Site to Site VPNs HA


L0 Member

Hello team, currently we have 2 VPN S2S, one as primary and the other one as secondary.
Primary uses our primary ISP against the primary ISP of my peer, tunnel10, static route metric 10.
Secondary one uses our secondary ISP against the secondary ISP of my peer, tunnel11, static route metric 11.

This is the environment, so both VPNs are active but all the traffic is going through tunnel10 because it's my primary one due to the metric.

How can I HA both VPNs? Which is the best option?

1.- Use tunnel monitor on primary VPN (ipsec tunnel, general, advanced options)
2.- Use Path Monitoring on the primary static route?

What is my best option and what is the comparison, pros and cons, for both methods?

1 REPLY

Cyber Elite

Hello @soc_mlopez

thanks for the post!

If you would like to route traffic through both VPN tunnels at the same time, you will have to enable ECMP and use a routing protocol (for example OSPF) to advertise prefixes equally across both tunnel interfaces. Details of this setup are described in this KB: OSPF over IPSec with load balancing via ECMP dual ISP.

A more advanced option of the above setup would be to use OSPF to advertise a Loopback interface IP address across both tunnels and then establish BGP between the loopback IP addresses of both Firewalls. In this case OSPF would serve as a transport to advertise the Loopback IP address over which BGP establishes the session that will be used to route traffic across both tunnels. If one of the tunnels goes down or an ISP link is flapping (up/down/up event), the BGP session still remains up.

Based on the information in your post it looks like you do not have any dynamic routing in place, which might cause extra complexity; however, by using dynamic routing you can utilize both tunnels at the same time without avoiding asymmetric routing. With static route path monitoring you will likely still be running VPN tunnel routing in an active / standby scenario with a failover option when path monitoring fails. If path monitoring is not set up properly on the other side of the tunnel you might be blackholing traffic or causing asymmetric routing.

Kind Regards

Pavel
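The failure modes Pavel describes (blackholing when only one peer withdraws its primary route, asymmetric routing when the peers disagree about the tunnel's health, and why the original two-metric design never uses both tunnels) can be made concrete with a small routing-table model. The following is an added example, not code from the thread and not PAN-OS configuration; it assumes a simplified rule that a static route with path monitoring is withdrawn from the forwarding table as soon as its probes fail, that an unmonitored route is never withdrawn, and that ECMP installs every route at the best metric. Interface names `tunnel.10` / `tunnel.11` and the `classify` outcomes are the example's own labels.

```python
from dataclasses import dataclass, field

# Health of the underlay path a tunnel rides on (constructed states for the model)
UP, DEGRADED, DOWN = "up", "degraded", "down"


@dataclass
class StaticRoute:
    interface: str               # tunnel interface the route points at
    metric: int
    path_monitor: bool = False   # assumption: the monitor probes the peer's tunnel IP


@dataclass
class Firewall:
    name: str
    routes: list = field(default_factory=list)
    ecmp: bool = False           # install every equal-metric route instead of one


def installed_routes(fw, tunnel_state):
    """Routes that make it into the forwarding table.

    A monitored route is withdrawn as soon as its probes fail (DEGRADED or DOWN).
    An unmonitored route stays installed whatever the tunnel does, which is exactly
    how traffic ends up in a black hole.  Among installed routes the lowest metric
    wins; with ECMP every route at that metric is kept.
    """
    live = [r for r in fw.routes
            if not r.path_monitor or tunnel_state.get(r.interface, UP) == UP]
    if not live:
        return []
    best = min(r.metric for r in live)
    chosen = [r for r in live if r.metric == best]
    return chosen if fw.ecmp else chosen[:1]


def egress(fw, tunnel_state):
    """Sorted list of tunnel interfaces this firewall forwards the peer prefix into."""
    return sorted(r.interface for r in installed_routes(fw, tunnel_state))


def classify(site_a, site_b, tunnel_state):
    """Outcome for a flow between the two peers.

    blackhole : at least one direction is forwarded into a DOWN tunnel (or has no route)
    asymmetric: both directions pass, but over different tunnel sets
    symmetric : both directions use the same tunnel set
    """
    a, b = egress(site_a, tunnel_state), egress(site_b, tunnel_state)
    if not a or not b or any(tunnel_state.get(i, UP) == DOWN for i in a + b):
        return "blackhole"
    return "symmetric" if a == b else "asymmetric"


def build_site(name, monitor_primary):
    """A site with the thread's two routes: tunnel.10 metric 10, tunnel.11 metric 11."""
    return Firewall(name, [StaticRoute("tunnel.10", 10, monitor_primary),
                           StaticRoute("tunnel.11", 11)])


def build_ecmp_site(name):
    """Equal-cost variant: both tunnels at metric 10 with ECMP enabled."""
    return Firewall(name, [StaticRoute("tunnel.10", 10), StaticRoute("tunnel.11", 10)], ecmp=True)


def scenarios():
    """Run the cases discussed in the thread and return their outcomes by name."""
    both = (build_site("A", True), build_site("B", True))
    one_side = (build_site("A", True), build_site("B", False))
    none = (build_site("A", False), build_site("B", False))
    ecmp = (build_ecmp_site("A"), build_ecmp_site("B"))
    return {
        # healthy network: the metric-10 route wins on both sides
        "healthy": classify(*both, {"tunnel.10": UP, "tunnel.11": UP}),
        # primary ISP dies and both peers monitor: both move to tunnel.11
        "primary_down_both_monitor": classify(*both, {"tunnel.10": DOWN}),
        # only one peer monitors: B keeps returning traffic into the dead tunnel
        "primary_down_one_monitor": classify(*one_side, {"tunnel.10": DOWN}),
        # nobody monitors: the metric-10 route never leaves either forwarding table
        "primary_down_no_monitor": classify(*none, {"tunnel.10": DOWN}),
        # lossy but not dead primary: A's probes fail and it moves, B does not
        "primary_degraded_one_monitor": classify(*one_side, {"tunnel.10": DEGRADED}),
        # equal-cost routes with ECMP: both tunnels carry traffic in both directions
        "ecmp_healthy": classify(*ecmp, {}),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:30} -> {outcome}")
```

The `primary_down_one_monitor` and `primary_degraded_one_monitor` cases are the two warnings in the reply: with monitoring on one side only, a dead primary blackholes the return direction, and a merely lossy primary splits the two directions across different tunnels. The `ecmp_healthy` case shows why the thread's metric 10 / metric 11 design cannot use both tunnels at once: ECMP only spreads traffic across routes that share the best metric, which is what the OSPF setup in the reply provides.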
