Dual/HA IPsec tunnels with 2 ISPs ?

Showing results for 
Search instead for 
Did you mean: 

Dual/HA IPsec tunnels with 2 ISPs ?

L4 Transporter


I have 2 PaloAltos, one is running on robust and redundant Corp internet ISP, another one on a remote location with 2 public  ADSL (and miserable quality ofc !). My goal is to have a redundant IPsec link between the two PaloAltos :


How would you achieve this ? I have several scenarios in mind:

  • PA2 builds 2 tunnels (one from each ISP) all time and routing is done with BGP (or any other routing protocol), so if a link fails, that routing protocol will timeout and route will vanish from each PA, so traffic will fail to the remaining one.
  • PA2 builds 1 tunnel at a time : a PBF will detect if ISP1 is dead and failover traffic to ISP2. This solution may not work as my lowcost ISPs don't have same public adress, so it would mean that PA2 needs to reset old tunnel before creating new one (does it even support this automatically?). What would be the timeframe of such failover also ?

thank you in advance for your suggestions, feedback and questions !



L6 Presenter

Hi...I believe both scenarios will work.  The 1st scenario is using dynamic routing and one path will be selected over the other.  This requires only dynamic routing to be enabled.

The 2nd method require some static routing and PBF.  You can configure PBF to disable the forwarding rule should the next hop is down, and traffic will take the 2nd path.  The failover time is configurable when you set the monitoring of the next-hop, so you can adjust this to fit your enviroment.


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!