P>PA-820&nbsp; Int 3&lt;-------------------&gt; Int 1(Service provider Cisco ISR) &nbsp;route to 192.168.2.0/24 (Primary)</P><P>192.168.1.0/24</P><P>IPSec Tunnels to Sites B &amp; C</P><P>&nbsp;</P><P>Site B</P><P>PA-220&nbsp; Int 3&lt;-------------------&gt; Int 1(Service provider Cisco ISR) &nbsp;route to 192.168.2.0/24 (Secondary)</P><P>192.168.2.0/24</P><P>IPSec Tunnels to Sites A &amp; C</P><P>&nbsp;</P><P>&nbsp;</P><P>Sites C</P><P>PA-220</P><P>192.168.3.0/24</P><P>IPSec Tunnels to Sites A &amp; B</P><P>&nbsp;</P><P>The outcome I am looking for is any time Site A or C cannot get to the 192.168.2.0 network through Site A that it will automatically start routing 192.168.2.0 traffic to Site B.</P><P>&nbsp;</P><P>Same for Site B, anytime it cannot get to 192.168.2.0 through its direct connected route, it will pass that traffic to Site A.</P><P>&nbsp;</P><P>The way I have it configured now is with two static routes to 192.168.2.0 with the secondary route having a higher metric and distance but was really wanting a more solid solution that would remove the route the way path monitoring or PBF works.</P> Wed, 23 Jun 2021 12:53:31 GMT JoeJackson 2021-06-23T12:53:31Z https://live.paloaltonetworks.com/t5/general-topics/redundant-static-route-through-two-ipsec-tunnels/m-p/414719#M93166 <P>Hello All,</P><P>I am attempting to setup primary and backup route to the same IP through two different IPSec tunnels. I have attempted both PBF and Static Route Path Monitoring and cant seem to get either to work, in both cases is because there is no IP assigned directly to the tunnel interface.</P><P>&nbsp;</P><P>Here's the layout:</P><P>Site A</P><P>PA-820&nbsp; Int 3&lt;-------------------&gt; Int 1(Service provider Cisco ISR) &nbsp;route to 192.168.2.0/24 (Primary)</P><P>192.168.1.0/24</P><P>IPSec Tunnels to Sites B &amp; C</P><P>&nbsp;</P><P>Site B</P><P>PA-220&nbsp; Int 3&lt;-------------------&gt; Int 1(Service provider Cisco ISR) &nbsp;route to 192.168.2.0/24 (Secondary)</P><P>192.168.2.0/24</P><P>IPSec Tunnels to Sites A &amp; C</P><P>&nbsp;</P><P>&nbsp;</P><P>Sites C</P><P>PA-220</P><P>192.168.3.0/24</P><P>IPSec Tunnels to Sites A &amp; B</P><P>&nbsp;</P><P>The outcome I am looking for is any time Site A or C cannot get to the 192.168.2.0 network through Site A that it will automatically start routing 192.168.2.0 traffic to Site B.</P><P>&nbsp;</P><P>Same for Site B, anytime it cannot get to 192.168.2.0 through its direct connected route, it will pass that traffic to Site A.</P><P>&nbsp;</P><P>The way I have it configured now is with two static routes to 192.168.2.0 with the secondary route having a higher metric and distance but was really wanting a more solid solution that would remove the route the way path monitoring or PBF works.</P> Wed, 23 Jun 2021 12:53:31 GMT https://live.paloaltonetworks.com/t5/general-topics/redundant-static-route-through-two-ipsec-tunnels/m-p/414719#M93166 JoeJackson 2021-06-23T12:53:31Z https://live.paloaltonetworks.com/t5/general-topics/redundant-static-route-through-two-ipsec-tunnels/m-p/414729#M93168 <P>Good Day</P> <P>&nbsp;</P> <P>May I recommend that you simply add an IP address within the tunnel interface, so that you can do tunnel monitoring.</P> <P>PBF, Static Route Path Monitoring, and Tunnel Monitoring would use IPs for either next hops or monitoring IPs.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 23 Jun 2021 13:27:26 GMT https://live.paloaltonetworks.com/t5/general-topics/redundant-static-route-through-two-ipsec-tunnels/m-p/414729#M93168 S.Cantwell 2021-06-23T13:27:26Z https://live.paloaltonetworks.com/t5/general-topics/redundant-static-route-through-two-ipsec-tunnels/m-p/414770#M93177 <P>I did try that. At site A, I added IP 192.168.1.5/24 to the tunnel interface but I get an error that the IP address overlaps with the IP addresses assigned to another interface. How do I fix this?</P> Wed, 23 Jun 2021 15:24:18 GMT https://live.paloaltonetworks.com/t5/general-topics/redundant-static-route-through-two-ipsec-tunnels/m-p/414770#M93177 JoeJackson 2021-06-23T15:24:18Z https://live.paloaltonetworks.com/t5/general-topics/redundant-static-route-through-two-ipsec-tunnels/m-p/414779#M93178 <P>What I would recommend is to have a subnet (could be /30) that would be unique for each VPN.</P> <P>So for a single VPN (have a different subnet... 10.99.99.1/30 on one side and 10.99.99.2/30 on the other, and continue to monitor)</P> <P>&nbsp;</P> <P>That would be for tunnel monitoring (under your IPSec configuration)</P> <P>&nbsp;</P> <P>For the static route path monitor, you could have your virtual router "ping" some IP on the remote side of the VPN.<BR />I believe this may alleviate the need to set up tunnel interfaces, or a way to compliment them.</P> <P>&nbsp;</P> <P>What other questions can we answer.</P> Wed, 23 Jun 2021 15:52:50 GMT https://live.paloaltonetworks.com/t5/general-topics/redundant-static-route-through-two-ipsec-tunnels/m-p/414779#M93178 S.Cantwell 2021-06-23T15:52:50Z