https://live.paloaltonetworks.com/t5/general-topics/session-disconnect-during-a-p-failover/m-p/352987#M87264 <P>Hi,</P><P>&nbsp;</P><P>Can anyone suggest, if we failover from Active to Passive unit on PA firewall. will this maintains the established sessions by default.&nbsp;</P><P>&nbsp;</P><P>Or we have to additionally enable some other setting to make this enable (should maintain session during cluster failover).</P><P>&nbsp;</P><P>Additionally, one more observation while we did recent failover....We have 09 IPSec tunnels created on PA (phase-1 and phase-2 both active) .</P><P>- When we did failover from active to passive (and passive unit became the new active).</P><P>- We observed that approx 5-6 IPSec tunnels (phase-1 and phase-2 both) were active on new active unit.</P><P>- However rest 3-4 IPSec tunnels are showing Phase-2 down (but phase-1 active) on new Active but showing active (both phase-1 and phase-2) on new passive units.</P><P>&nbsp;</P><P>Rgds&nbsp;</P> Wed, 30 Sep 2020 14:34:29 GMT Jimmy20 2020-09-30T14:34:29Z https://live.paloaltonetworks.com/t5/general-topics/session-disconnect-during-a-p-failover/m-p/352987#M87264 <P>Hi,</P><P>&nbsp;</P><P>Can anyone suggest, if we failover from Active to Passive unit on PA firewall. will this maintains the established sessions by default.&nbsp;</P><P>&nbsp;</P><P>Or we have to additionally enable some other setting to make this enable (should maintain session during cluster failover).</P><P>&nbsp;</P><P>Additionally, one more observation while we did recent failover....We have 09 IPSec tunnels created on PA (phase-1 and phase-2 both active) .</P><P>- When we did failover from active to passive (and passive unit became the new active).</P><P>- We observed that approx 5-6 IPSec tunnels (phase-1 and phase-2 both) were active on new active unit.</P><P>- However rest 3-4 IPSec tunnels are showing Phase-2 down (but phase-1 active) on new Active but showing active (both phase-1 and phase-2) on new passive units.</P><P>&nbsp;</P><P>Rgds&nbsp;</P> Wed, 30 Sep 2020 14:34:29 GMT https://live.paloaltonetworks.com/t5/general-topics/session-disconnect-during-a-p-failover/m-p/352987#M87264 Jimmy20 2020-09-30T14:34:29Z https://live.paloaltonetworks.com/t5/general-topics/session-disconnect-during-a-p-failover/m-p/353150#M87286 <P>Hello,</P> <P>Check out these resources on HA.</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIbCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIbCAK</A></P> <P>However the sessions should go over to the new Active unit. I have seen in the past where the VPN tunnels didnt like the failover, these were mostly to other products other than PAN. However PAN to PAN, they seem to be OK. See if passing traffic over the tunnels helps them establish, say a continuous ping.</P> <P>&nbsp;</P> <P>But check the logs to see why the tunnels are not coming up from the far side, i.e. the firewall receiving the tunnel connection.</P> <P>&nbsp;</P> <P>Regards,</P> Wed, 30 Sep 2020 21:48:37 GMT https://live.paloaltonetworks.com/t5/general-topics/session-disconnect-during-a-p-failover/m-p/353150#M87286 OtakarKlier 2020-09-30T21:48:37Z https://live.paloaltonetworks.com/t5/general-topics/session-disconnect-during-a-p-failover/m-p/353154#M87290 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/144686">@Jimmy20</a>,</P> <P>&nbsp;</P> <P>In my experience&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;is absolutely correct. I would normally expect a PAN to PAN tunnel to stay online during a failover, but once you start crossing vendors things can be a bit hit or miss. A lot of this has to do with DPD and other similar settings not playing correctly if they are setup on one side or another.</P> <P>I'll still occasionally have issues with PAN to PAN tunnels, but DPD and tunnel monitoring will easily correct any issues that would be caused by this and bring the tunnels back online.</P> <P>&nbsp;</P> Wed, 30 Sep 2020 22:12:31 GMT https://live.paloaltonetworks.com/t5/general-topics/session-disconnect-during-a-p-failover/m-p/353154#M87290 BPry 2020-09-30T22:12:31Z