https://live.paloaltonetworks.com/t5/general-topics/vpn-phase-1-not-synchronized-between-ha-pair/m-p/574057#M115394 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P> <P>Thanks for this explanation... I understand. Imagine the following scenario :</P> <P>&nbsp;</P> <P>You have an HA Pair with a hundred VPN IPSec tunnels on it. The HA pair is configured in <STRONG>passive mode Gateway</STRONG>.</P> <P>After a failover, is there a way to prevent the loss of those tunnels without involving peers ?</P> Tue, 23 Jan 2024 09:09:32 GMT seag 2024-01-23T09:09:32Z https://live.paloaltonetworks.com/t5/general-topics/vpn-phase-1-not-synchronized-between-ha-pair/m-p/573523#M115317 <P>Hello guys,</P> <P>&nbsp;</P> <P>Sorry if this topic has been already discussed before but I could not find an answer.</P> <P>&nbsp;</P> <P>I would like to know why phase 1 is not synchronized between HA pair. Is there a particular reason ?</P> <P>&nbsp;</P> <P>Thanks</P> Thu, 18 Jan 2024 19:42:29 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-phase-1-not-synchronized-between-ha-pair/m-p/573523#M115317 seag 2024-01-18T19:42:29Z https://live.paloaltonetworks.com/t5/general-topics/vpn-phase-1-not-synchronized-between-ha-pair/m-p/573716#M115340 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/270478">@seag</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN>That's an interesting question! I would think the reason why is that the passive firewall is not involved in the IKE negotiation process.&nbsp; Since the primary firewall proposes and establishes phase 1 with the peer, the passive firewall has no phase 1 SA.&nbsp;</SPAN></P> Fri, 19 Jan 2024 22:36:20 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-phase-1-not-synchronized-between-ha-pair/m-p/573716#M115340 JayGolf 2024-01-19T22:36:20Z https://live.paloaltonetworks.com/t5/general-topics/vpn-phase-1-not-synchronized-between-ha-pair/m-p/573735#M115347 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/270478">@seag</a>,</P> <P>Primary reason as far as I'm aware is the same issue that you'll see even on vendors that allow SAs to sync, the sequence number wouldn't stay in sync anyways. So Fortinet as an example you can continue to&nbsp;<EM>receive&nbsp;</EM>traffic after a failover without a re-key, but as soon as outbound traffic is sent a re-key is required.</P> <P>PAN and some other vendors have taken the stance that simply configuring it to utilize tunnel monitoring and renegotiating is a better path forward that has consistent behavior.&nbsp;</P> Fri, 19 Jan 2024 23:19:19 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-phase-1-not-synchronized-between-ha-pair/m-p/573735#M115347 BPry 2024-01-19T23:19:19Z https://live.paloaltonetworks.com/t5/general-topics/vpn-phase-1-not-synchronized-between-ha-pair/m-p/574057#M115394 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P> <P>Thanks for this explanation... I understand. Imagine the following scenario :</P> <P>&nbsp;</P> <P>You have an HA Pair with a hundred VPN IPSec tunnels on it. The HA pair is configured in <STRONG>passive mode Gateway</STRONG>.</P> <P>After a failover, is there a way to prevent the loss of those tunnels without involving peers ?</P> Tue, 23 Jan 2024 09:09:32 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-phase-1-not-synchronized-between-ha-pair/m-p/574057#M115394 seag 2024-01-23T09:09:32Z