VPN IPSEC secondary peer



I have an IPsec VPN in production; now I have to add a secondary remote peer.

It's the first time I have had to configure a 2nd peer.

If I understood correctly, I can't simply add a secondary peer to the VPN; I have to configure a new IPsec VPN, and the difference is the static route related to the remote network.

For example, I should have:

Remote net:

Route 1 metric 10 Tunnel.1

Route 2 metric 20 Tunnel.2


If the primary peer stops responding, how can I turn off Route 1?

Tunnel.1 and .2 don't have an IP, and the inside interface of the PA is not included in the local network.

Can I add an IP to Tunnel.1 like and NAT it with the external IP of the PA, and set the path monitor of "Route 1" like
Destination: Primary Peer
So Route 1 pings the primary peer. If the peer stops responding, the PA removes Route 1 from the routing table and the secondary VPN starts working because Route 2 is the only active one.







Cyber Elite

Hi @ChristianBolelli ,





Yes, you need to have a separate VPN tunnel with the secondary peer IP, and you need to assign the IP to the tunnel interface. You just need to make sure that the IP you are assigning to the tunnel interface is from your local network, which is part of the tunnel encryption domain. Basically, that source IP should be reachable towards the destination servers over the tunnel. If you are doing NAT for the existing tunnel traffic, then you need to do NAT for the tunnel interface IP also. This traffic will travel to the destination via the tunnel.

Once you have this set, you can enable path monitoring on the tunnel.1 route, i.e. Route 1 metric 10 Tunnel.1, and take one of the ICMP-responding servers on the peer side to add under path monitoring. Once the primary tunnel fails, the configured destination server will stop responding to ICMP, and once path monitoring fails, Palo Alto will remove the route towards tunnel.1 from the FIB. Traffic will then be sent to the secondary tunnel, i.e. tunnel.2.

Here, I have considered that you are trying to configure two tunnels (Primary & Secondary) for the same encryption domain from your Palo Alto.


Hope it helps!



So the path monitor MUST pass through the tunnel? In my example the Tunnel.1 IP should be NATed with the PA outside interface and reach the public IP of the remote peer. The idea is to monitor the public IP and not internal resources.

Cyber Elite

Hi @ChristianBolelli, will your peer allow ICMP traffic on their public IP?

Also, in addition to this: if they allow it and you configure it, it won't help you in some scenarios like the one given below:

Your tunnel is having issues, like Phase-1 and/or Phase-2 being down. In this case, the peer end's public IP may respond to ICMP but tunnel resources may become unreachable.
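
The trade-off raised in the reply above, as an added example that is not part of any post in this thread: a small Python model (not PAN-OS code) of Route 1 / Route 2 selection under path monitoring, comparing a monitor aimed at the peer's public IP with one aimed at a host behind the peer. It assumes the public-IP probe can be made to work at all and that tunnel.2 stays healthy; the names `peer-public-ip` and `host-behind-peer` and the scenario states are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    interface: str
    metric: int
    monitor: Optional[str] = None  # path-monitor destination; None = unmonitored

# Constructed primary-peer states (illustrative, not captured from a firewall).
SCENARIOS = {
    "healthy":     {"peer_ip": True,  "phase1": True,  "phase2": True},
    "peer_dead":   {"peer_ip": False, "phase1": False, "phase2": False},
    "phase2_down": {"peer_ip": True,  "phase1": True,  "phase2": False},
}

def tunnel_usable(s):
    """tunnel.1 carries traffic only if the peer answers and both phases are up."""
    return s["peer_ip"] and s["phase1"] and s["phase2"]

def probe_ok(target, s):
    """Model one ICMP path-monitor probe for Route 1."""
    if target == "peer-public-ip":
        # NATed to the outside interface: never enters the IPsec tunnel.
        return s["peer_ip"]
    if target == "host-behind-peer":
        # Sourced from the tunnel IP: must traverse tunnel.1 end to end.
        return tunnel_usable(s)
    raise ValueError(target)

def select_interface(routes, s):
    """Withdraw routes whose monitor fails; lowest metric among the rest wins."""
    installed = [r for r in routes
                 if r.monitor is None or probe_ok(r.monitor, s)]
    return min(installed, key=lambda r: r.metric).interface

def outcome(monitor, scenario):
    """Return (egress interface, traffic delivered?) for one monitor choice."""
    s = SCENARIOS[scenario]
    routes = [Route("tunnel.1", 10, monitor), Route("tunnel.2", 20)]
    egress = select_interface(routes, s)
    # Assumption: the secondary tunnel is always healthy in this model.
    delivered = egress == "tunnel.2" or tunnel_usable(s)
    return egress, delivered

if __name__ == "__main__":
    for monitor in ("peer-public-ip", "host-behind-peer"):
        for name in SCENARIOS:
            print(f"{monitor:17} {name:12} -> {outcome(monitor, name)}")
```

In the `phase2_down` scenario the public-IP monitor keeps Route 1 installed and traffic is dropped, while the in-tunnel monitor withdraws it and traffic moves to tunnel.2.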



Yes, they allow ICMP traffic.


I now have a lab. I've set an IP on Tunnel.1 and a path monitor as below:



Static route

Route1 interface Tunnel.1
Path monitor
Dst: Remote Peer ip

On Security rule
dst: Remote-PeerIP

Application: Ping/icmp

Original source:
Original dst: Remote-PeerIP
Translated src: Dynamic IP and port, with the Palo Alto public IP
Translated dst: original


From CLI:

ping source host Remote-PeerIP
It answers as expected; we captured the traffic on the test remote ASA and we see the ICMP packets coming from the Palo Alto public IP.

But the Path monitor tab is still in the "down" state.




I'm trying to understand if it's possible to monitor the Remote Peer IP (customer request) instead of a resource inside the IPsec tunnel.
So the IP assigned to Tunnel.1 is not included in the ProxyID, because I want to ping the peer IP.
Via CLI the ping works:

PA>ping source "Tunnel.1-IP" host "Remote-Peer-IP"
But with the same data on the path monitor it fails.

To make a long story short, I want to know if I can define a secondary VPN that switches when the Remote Peer IP goes down, because the customer wants to avoid monitoring a resource inside the VPN.
(Like on the ASA, where we can simply set the secondary peer and it works without any other configuration.)


If you have, say, OSPF set up on both VPN endpoints, it should see the down link and route around it.

