https://live.paloaltonetworks.com/t5/general-topics/behaviour-of-vpn-tunnels-in-ha-pair-during-the-failover/m-p/245139#M69889 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91304">@R_Sharma</a></P><P>&nbsp;</P><P>IPSec SAs are synced but not the IKE SAs. So normally everything works fine during failover with - as <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;mentionned - with a few pings lost (in most cases I had only one or two pings lost).&nbsp;</P><P>But because of the not synced IKE SAs you need to be careful. In the past I hat connections that were no longer established when IPSec timout was reached and IKE SA wasn't renewed so far. (Probably depends on the IKE/IPSec implelementation on the other side). Since then after a failover I manually (/with a script) renew all IKE SAs and the problem is solved.</P><P>&nbsp;</P><P>Regards,</P><P>Remo</P> Mon, 07 Jan 2019 18:58:51 GMT Remo 2019-01-07T18:58:51Z https://live.paloaltonetworks.com/t5/general-topics/behaviour-of-vpn-tunnels-in-ha-pair-during-the-failover/m-p/245054#M69881 <P>Hi</P><P>Can anyone please explain the behaviour of VPN tunnels during the failover on PAN.</P><P>Does the ISAKMP and IPSEC SA table gets passed on to the standby unit ?</P><P>Does the VPN tunnels will re-estalish the session again&nbsp; on the new active unit after the failover? what would be the downtime that the users will experience for vpn tunnels?</P><P>&nbsp;</P><P>Regards,</P> Mon, 07 Jan 2019 04:51:20 GMT https://live.paloaltonetworks.com/t5/general-topics/behaviour-of-vpn-tunnels-in-ha-pair-during-the-failover/m-p/245054#M69881 R_Sharma 2019-01-07T04:51:20Z https://live.paloaltonetworks.com/t5/general-topics/behaviour-of-vpn-tunnels-in-ha-pair-during-the-failover/m-p/245116#M69887 <P>Hello,</P><P>While it has been a while since I had to fail over firewalls. In the past I have upgraded a active/passive PAN's that I was VPN'ed into and duiring a failover, my connection was not dropped. The sessions should be handed over to the passive unit and everything should continue to function. At most in testing I have seen a few ping drops. So a video conference or phone call might get dropped.</P><P>&nbsp;</P><P>Hope that helps.</P> Mon, 07 Jan 2019 15:49:56 GMT https://live.paloaltonetworks.com/t5/general-topics/behaviour-of-vpn-tunnels-in-ha-pair-during-the-failover/m-p/245116#M69887 OtakarKlier 2019-01-07T15:49:56Z https://live.paloaltonetworks.com/t5/general-topics/behaviour-of-vpn-tunnels-in-ha-pair-during-the-failover/m-p/245139#M69889 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91304">@R_Sharma</a></P><P>&nbsp;</P><P>IPSec SAs are synced but not the IKE SAs. So normally everything works fine during failover with - as <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;mentionned - with a few pings lost (in most cases I had only one or two pings lost).&nbsp;</P><P>But because of the not synced IKE SAs you need to be careful. In the past I hat connections that were no longer established when IPSec timout was reached and IKE SA wasn't renewed so far. (Probably depends on the IKE/IPSec implelementation on the other side). Since then after a failover I manually (/with a script) renew all IKE SAs and the problem is solved.</P><P>&nbsp;</P><P>Regards,</P><P>Remo</P> Mon, 07 Jan 2019 18:58:51 GMT https://live.paloaltonetworks.com/t5/general-topics/behaviour-of-vpn-tunnels-in-ha-pair-during-the-failover/m-p/245139#M69889 Remo 2019-01-07T18:58:51Z https://live.paloaltonetworks.com/t5/general-topics/behaviour-of-vpn-tunnels-in-ha-pair-during-the-failover/m-p/245321#M69925 <P>It is worth mentioning what cluster are you running! Because the smallest boxes are using so called HA-lite, which doesn't support IPsec SA sync.</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/device/device-high-availability/ha-lite" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/device/device-high-availability/ha-lite</A></P> Wed, 09 Jan 2019 12:46:19 GMT https://live.paloaltonetworks.com/t5/general-topics/behaviour-of-vpn-tunnels-in-ha-pair-during-the-failover/m-p/245321#M69925 aleksandar.astardzhiev 2019-01-09T12:46:19Z