https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277547#M46251 <P>We solved it by repeating the process (recreating the VTI), and we also tested the failover successfully. Everything is now working as expected based on this SK:<BR /><A href="https://support.checkpoint.com/results/sk/sk156812" target="_blank">https://support.checkpoint.com/results/sk/sk156812</A></P> Thu, 28 May 2026 06:35:08 GMT RemoteUser 2026-05-28T06:35:08Z https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277414#M46239 <P>Hi Mates,<BR /><BR />After configuring two numbered VTIs with static routes and different priorities, when the primary tunnel goes down, traffic does <STRONG>not</STRONG> fail over to the backup tunnel. Any idea please?</P> Tue, 26 May 2026 09:56:29 GMT https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277414#M46239 RemoteUser 2026-05-26T09:56:29Z https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277416#M46241 <P>Are you using DPD and how are the return routes configured?</P> Tue, 26 May 2026 11:33:35 GMT https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277416#M46241 Chris_Atkinson 2026-05-26T11:33:35Z https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277417#M46242 <P>I'm using permanent tunnel on the community:<BR />set static-route x.x.x.x/24 nexthop gateway address 169.254.x.x priority 1 on<BR />set static-route x.x.x.x/24 nexthop gateway address 169.254.x.x priority 2 on<BR />set static-route x.x.x.x/24 ping on</P> Tue, 26 May 2026 11:43:27 GMT https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277417#M46242 RemoteUser 2026-05-26T11:43:27Z https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277425#M46243 <P>When the first tunnel is down, did you check, in bash, with the command ip route get &lt;ip_of_a_remote_host&gt; what route is used to reach the remote host?</P> <P>Both remote hop (169.254.x.x) are pingable from the gateway?</P> Tue, 26 May 2026 12:50:16 GMT https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277425#M46243 simonemantovani 2026-05-26T12:50:16Z https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277429#M46244 <P>My configuration looks something like this:</P> <P>set static-route 10.x.x.x/24 nexthop gateway address 172.20.x.x priority 1 on<BR />set static-route 10.x.x.x/24 nexthop gateway address 172.20.x.x monitored-ip 192.168.x.x on<BR />set static-route 10.x.x.x/24 nexthop gateway address 172.20.x.x monitored-ip-option fail-any<BR />set static-route 10.x.x.x/24 nexthop gateway logical vpnt10 priority 2 on</P> <P>Make sure you have a monitored IP set for the primary so it knows when to use the backup.</P> Tue, 26 May 2026 13:06:07 GMT https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277429#M46244 CaseyB 2026-05-26T13:06:07Z https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277430#M46245 <P>Based on this sk&nbsp;<A href="https://support.checkpoint.com/results/sk/sk156812" target="_blank">https://support.checkpoint.com/results/sk/sk156812</A></P> <P>The configuration reported by&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/100677">@RemoteUser</a>&nbsp;should be consistent, eventually,&nbsp;It might be worth checking whether pings are allowed.</P> Tue, 26 May 2026 13:38:23 GMT https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277430#M46245 simonemantovani 2026-05-26T13:38:23Z https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277431#M46246 <P>I wonder if this is really enough for failover, or if something else is still needed</P> Tue, 26 May 2026 13:41:14 GMT https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277431#M46246 RemoteUser 2026-05-26T13:41:14Z https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277432#M46247 <P>As a first step, I would check if ping is ok, if yes, you can proceed with further checks, for example, by checking which route is used when the first vpn is down.</P> Tue, 26 May 2026 13:46:03 GMT https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277432#M46247 simonemantovani 2026-05-26T13:46:03Z https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277547#M46251 <P>We solved it by repeating the process (recreating the VTI), and we also tested the failover successfully. Everything is now working as expected based on this SK:<BR /><A href="https://support.checkpoint.com/results/sk/sk156812" target="_blank">https://support.checkpoint.com/results/sk/sk156812</A></P> Thu, 28 May 2026 06:35:08 GMT https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN-VTI-with-Static-Route-Failover-on-ClusterXL/m-p/277547#M46251 RemoteUser 2026-05-28T06:35:08Z