GP disconnects in a set up with two ISPs when the primary link is down and users try to connect using the secondary link

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

GP disconnects in a set up with two ISPs when the primary link is down and users try to connect using the secondary link

L1 Bithead

Good morning,

in production we have a pair of PA-440 in HA (10.1.5). The firewalls have been configured with double VR as described in this article:

The firewalls are connected to two Internet links with two different Providers.

We have therefore configured two Portals and two Gateways in order to have two independent VPN connections that can be used simultaneously or when for example one of the ISPs is down.

We are experiencing the following problem:

if both internet links are up, then the two VPNs with GP are working fine.

If instead the primary link is down, then the VPN with the secondary link does not work, more precisely the authentication with the Portal is successful, but then the connection to the Gateway does not work.

We found the exact same behavior also on a PA-820 unit (10.1.4) configured in the same way with double VR and double ISP.


In the GP logs we have "gateway-switch-to-ssl" and on GP client we have the error "Failed to verify the certificate" regardless if the auth profile is username/password or client certificates.


Could you kindly help us figure out what is not configured correctly?


Thank you very much




Cyber Elite
Cyber Elite


That article is not for Global Protect but for site to site tunnels. I accomplish the same thing without using two VR's but I use OSPF and weighted metrics instead. I think for Global Protect, you would need to utilize something like multiple Gaterways:



L1 Bithead



yes I read that article and my set up is as the second picture

  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!