Cisco ASA to Palo Alto Site to Site IPSEC VPN Failover


Today I’m going to show you exactly how to configure IPSEC failover between a Cisco ASA and A Palo Alto.


1 ASA, 2 wan circuits

1 Palo, 1 wan circuit



Let’s assume at the ASA side is our primary WAN circuit and is the backup circuit we have just added.


I’m assuming you’ve already configured WAN failover, but if you have not click here to learn how to do that.

Now let’s configure the Site to Site VPN:

object network LAN



object network EASTLAN



object network EASTLAN2



object-group network EASTNETWORKS

network-object object EASTLAN

network-object object EASTLAN2


access-list VPN extended permit ip object-group EASTNETWORKS

nat (inside,outside1) source static EASTNETWORKS EASTNETWORKS destination static EASTNETWORKS EASTNETWORKS no-proxy-arp route-lookup

nat (inside,outside2) source static EASTNETWORKS EASTNETWORKS destination static EASTNETWORKS EASTNETWORKS no-proxy-arp route-lookup

crypto ikev1 enable outside1

crypto ikev1 enable outside2

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map outside_map 10 match address VPN

crypto map outside_map 10 set pfs

crypto map outside_map 10 set peer

crypto map outside_map 10 set ikev1 transform-set ESP-AES_SHA

crypto map outside_map interface outside1

crypto map outside_map interface outside2

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

ikev1 pre-shared-key PASSWORD

isakmp keepalive threshold 10 retry 5



Now let’s configure the Palo side. This side is going to be mainly screenshots.

First configure 2 tunnel interfaces, 1 with an IP of and one without an IP. Put them both in the trusted zone so that VPN traffic will flow properly without rules. We require one with an IP because we will be sourcing pings from it later. This network will be advertised to the ASA and this is NOT a route based VPN. This is a policy based VPN. The Cisco ASA does NOT support route based VPN.

Now create a route for the East lan of with the next hop interface as tunnel 1, this tunnel should have a normal distance of 10

Create a second route for the East lan of with the next hop interface as tunnel 2, this tunnel should have a distance of 11


Now create your IKE profile.

Also create your IPSEC profile.

Now we need to create two IKE Gateways, one for each WAN circuit at the ASA.

Let’s finish the tunnels off by creating two IPSEC tunnels.

Tunnel one will be to the main circuit of the ASA. Notice on this tunnel we use the “tunnel monitor”. This will send pings to (The ASA’s lan interface). These pings will be sourced from the outgoing interface, tunnel.1 This is why we needed to give it an IP and then advertise that subnet to the ASA. This way the ASA can return pings to and the tunnel will remain up.

The failover profile I created was this.

Here’s the second tunnel. Notice here we do not need the tunnel monitor.


That’s it! Now let’s test.
Let’s shut down the main WAN circuit on the ASA.

Boom failover occurred!

So how does it work? The main tunnel stays up and it’s able to be monitored thanks to the IP on the tunnel.1 interface and the tunnel monitoring. As soon as those poings sourced from tunnel 1 start to fail, that tunnel is torn down and the static route is NOT “active”. This means our backup route takes over and is able to negotiate the tunnel with the second wan interface.