Cisco ASA to Palo Alto Site to Site IPSEC VPN Failover


Today I’m going to show you exactly how to configure IPSEC failover between a Cisco ASA and A Palo Alto.


1 ASA, 2 wan circuits

1 Palo, 1 wan circuit


img 58815cb40f57f


Let’s assume at the ASA side is our primary WAN circuit and is the backup circuit we have just added.


I’m assuming you’ve already configured WAN failover, but if you have not click here to learn how to do that.

Now let’s configure the Site to Site VPN:

object network LAN



object network EASTLAN



object network EASTLAN2



object-group network EASTNETWORKS

network-object object EASTLAN

network-object object EASTLAN2


access-list VPN extended permit ip object-group EASTNETWORKS

nat (inside,outside1) source static EASTNETWORKS EASTNETWORKS destination static EASTNETWORKS EASTNETWORKS no-proxy-arp route-lookup

nat (inside,outside2) source static EASTNETWORKS EASTNETWORKS destination static EASTNETWORKS EASTNETWORKS no-proxy-arp route-lookup

crypto ikev1 enable outside1

crypto ikev1 enable outside2

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map outside_map 10 match address VPN

crypto map outside_map 10 set pfs

crypto map outside_map 10 set peer

crypto map outside_map 10 set ikev1 transform-set ESP-AES_SHA

crypto map outside_map interface outside1

crypto map outside_map interface outside2

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

ikev1 pre-shared-key PASSWORD

isakmp keepalive threshold 10 retry 5



Now let’s configure the Palo side. This side is going to be mainly screenshots.

First configure 2 tunnel interfaces, 1 with an IP of and one without an IP. Put them both in the trusted zone so that VPN traffic will flow properly without rules. We require one with an IP because we will be sourcing pings from it later. This network will be advertised to the ASA and this is NOT a route based VPN. This is a policy based VPN. The Cisco ASA does NOT support route based VPN.
img 58816319474b5

Now create a route for the East lan of with the next hop interface as tunnel 1, this tunnel should have a normal distance of 10

Create a second route for the East lan of with the next hop interface as tunnel 2, this tunnel should have a distance of 11


img 588584de15eca

Now create your IKE profile.
img 5881638cc0ac0

Also create your IPSEC profile.
img 5881639eb9472

Now we need to create two IKE Gateways, one for each WAN circuit at the ASA.
img 588163caf22d0
img 588163d36d37c
img 588163e133f68
img 588163e80ce9f

Let’s finish the tunnels off by creating two IPSEC tunnels.

Tunnel one will be to the main circuit of the ASA. Notice on this tunnel we use the “tunnel monitor”. This will send pings to (The ASA’s lan interface). These pings will be sourced from the outgoing interface, tunnel.1 This is why we needed to give it an IP and then advertise that subnet to the ASA. This way the ASA can return pings to and the tunnel will remain up.

img 5885850060b60

The failover profile I created was this.

img 5885857ec498f

img 5881642d48bae

Here’s the second tunnel. Notice here we do not need the tunnel monitor.

img 588164542913e
img 588164607cdfc


That’s it! Now let’s test.
Let’s shut down the main WAN circuit on the ASA.
img 588164f6bb7da

Boom failover occurred!
img 5881650bc3571

So how does it work? The main tunnel stays up and it’s able to be monitored thanks to the IP on the tunnel.1 interface and the tunnel monitoring. As soon as those poings sourced from tunnel 1 start to fail, that tunnel is torn down and the static route is NOT “active”. This means our backup route takes over and is able to negotiate the tunnel with the second wan interface.

Leave a comment