topic Re: IPSEC tunnel not working post HA failover in General Topics

IPSEC tunnel not working post HA failover

SutareMayur — Fri, 07 Feb 2020 07:59:16 GMT

Hello Friends,

We have Palo Alto firewalls (various models like 3050, 5220 and 3220) which are in HA (active-passive mode). IPSEC tunnels are working fine when traffic is on active gateway. The issue is, when we failover traffic on passive gateway, internet works fine but my tunnel resources becomes unreachable. When i checked tunnel status on gateway, it shows Phase-2 is up but Phase-1 is down.

Then we had to manually initiate traffic from gateway by test vpn commands and after 2-3 mins, tunnel resources becomes reachable. my HA1 and HA2 links are up. Also i see IPSEC SAs getting copied from active to passive. But facing this issues when failover happens. All gateways are running on 9.0.3-h3 but we had this issue on 8.1.x also. Also this issue is not gateway specific, we are facing it on all HA clusters.

Is any one faced such issues ??

Re: IPSEC tunnel not working post HA failover

kiwi — Fri, 07 Feb 2020 10:00:33 GMT

Hi @SutareMayur ,

Did you confgure Tunnel Monitor ?

I'm guessing the tunnel should come back up after the re-key interval but with tunnel monitor it will be faster.

Hope this helps,

-Kiwi.

Re: IPSEC tunnel not working post HA failover

SutareMayur — Fri, 07 Feb 2020 10:18:59 GMT

@kiwi I dont think tunnel monitor will help here. I do not want to failover IPSEC traffic from tunnel one to other. I have only one IPSEC tunnel and traffic should get failover to other firewall when i do firewall HA failover.

- Mayur

Re: IPSEC tunnel not working post HA failover

kiwi — Fri, 07 Feb 2020 11:12:11 GMT

Hi @SutareMayur ,

It seemed to have helped here:

https://live.paloaltonetworks.com/t5/General-Topics/PA-HA-failover-and-IPSEC-connection-shows-inactive/td-p/259907

Cheers,

-Kiwi.

Re: IPSEC tunnel not working post HA failover

SutareMayur — Thu, 13 Feb 2020 04:12:25 GMT

@kiwi,

Thanks for your response.

I'll try it out and let you know.

Mayur

Re: IPSEC tunnel not working post HA failover

triceh — Mon, 21 Jun 2021 22:28:51 GMT

Hi,

@SutareMayur

Did configuring Tunnel monitor fix the issue? Or did you solve it in some other way?

Re: IPSEC tunnel not working post HA failover

SutareMayur — Tue, 29 Jun 2021 02:50:06 GMT

Hi @triceh ,

Somehow issue got disappeared post moving fw to 9.1.x. I didn't made any changes.

Re: IPSEC tunnel not working post HA failover

triceh — Tue, 29 Jun 2021 06:41:12 GMT

Hi,

Alright, i appreciate the response.
Thanks for sharing.

Brgds,

Re: IPSEC tunnel not working post HA failover

NaveenAlakurthi — Fri, 04 Feb 2022 01:42:24 GMT

We are facing similar issue with a HA pair. Can you share which PANOS version in 9.1.x resolved the issue ?? our firewalls are on 9.1.12-h3.

Any help would be highly appreciated.

Re: IPSEC tunnel not working post HA failover

Olha_Osadcha — Tue, 22 Feb 2022 16:42:50 GMT

The same issue on 10.1.3

test vpn ike-sa

test vpn ipsec-sa

helps to make tunnels functional. but after the next HA failover the issue return

Re: IPSEC tunnel not working post HA failover

bmartinsmm — Thu, 30 Jun 2022 21:40:45 GMT

Did you every determine a fix beyond issuing the test vpn commands? I have one tunnel that requires this anytime we fail from active to passive.

Re: IPSEC tunnel not working post HA failover

vnt90 — Fri, 23 Sep 2022 12:55:44 GMT

9.1.14 h4-- just upgraded HA pair. When failed over to secondary fw the phase 2 indicators (10 tunnels) typically are red. We run the cli test vpn ipsec-sa tunnel commands to trigger them to go green which most do within a couple of seconds. However some tunnels will not go green unless we disable the tunnel on the primary fw. ? We usually wait several minutes before we do the disable thing.. When all are indicators (phase 2) go green we failback to primary fw and again have to now disable the tunnels on the secondary before the primary indicators go green. Comments welcome. thnks in advance