https://live.paloaltonetworks.com/t5/general-topics/vpn-issue-on-interface-subnet-change/m-p/448301#M100802 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/109121">@a.jones</a> ,</P><P>&nbsp;</P><P>It is difficult to troubleshoot your issue without more details.&nbsp; With that said, have you considered leaving the /30?&nbsp; Since you are moving to active/passive, then you do not need separate IP addresses for the passive firewall.&nbsp; The same IP addresses are configured on both.&nbsp; The IP addresses on the passive firewall do not respond to traffic until it becomes active.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tom</P> Thu, 18 Nov 2021 00:37:56 GMT TomYoung 2021-11-18T00:37:56Z https://live.paloaltonetworks.com/t5/general-topics/vpn-issue-on-interface-subnet-change/m-p/448284#M100801 <P>Hi All,</P><P>&nbsp;</P><P>Help here will be appreciated.</P><P>I am migrating a pair of PA-5220's to Active-Passive as they are currently Active-Active. First job in the task is to change the interfaces from /30 to /29 subnets. This is to ensure that both firewalls sit within the same subnet rather than be in isolated /30s. The migration is needed as the VPNs only reside on the Active-Primary and not Active-Secondary so there is no VPN resilience. Floating IP can't be used as it doesn't work without the interfaces being in the same subnet (tried and tested).</P><P>&nbsp;</P><P>The issue I have is when I change the interfaces to the /29 subnet - it is only the subnet mask changing, not the IP - I see the VPNs time out and fail. BGP to the local routers stays established, traffic flow through the firewall is good and unimpacted bar a ping or two drop during the interface change.</P><P>&nbsp;</P><P>I have reselected the local peer IP in the IKE-GW settings and manually pushed a test vpn command to re-establish the VPN. Even after 20 minutes of trying the VPNs stay down.</P><P>&nbsp;</P><P>When I revert back to the /30 interfaces, a test vpn command brings the VPN up immediately.</P><P>&nbsp;</P><P>Any ideas? System logs don't show errors, I could see the Ike request okay.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Adrian</P> Wed, 17 Nov 2021 23:51:37 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-issue-on-interface-subnet-change/m-p/448284#M100801 a.jones 2021-11-17T23:51:37Z https://live.paloaltonetworks.com/t5/general-topics/vpn-issue-on-interface-subnet-change/m-p/448301#M100802 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/109121">@a.jones</a> ,</P><P>&nbsp;</P><P>It is difficult to troubleshoot your issue without more details.&nbsp; With that said, have you considered leaving the /30?&nbsp; Since you are moving to active/passive, then you do not need separate IP addresses for the passive firewall.&nbsp; The same IP addresses are configured on both.&nbsp; The IP addresses on the passive firewall do not respond to traffic until it becomes active.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tom</P> Thu, 18 Nov 2021 00:37:56 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-issue-on-interface-subnet-change/m-p/448301#M100802 TomYoung 2021-11-18T00:37:56Z https://live.paloaltonetworks.com/t5/general-topics/vpn-issue-on-interface-subnet-change/m-p/465516#M102598 <P>This was a funny one that I resolved in the end. For some reason in active-active mode it didn't like both interfaces in the same subnet with the VPN on one firewall. With only the Active Primary in a /29 and the Active Secondary isolated in a /30 the VPN stayed up. If both firewalls were part of the same /29 the VPN was pulled down. It was an acceptable configuration for 24 hours until we fully migrated to an active-passive scenario.</P> Mon, 14 Feb 2022 15:05:12 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-issue-on-interface-subnet-change/m-p/465516#M102598 a.jones 2022-02-14T15:05:12Z