Palo Alto S2S VPN failover with Dual ISP

Basic S2S VPN configurations:

PA-2

1. Create two tunnel interfaces (one per ISP) and add both to the VPN zone


2. Using the default IKE Crypto profile and IPSec Crypto profile, add two IKE gateways to PA-3, each bound to a different local (ISP-facing) interface and local IP. The default profiles are fine for a lab; in production, define profiles with current algorithms and use IKEv2.

3. Add two IPSec tunnels, each using its own IKE gateway and its own tunnel interface

4. Add two static routes to the remote LAN, one via each tunnel interface, with different metrics (the lower metric is the primary path)

5. Add a Security Policy allowing traffic between the trust zone and the VPN zone

PA-3

1. Create two tunnel interfaces and add both to the VPN zone


2. Using the default IKE Crypto profile and IPSec Crypto profile, add two IKE gateways to PA-2, each pointing at a different PA-2 remote IP (one per ISP)


3. Add two IPSec tunnels, each using its own IKE gateway and its own tunnel interface


4. Add two static routes to the remote LAN, one via each tunnel interface, with different metrics

5. Add a Security Policy allowing traffic between the trust zone and the VPN zone


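The PA-2 side of steps 1 to 5 above in PAN-OS set-command form, as an added worked example that is not part of the original post. Interface names (ethernet1/1 on ISP1, ethernet1/2 on ISP2), zone names, all addresses (RFC 5737 documentation ranges), the gateway and tunnel names and the PSK placeholder are assumed for illustration; the syntax is written from memory of the PAN-OS configure-mode CLI and should be checked against the CLI of the PAN-OS version in use before committing.

```text
# ---- 1. tunnel interfaces, in the VPN zone and the default virtual router ----
# (assumed: tunnel /30s are used later as tunnel-monitor and path-monitor targets)
set network interface tunnel units tunnel.1 ip 10.255.1.1/30
set network interface tunnel units tunnel.2 ip 10.255.2.1/30
set network virtual-router default interface tunnel.1
set network virtual-router default interface tunnel.2
set zone VPN network layer3 tunnel.1
set zone VPN network layer3 tunnel.2

# ---- 2. two IKE gateways to PA-3, one per ISP interface ----
# (assumed: PA-3 public address 192.0.2.3; PA-2 ISP1 203.0.113.2, ISP2 198.51.100.2)
set network ike gateway GW-ISP1 protocol version ikev2
set network ike gateway GW-ISP1 protocol ikev2 ike-crypto-profile default
set network ike gateway GW-ISP1 protocol ikev2 dpd enable yes
set network ike gateway GW-ISP1 authentication pre-shared-key key <PSK>
set network ike gateway GW-ISP1 local-address interface ethernet1/1
set network ike gateway GW-ISP1 local-address ip 203.0.113.2/24
set network ike gateway GW-ISP1 peer-address ip 192.0.2.3

set network ike gateway GW-ISP2 protocol version ikev2
set network ike gateway GW-ISP2 protocol ikev2 ike-crypto-profile default
set network ike gateway GW-ISP2 protocol ikev2 dpd enable yes
set network ike gateway GW-ISP2 authentication pre-shared-key key <PSK>
set network ike gateway GW-ISP2 local-address interface ethernet1/2
set network ike gateway GW-ISP2 local-address ip 198.51.100.2/24
set network ike gateway GW-ISP2 peer-address ip 192.0.2.3

# ---- 3. two IPSec tunnels, each bound to its own gateway and tunnel interface ----
set network tunnel ipsec VPN-ISP1 auto-key ike-gateway GW-ISP1
set network tunnel ipsec VPN-ISP1 auto-key ipsec-crypto-profile default
set network tunnel ipsec VPN-ISP1 tunnel-interface tunnel.1
set network tunnel ipsec VPN-ISP2 auto-key ike-gateway GW-ISP2
set network tunnel ipsec VPN-ISP2 auto-key ipsec-crypto-profile default
set network tunnel ipsec VPN-ISP2 tunnel-interface tunnel.2

# ---- 4. static routes: remote LAN via each tunnel (primary = lower metric) ----
# (assumed: remote LAN 10.3.0.0/24 behind PA-3; ISP next hops 203.0.113.1 / 198.51.100.1)
set network virtual-router default routing-table ip static-route TO-PA3-LAN-1 destination 10.3.0.0/24 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route TO-PA3-LAN-2 destination 10.3.0.0/24 interface tunnel.2 metric 20
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route DEFAULT-ISP2 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 20

# ---- 5. security policy between the trust zone and the VPN zone ----
# (assumed: local LAN 10.2.0.0/24 in zone TRUST)
set rulebase security rules TRUST-TO-VPN from TRUST to VPN source 10.2.0.0/24 destination 10.3.0.0/24 application any service application-default action allow
set rulebase security rules VPN-TO-TRUST from VPN to TRUST source 10.3.0.0/24 destination 10.2.0.0/24 application any service application-default action allow

commit
```

Two things worth checking after the commit: `show vpn ike-sa` and `show vpn ipsec-sa` should list both gateways and both tunnels, and `show routing route` should show only the metric-10 route to 10.3.0.0/24 as active. Because both gateways point at the same PA-3 address, the secondary gateway's IKE traffic follows whichever default route is active; with an ISP that filters by source address, the second tunnel may only come up once the ISP1 default route has been withdrawn, which is one reason the path monitor on the default route in the failover section matters.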
===============

VPN failover

1. DPD detects that the peer is down, but the firewall does not remove the static route when it does: the tunnel interface stays up regardless of the SA state, so the route via tunnel.1 remains active and traffic is black-holed. DPD by itself therefore cannot be used for VPN failover.

It takes about 5 minutes to tear down the P1 and P2 SAs.


IKEv2 uses a liveness check (instead of DPD) to detect network connectivity problems:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgcCAC



2. Tunnel Monitoring

The firewall sends ICMP probes through the tunnel to the monitored destination IP (normally the peer's tunnel interface address). When the monitor fails and the monitor profile action is Fail Over, the tunnel interface is brought down and the static route to the remote LAN via that tunnel is withdrawn, so the lower-priority route via the second tunnel takes over. The static route to the remote peer (the default route via ISP1) stays active, however, unless the ISP-facing link itself goes down.

For an indirect ISP failure (link up, upstream unreachable) Path Monitoring on the default route is therefore also required, so that the ISP1 default route is withdrawn and IKE/IPSec can rebuild over ISP2.

The monitor profile is configured under Network > Network Profiles > Monitor.

The monitor ping is sourced from the tunnel interface, which is in the VPN zone; if the monitored destination is also in the VPN zone and intrazone-default is set to allow, no explicit security rule is required for it.


When ISP1 is down

PA-2:



But if PA-3 does not have Tunnel Monitoring configured, it will not fail over to the second tunnel: its tunnel interface toward PA-2 stays up, so its route to the PA-2 LAN still points at the dead tunnel and return traffic is black-holed. Tunnel Monitoring therefore needs to be configured on both ends.

Monitor status can be seen from the CLI (for example, the monitor status column of show vpn flow):


When ISP1 is restored, the path monitor comes back up, the primary VPN is re-established and traffic is re-routed to the primary VPN (its route has the lower metric).

Related system logs:




3. Use Path Monitoring on the static routes via the tunnels instead of Tunnel Monitoring




6 ping packets were lost during the VPN failover.
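The failover configuration for sections 2 and 3 above on PA-2, as an added worked example that is not from the original post: a monitor profile with the Fail Over action, Tunnel Monitoring on both IPSec tunnels, Path Monitoring on the ISP1 default route for the indirect-failure case, and (section 3) Path Monitoring on the tunnel route as the alternative to Tunnel Monitoring. It assumes tunnels named VPN-ISP1/VPN-ISP2 on tunnel.1 (10.255.1.1/30, peer 10.255.1.2) and tunnel.2 (10.255.2.1/30, peer 10.255.2.2), a default route named DEFAULT-ISP1 out of ethernet1/1 (203.0.113.2) and a remote-LAN route named TO-PA3-LAN-1 via tunnel.1; names, addresses and timers are illustrative, and the set-command syntax is from memory and should be verified on the PAN-OS version in use.

```text
# ---- Network > Network Profiles > Monitor ----
# Fail Over brings the tunnel interface down after <threshold> missed probes,
# which is what withdraws the static route; the default Wait Recover action does not.
set network profiles monitor-profile TM-FAILOVER action fail-over
set network profiles monitor-profile TM-FAILOVER interval 3
set network profiles monitor-profile TM-FAILOVER threshold 5

# ---- Tunnel Monitoring on both tunnels (configure the mirror of this on PA-3 too) ----
# The destination is the peer's tunnel interface IP (assumed). The peer must answer
# ICMP on that address, i.e. an interface management profile with ping enabled on
# its tunnel interface.
set network tunnel ipsec VPN-ISP1 tunnel-monitor enable yes
set network tunnel ipsec VPN-ISP1 tunnel-monitor destination-ip 10.255.1.2
set network tunnel ipsec VPN-ISP1 tunnel-monitor tunnel-monitor-profile TM-FAILOVER
set network tunnel ipsec VPN-ISP2 tunnel-monitor enable yes
set network tunnel ipsec VPN-ISP2 tunnel-monitor destination-ip 10.255.2.2
set network tunnel ipsec VPN-ISP2 tunnel-monitor tunnel-monitor-profile TM-FAILOVER

# ---- Path Monitoring on the ISP1 default route (indirect ISP failure) ----
# Probes PA-3's public address (assumed 192.0.2.3) from the ISP1 interface IP; when the
# probe fails the default route via ISP1 is withdrawn, the ISP2 default route becomes
# active and IKE/IPSec rebuild over ISP2.
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor enable yes
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor failure-condition any
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor hold-time 2
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor monitor-destinations ISP1-PROBE enable yes
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor monitor-destinations ISP1-PROBE source 203.0.113.2/24
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor monitor-destinations ISP1-PROBE destination 192.0.2.3
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor monitor-destinations ISP1-PROBE interval 3
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor monitor-destinations ISP1-PROBE count 5

# ---- Section 3 alternative: Path Monitoring on the tunnel route instead of Tunnel Monitoring ----
# Probes the peer's tunnel IP through tunnel.1; on failure only this static route is
# withdrawn (the tunnel interface stays up), and the metric-20 route via tunnel.2 takes over.
set network virtual-router default routing-table ip static-route TO-PA3-LAN-1 path-monitor enable yes
set network virtual-router default routing-table ip static-route TO-PA3-LAN-1 path-monitor failure-condition any
set network virtual-router default routing-table ip static-route TO-PA3-LAN-1 path-monitor hold-time 2
set network virtual-router default routing-table ip static-route TO-PA3-LAN-1 path-monitor monitor-destinations PA3-TUN1 enable yes
set network virtual-router default routing-table ip static-route TO-PA3-LAN-1 path-monitor monitor-destinations PA3-TUN1 source 10.255.1.1/30
set network virtual-router default routing-table ip static-route TO-PA3-LAN-1 path-monitor monitor-destinations PA3-TUN1 destination 10.255.1.2
set network virtual-router default routing-table ip static-route TO-PA3-LAN-1 path-monitor monitor-destinations PA3-TUN1 interval 3
set network virtual-router default routing-table ip static-route TO-PA3-LAN-1 path-monitor monitor-destinations PA3-TUN1 count 5

commit
```

To verify the behaviour described above, watch `show vpn flow` (monitor status per tunnel) and `show routing route` while ISP1 is taken down: with the tunnel monitor, tunnel.1 goes down and both the tunnel route and the route to the remote LAN disappear; with the section 3 path monitor only the monitored static route disappears. In either case failover time is roughly interval x count (or interval x threshold) plus hold-time, which is the window in which the ping loss noted above occurs; shortening the timers trades faster failover for more sensitivity to transient loss.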


Dual ISP VPN site to site Tunnel Failover with Static Route Path-Monitoring

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

