Good morning, in production we have a pair of PA-440 in HA (10.1.5). The firewalls have been configured with double VR as described in this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK The firewalls are connected to two Internet links with two different Providers. We have therefore configured two Portals and two Gateways in order to have two independent VPN connections that can be used simultaneously or when for example one of the ISPs is down. We are experiencing the following problem: if both internet links are up, then the two VPNs with GP are working fine. If instead the primary link is down, then the VPN with the secondary link does not work, more precisely the authentication with the Portal is successful, but then the connection to the Gateway does not work. We found the exact same behavior also on a PA-820 unit (10.1.4) configured in the same way with double VR and double ISP. In the GP logs we have "gateway-switch-to-ssl" and on GP client we have the error "Failed to verify the certificate" regardless if the auth profile is username/password or client certificates. Could you kindly help us figure out what is not configured correctly? Thank you very much GlobalProtect
... View more