12-17-2025 09:04 AM
Hello Team,
I have two ISPs for site A and site B. We have configured tunnel.1, 2, 3 and 4. For all the tunnels I configured tunnel monitoring for failover.
My primary tunnel is up and working fine. However, all the backup tunnels are down; the tunnel status is showing red.
Can anyone tell me if this is expected?
12-17-2025 11:31 AM
On Palo Alto Networks firewalls, the IPSec tunnel interface status can be driven by tunnel monitoring, not just by whether IKE/IPSec SAs exist.
Red/DOWN can mean: tunnel monitor is enabled and the monitoring IP is unreachable, so PAN-OS brings the tunnel interface down (especially when the monitor profile action is Fail Over).
In a “primary/backup” design, if the routing prefers Tunnel.1, then the firewall may have no valid working path over Tunnel.2/3/4 to reach the monitor destination(s) you configured for those tunnels, so their monitors fail and they go red.
This is a common misconfiguration pattern: the monitor destination is reachable via the primary tunnel, but not reachable via each backup tunnel specifically.
Palo Alto can absolutely have multiple tunnels UP at the same time, but tunnel monitoring can intentionally force a tunnel interface DOWN if its monitor destination is not reachable (by design, to remove routes and trigger failover).
Monitor destination per tunnel
Each tunnel should monitor an IP that is reachable only via that tunnel (typical: the remote tunnel interface IP when using route-based VPN).
If the monitored IP is “behind” the far side, make sure it’s actually reachable through that specific tunnel during steady state.
Ensure the monitor traffic is forced over the intended tunnel
The monitor probe follows forwarding; if the “best” route to the monitor destination points at Tunnel.1, then Tunnel.2’s monitor will fail.
Fix by using a monitor destination that is topologically tied to that tunnel (again: remote tunnel interface IP is the usual approach for route-based).
Policy-based VPN / Proxy-IDs
If any of these are policy-based, ensure the monitor destination IPs are covered by Proxy-ID/traffic selectors, otherwise the monitor pings may never match the IPsec SA and will fail. (PAN-OS tunnel monitoring guidance calls out proxy-ID considerations in failover designs.)
From the firewall CLI, check whether it’s the monitor driving the red status:
show vpn flow (the PANW KB explicitly references using this to interpret monitor/tunnel status issues).
Also review the System logs for tunnel monitor events (look for tunnel-status-down / monitor failures).
“Red/DOWN on the backup tunnels is expected if tunnel monitoring is configured and the monitoring IP for those tunnels is not reachable via each tunnel. In PAN-OS, tunnel monitoring can intentionally bring a tunnel interface down (especially with Fail Over action) to withdraw routes and enable failover. We should adjust the monitor destination (typically remote tunnel interface IP) and/or routing/traffic-selectors so each tunnel’s monitor probe is reachable over that specific tunnel.”
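The following is an added illustration of the two points made in the answer above (the monitor probe follows forwarding, and on policy-based tunnels the destination must fall inside a proxy-ID); it is not part of the original post and is not Palo Alto Networks code. It models a route lookup over a small constructed routing table and reports which tunnel monitors would come up. All prefixes, addresses, metrics, interface names and proxy-IDs are assumptions chosen for the example, not the poster's configuration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of how a tunnel-monitor probe follows the routing table.
# Routes, addresses and interface names are assumptions for illustration only.

@dataclass
class Route:
    prefix: str        # destination prefix, e.g. "10.20.0.0/16"
    interface: str     # egress interface, e.g. "tunnel.1"
    metric: int = 10   # lower wins among equal-length prefixes

@dataclass
class TunnelMonitor:
    tunnel: str                                    # tunnel interface the monitor profile is bound to
    destination: str                               # configured monitor destination IP
    proxy_ids: list = field(default_factory=list)  # remote proxy-ID networks; empty = route-based

def lookup(routes, dst):
    """Longest-prefix match with metric as tiebreaker; returns the egress interface or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if ip in net:
            key = (net.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r.interface)
    return best[1] if best else None

def evaluate_monitor(routes, mon):
    """Return ("up"|"down", reason) for one monitor: the probe must leave via the
    monitored tunnel and, for a policy-based tunnel, match a remote proxy-ID."""
    egress = lookup(routes, mon.destination)
    if egress != mon.tunnel:
        return "down", f"probe to {mon.destination} egresses via {egress}, not {mon.tunnel}"
    if mon.proxy_ids:
        ip = ipaddress.ip_address(mon.destination)
        if not any(ip in ipaddress.ip_network(p) for p in mon.proxy_ids):
            return "down", f"{mon.destination} is outside proxy-IDs {mon.proxy_ids}"
    return "up", "probe follows the monitored tunnel"

def evaluate_all(routes, monitors):
    """Map each tunnel name to its expected monitor status."""
    return {m.tunnel: evaluate_monitor(routes, m)[0] for m in monitors}

# Constructed routing table: the remote LAN is preferred via tunnel.1 with the
# backups ordered by metric, plus the /30 connected to each tunnel interface
# (the remote end of each /30 is .2).
ROUTES = [Route("10.20.0.0/16", f"tunnel.{n}", metric=10 * n) for n in (1, 2, 3, 4)]
ROUTES += [Route(f"169.254.{n}.0/30", f"tunnel.{n}") for n in (1, 2, 3, 4)]

# The pattern described in the thread: every tunnel monitors the same host behind the far side.
SAME_HOST_MONITORS = [TunnelMonitor(f"tunnel.{n}", "10.20.0.1") for n in (1, 2, 3, 4)]

# The fix: each tunnel monitors its own remote tunnel-interface IP.
PER_TUNNEL_MONITORS = [TunnelMonitor(f"tunnel.{n}", f"169.254.{n}.2") for n in (1, 2, 3, 4)]

# Policy-based variant: the destination routes correctly but sits outside the
# proxy-ID, so the probe never matches the IPsec SA.
POLICY_BASED_MONITOR = TunnelMonitor("tunnel.2", "169.254.2.2", proxy_ids=["10.20.0.0/16"])

if __name__ == "__main__":
    for label, mons in (("same-host", SAME_HOST_MONITORS), ("per-tunnel", PER_TUNNEL_MONITORS)):
        print(label)
        for m in mons:
            status, reason = evaluate_monitor(ROUTES, m)
            print(f"  {m.tunnel}: {status} ({reason})")
    print("policy-based tunnel.2:", evaluate_monitor(ROUTES, POLICY_BASED_MONITOR))
```

With the same-host monitors only tunnel.1 comes up, because the longest-prefix match for 10.20.0.1 points at tunnel.1 and the other three probes never leave via the tunnel they are meant to test; with per-tunnel destinations all four come up. The policy-based case shows the other failure mode from the answer: a reachable destination that no proxy-ID covers.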

