Can anyone please explain the behaviour of VPN tunnels during the failover on PAN.
Does the ISAKMP and IPSEC SA table gets passed on to the standby unit ?
Does the VPN tunnels will re-estalish the session again on the new active unit after the failover? what would be the downtime that the users will experience for vpn tunnels?
While it has been a while since I had to fail over firewalls. In the past I have upgraded a active/passive PAN's that I was VPN'ed into and duiring a failover, my connection was not dropped. The sessions should be handed over to the passive unit and everything should continue to function. At most in testing I have seen a few ping drops. So a video conference or phone call might get dropped.
Hope that helps.
IPSec SAs are synced but not the IKE SAs. So normally everything works fine during failover with - as @OtakarKlier mentionned - with a few pings lost (in most cases I had only one or two pings lost).
But because of the not synced IKE SAs you need to be careful. In the past I hat connections that were no longer established when IPSec timout was reached and IKE SA wasn't renewed so far. (Probably depends on the IKE/IPSec implelementation on the other side). Since then after a failover I manually (/with a script) renew all IKE SAs and the problem is solved.
It is worth mentioning what cluster are you running! Because the smallest boxes are using so called HA-lite, which doesn't support IPsec SA sync.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!