Hi @ChristianBolelli,

Yes, you need to have a separate VPN tunnel with the secondary peer IP, and you need to assign an IP to the tunnel interface. You just need to make sure that the IP you are assigning to the tunnel interface is from your local network which is part of the tunnel encryption domain. Basically, that source IP should be reachable towards the destination servers over the tunnel. If you are doing NAT for the existing tunnel traffic, then you need to do NAT for the tunnel interface IP also. This traffic will travel to the destination via the tunnel.

Once you have this set, you can enable path monitoring on the tunnel.1 route, i.e. Route 1 10.1.0.0/24 metric 10 Tunnel.1, and take one of the ICMP-responding servers from the peer side to add under path monitoring.

Once the primary tunnel fails, the configured destination server will stop responding to ICMP, and once path monitoring fails, Palo Alto will remove the route towards tunnel.1 from the FIB. Traffic will then be sent to the secondary tunnel, i.e. tunnel.2.

Here, I have considered that you are trying to configure two tunnels (Primary & Secondary) for the same encryption domain from your Palo Alto. Hope it helps!