Failover IPSEC tunnels with tunnel monitor keeps both tunnels active

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Failover IPSEC tunnels with tunnel monitor keeps both tunnels active

L1 Bithead

We have just configured 2 IPSEC tunnels with a remote palo.  Both sides have 2 IPSEC tunnels with tunnel monitor and DPD configured.  For some odd reason, the when the primary tunnel is active and has active routes going to it, the secondary tunnel still shows active.  Traffic is still flowing the way it should, I never see the traffic change to the secondary tunnel.  The tunnel monitoring never disables the second tunnel.  Did we over look something in our configuration?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@emarschang,

This would be expected behavior in a properly configured dual tunnel configuration. You want both tunnels to be online and established and your primary passing traffic until it goes down; once the primary goes down the route is removed and traffic just moves to the already established secondary tunnel that is just waiting to take over traffic from the primary.

 

 

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

@emarschang,

This would be expected behavior in a properly configured dual tunnel configuration. You want both tunnels to be online and established and your primary passing traffic until it goes down; once the primary goes down the route is removed and traffic just moves to the already established secondary tunnel that is just waiting to take over traffic from the primary.

 

 

Thank you for that explanation.  Also is it normal to have repeated firewall alerts/emails stating that Tunnel A is up/down Tunnel B is up/down?  Or is this being generated due something going with the connection of the tunnels?  This is the experience we were having yesterday after configuring the dual tunnels.  The primary tunnel swapped over, and traffic was flowing properly, but got bombarded with tunnel up/down alerts.

I have a similar issue. I have created 2 tunnels on single palo with 2 different peer ip’s ( remote end using different fw). Both tunnela at my end are active but traffic flows through primary only. Issue is when recently i tried to do resiliency test, i shut down primary , traffic disn’t moved to secondary. What do i need to check?

  • 1 accepted solution
  • 1179 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!