topic Re: PA HA failover and IPSEC connection shows inactive in General Topics

PA HA failover and IPSEC connection shows inactive

MP18 — Sun, 05 May 2019 15:06:04 GMT

Yesterday during PAN OS upgrade when Passive PA became active I saw that our IPSEC connections stopped working.

CLI shows status as inactive

I did clear vpn command

test phase 1 and phase 2 still samething.

Only way to make this work was via restarting the remote device.

Need to know what config we can do on the current ipsec connection so VPN works seamlessly when ha failover happens?

Re: PA HA failover and IPSEC connection shows inactive

BPry — Mon, 06 May 2019 21:42:14 GMT

@MP18,

Do you have 'replace protection' enabled on the IPSec Tunnel in question?

The reason it didn't come back up when you cleared it was because the remote device still believed the tunnel was active and the keys were valid. It would have come back naturally if it encountered a re-key event more than likely. If you could have access the remote device, clearing both ike-sa and ipsec-sa on either peer and letting it rebuild would have likely worked.

Re: PA HA failover and IPSEC connection shows inactive

MP18 — Mon, 06 May 2019 21:47:01 GMT

Yes we have that enabled.

But same thing we also have enabled on Tunnel to Azure and it had no issues during failover.

Only 4 ping were lost.

Only way Tunnel came back was to reboot the remote device.

Clearing test ike and ipsec on PA were of no help.

Does this mean that everytime i do this i need to restart the remote device?

Any other config i can use to avoid this?

Re: PA HA failover and IPSEC connection shows inactive

BPry — Mon, 06 May 2019 22:31:05 GMT

But same thing we also have enabled on Tunnel to Azure and it had no issues during failover.

Only 4 ping were lost.

Just because it is working on Azure doesn't mean it will work properly on this tunnel. Azure has a very odd default configuration if you've followed the listed PAN guide when setting up the tunnel.

Only way Tunnel came back was to reboot the remote device.

So to verify; you logged into the remote device and also cleared the ike-sa and ipsec-sa from the CLI prior to restarting the device? I would guess the answer here is no and the restart would have cleared that information and allowed the ends to negotiate the connection again.

Clearing test ike and ipsec on PA were of no help.
Clearing on one peer would do nothing to tell the peer device it needs to re-negotiate the tunnel.

Any other config i can use to avoid this?

Configuring tunnel monitoring would have identified the issue and cleared both ends allowing them to re-negotiate.

Re: PA HA failover and IPSEC connection shows inactive

MP18 — Mon, 06 May 2019 22:33:45 GMT

So If i confiure Tunnel Monitor on PA only and will it identify if tunnel is down?

Do not know if other device supports tunnel monitor or not.

Re: PA HA failover and IPSEC connection shows inactive

BPry — Mon, 06 May 2019 22:50:08 GMT

@MP18,

Correct. The firewall would then know that the tunnel isn't responding properly and will attempt to re-key the tunnel ahead of schedule.

Re: PA HA failover and IPSEC connection shows inactive

MP18 — Mon, 06 May 2019 22:52:48 GMT

Thanks for helping me out

Much appreicated!!!