We have had a site-to-site VPN set up between our home office and branch office for about six months. We have a pair of PA-500 at the branch, and a pair of PA-3020 at the home office. The home office has two ISPs set up in a dual-vr failover configuration, and the branch has just a single ISP. I tried to set up a second IPSec site-to-site VPN from the backup ISP at the home office so if the primary ISP at the home office fails we could keep the link up, but Phase I doesn't even try to come up on either side (no system error messages or anything). I pretty much followed these instructions, modifying for only having one ISP at the branch office.
My only current working theory of what is causing the second site-to-site not to come up is that I'm trying to terminate two tunnels on the same IP at the branch office, but that doesn't hold much water. Any quick hints, or should I go to TAC with this one?
Are you sure it was actively trying to come up? If this is a redundancy thing and none of your traffic was actively trying to go that route, then the PA wouldn't bring the tunnel up because no traffic was destined for that route. The tunnel needs traffic to activate; if you want it to come up without traffic, the 'test' command is the best way to force it.
+1 to @BPry. The test vpn command actually forces/simulates traffic through the tunnel. Not sure about P1, but I guess it is the same as for P2 (interesting traffic). What I meant is that P1 would not come up by itself; it needs some traffic to trigger it.
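The PAN-OS CLI sequence the two replies above are pointing at, written out as an added example (this is not from either poster). The gateway name `Branch-Backup-GW`, the tunnel name `Branch-Backup-Tunnel` and the `PA-3020` prompt are placeholders; substitute the IKE gateway and tunnel interface objects configured for the backup-ISP tunnel. The point it demonstrates is the one made in the thread: a site-to-site tunnel with no interesting traffic behind it never starts negotiating, so "nothing in the logs" is expected until something forces the negotiation.

```text
# 1. Baseline: no IKE SA should exist yet for the backup gateway.
admin@PA-3020> show vpn ike-sa gateway Branch-Backup-GW

# 2. Force Phase 1 (IKE SA) for that gateway without waiting for traffic.
admin@PA-3020> test vpn ike-sa gateway Branch-Backup-GW

# 3. Force Phase 2 (IPSec SA) for the tunnel that uses that gateway.
admin@PA-3020> test vpn ipsec-sa tunnel Branch-Backup-Tunnel

# 4. Re-check state. An IKE SA with a remaining lifetime means Phase 1 is up;
#    an IPSec SA with SPIs for the tunnel means Phase 2 is up.
admin@PA-3020> show vpn ike-sa gateway Branch-Backup-GW
admin@PA-3020> show vpn ipsec-sa tunnel Branch-Backup-Tunnel
admin@PA-3020> show vpn flow

# 5. Only after the test command has been run is there a negotiation attempt
#    to read about; the IKE daemon's log is where a Phase 1 failure shows up.
admin@PA-3020> less mp-log ikemgr.log
```

Run the same `show` commands on the branch PA-500 at the same time: if the home-office side reports that it sent proposals but the branch side shows no IKE SA at all for that peer, the problem is on the path or the peer selection, not in the configured proposals.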